Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
04/12/2022, 11:57
Static task
static1
Behavioral task
behavioral1
Sample
f0c0d53a73808a6d54447493ca87b2d58744cc0adb80b086ad547ac17402f674.exe
Resource
win7-20220812-en
windows7-x64
14 signatures
150 seconds
Behavioral task
behavioral2
Sample
f0c0d53a73808a6d54447493ca87b2d58744cc0adb80b086ad547ac17402f674.exe
Resource
win10v2004-20220901-en
windows10-2004-x64
0 signatures
150 seconds
General
-
Target
f0c0d53a73808a6d54447493ca87b2d58744cc0adb80b086ad547ac17402f674.exe
-
Size
336KB
-
MD5
31d8227a0d401e506c54413d54ba7863
-
SHA1
a6654ff509b40cc9bbaca8b6738407096a20a02e
-
SHA256
f0c0d53a73808a6d54447493ca87b2d58744cc0adb80b086ad547ac17402f674
-
SHA512
83c91336cf33f4ff8f481605fa9f4114ca2df9d4b93d1ad566e21fbb28e70797d056e4ee463b21548be9c7248621eb15fcc4c19cc122433eb27f699c766c89ec
-
SSDEEP
6144:7Jwl7rc4wHHRBFYfDBaphH/J6wOAquppETUaX8ljc2jT:7Wl3c4wSfD4LfMwOOvJaOA
Score
10/10
Malware Config
Signatures
-
Modifies system executable filetype association 2 TTPs 17 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell sgg.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" sgg.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\sgg.exe\" -a \"%1\" %*" sgg.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\runas\command sgg.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\start sgg.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\start\command sgg.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\ = "Application" sgg.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\Content Type = "application/x-msdownload" sgg.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" sgg.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" sgg.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" sgg.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\open\command sgg.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\runas sgg.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\open sgg.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" sgg.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\DefaultIcon sgg.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\DefaultIcon\ = "%1" sgg.exe -
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
pid Process 1988 sgg.exe -
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Deletes itself 1 IoCs
pid Process 1988 sgg.exe -
Loads dropped DLL 2 IoCs
pid Process 900 f0c0d53a73808a6d54447493ca87b2d58744cc0adb80b086ad547ac17402f674.exe 900 f0c0d53a73808a6d54447493ca87b2d58744cc0adb80b086ad547ac17402f674.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run sgg.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\WINDOWS\\system32\\ctfmon.exe" sgg.exe -
Modifies registry class 41 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\shell\open\command sgg.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\runas\command sgg.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\DefaultIcon\ = "%1" sgg.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\shell\open sgg.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\shell\runas sgg.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*" sgg.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\shell\start\command sgg.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*" sgg.exe Set value (data) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\ = "exefile" sgg.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\start sgg.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\ = "Application" sgg.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\DefaultIcon\ = "%1" sgg.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*" sgg.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\shell\start\command\ = "\"%1\" %*" sgg.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\shell\runas\command sgg.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*" sgg.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\DefaultIcon sgg.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\start\command sgg.exe Set value (data) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\sgg.exe\" -a \"%1\" %*" sgg.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\shell sgg.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\shell\start sgg.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\shell\start\command\IsolatedCommand = "\"%1\" %*" sgg.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile sgg.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell sgg.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*" sgg.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\DefaultIcon sgg.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\open\command sgg.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*" sgg.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*" sgg.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\open sgg.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\Content Type = "application/x-msdownload" sgg.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\sgg.exe\" -a \"%1\" %*" sgg.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\runas sgg.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*" sgg.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe sgg.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\.exe\Content Type = "application/x-msdownload" sgg.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 900 f0c0d53a73808a6d54447493ca87b2d58744cc0adb80b086ad547ac17402f674.exe 900 f0c0d53a73808a6d54447493ca87b2d58744cc0adb80b086ad547ac17402f674.exe 900 f0c0d53a73808a6d54447493ca87b2d58744cc0adb80b086ad547ac17402f674.exe 900 f0c0d53a73808a6d54447493ca87b2d58744cc0adb80b086ad547ac17402f674.exe 900 f0c0d53a73808a6d54447493ca87b2d58744cc0adb80b086ad547ac17402f674.exe 900 f0c0d53a73808a6d54447493ca87b2d58744cc0adb80b086ad547ac17402f674.exe 900 f0c0d53a73808a6d54447493ca87b2d58744cc0adb80b086ad547ac17402f674.exe 900 f0c0d53a73808a6d54447493ca87b2d58744cc0adb80b086ad547ac17402f674.exe 900 f0c0d53a73808a6d54447493ca87b2d58744cc0adb80b086ad547ac17402f674.exe 1988 sgg.exe 1988 sgg.exe 1988 sgg.exe 1988 sgg.exe 1988 sgg.exe -
Suspicious use of AdjustPrivilegeToken 21 IoCs
description pid Process Token: SeShutdownPrivilege 1292 explorer.exe Token: SeShutdownPrivilege 1292 explorer.exe Token: SeShutdownPrivilege 1292 explorer.exe Token: SeShutdownPrivilege 1292 explorer.exe Token: SeShutdownPrivilege 1292 explorer.exe Token: SeShutdownPrivilege 1292 explorer.exe Token: SeShutdownPrivilege 1292 explorer.exe Token: SeShutdownPrivilege 1292 explorer.exe Token: SeShutdownPrivilege 1292 explorer.exe Token: 33 1564 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1564 AUDIODG.EXE Token: SeShutdownPrivilege 1292 explorer.exe Token: SeShutdownPrivilege 1292 explorer.exe Token: 33 1564 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1564 AUDIODG.EXE Token: SeShutdownPrivilege 1292 explorer.exe Token: SeShutdownPrivilege 1292 explorer.exe Token: SeShutdownPrivilege 1292 explorer.exe Token: SeShutdownPrivilege 1292 explorer.exe Token: SeShutdownPrivilege 1292 explorer.exe Token: SeShutdownPrivilege 1292 explorer.exe -
Suspicious use of FindShellTrayWindow 32 IoCs
pid Process 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1988 sgg.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1988 sgg.exe 1988 sgg.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1988 sgg.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1292 explorer.exe 1988 sgg.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1988 sgg.exe 1988 sgg.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 900 wrote to memory of 1988 900 f0c0d53a73808a6d54447493ca87b2d58744cc0adb80b086ad547ac17402f674.exe 27 PID 900 wrote to memory of 1988 900 f0c0d53a73808a6d54447493ca87b2d58744cc0adb80b086ad547ac17402f674.exe 27 PID 900 wrote to memory of 1988 900 f0c0d53a73808a6d54447493ca87b2d58744cc0adb80b086ad547ac17402f674.exe 27 PID 900 wrote to memory of 1988 900 f0c0d53a73808a6d54447493ca87b2d58744cc0adb80b086ad547ac17402f674.exe 27
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0c0d53a73808a6d54447493ca87b2d58744cc0adb80b086ad547ac17402f674.exe"C:\Users\Admin\AppData\Local\Temp\f0c0d53a73808a6d54447493ca87b2d58744cc0adb80b086ad547ac17402f674.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:900 -
C:\Users\Admin\AppData\Local\sgg.exe"C:\Users\Admin\AppData\Local\sgg.exe" -gav C:\Users\Admin\AppData\Local\Temp\f0c0d53a73808a6d54447493ca87b2d58744cc0adb80b086ad547ac17402f674.exe2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1988
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1292
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x58c1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1564
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
336KB
MD531d8227a0d401e506c54413d54ba7863
SHA1a6654ff509b40cc9bbaca8b6738407096a20a02e
SHA256f0c0d53a73808a6d54447493ca87b2d58744cc0adb80b086ad547ac17402f674
SHA51283c91336cf33f4ff8f481605fa9f4114ca2df9d4b93d1ad566e21fbb28e70797d056e4ee463b21548be9c7248621eb15fcc4c19cc122433eb27f699c766c89ec
-
Filesize
336KB
MD531d8227a0d401e506c54413d54ba7863
SHA1a6654ff509b40cc9bbaca8b6738407096a20a02e
SHA256f0c0d53a73808a6d54447493ca87b2d58744cc0adb80b086ad547ac17402f674
SHA51283c91336cf33f4ff8f481605fa9f4114ca2df9d4b93d1ad566e21fbb28e70797d056e4ee463b21548be9c7248621eb15fcc4c19cc122433eb27f699c766c89ec
-
Filesize
336KB
MD531d8227a0d401e506c54413d54ba7863
SHA1a6654ff509b40cc9bbaca8b6738407096a20a02e
SHA256f0c0d53a73808a6d54447493ca87b2d58744cc0adb80b086ad547ac17402f674
SHA51283c91336cf33f4ff8f481605fa9f4114ca2df9d4b93d1ad566e21fbb28e70797d056e4ee463b21548be9c7248621eb15fcc4c19cc122433eb27f699c766c89ec