Analysis
- max time kernel: 150s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 05/12/2022, 07:54
Static task: static1
Behavioral task: behavioral1
- Sample: b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
- Resource: win10v2004-20220812-en
General
- Target: b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
- Size: 204KB
- MD5: 896bee8216e0354b2dce57cbf95fdcae
- SHA1: 34bb0f59699b5a70c6e924a6128dbe8c4726fd33
- SHA256: b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90
- SHA512: e40efb01c47fa08a77985a8151bc75978e19a8a38f51ee12dcfdfd8a932b6920a97999bd1186c01405266d80fab718447d8edf18f649aeaa09e630ed3cfea427
- SSDEEP: 6144:bcdOSKq1G5JU09zZd6n0xWWq2oM3/wCeeR0AI01Ak:wwi8Ugz+NG/wQvI0
Signatures
- Executes dropped EXE (1 IoC)
  pid 2028, process kaxom.exe
- Deletes itself (1 IoC)
  pid 676, process cmd.exe
- Loads dropped DLL (2 IoCs)
  pid 1768, process b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe (both entries)
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run (process kaxom.exe)
  Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\Currentversion\Run (process kaxom.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tiyritmo = "C:\\Users\\Admin\\AppData\\Roaming\\Ymevyx\\kaxom.exe" (process kaxom.exe)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  PID 1768 set thread context of 676 (process b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe, procid_target 29)
- Modifies Internet Explorer settings
  Key created: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy (process b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe)
  Set value (int): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" (process b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe)
- NTFS ADS (1 IoC)
  File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\3B7F19B4-00000001.eml:OECustomProperty (process WinMail.exe)
- Suspicious behavior: EnumeratesProcesses (48 IoCs)
  pid 2028, process kaxom.exe (all 48 entries)
- Suspicious use of AdjustPrivilegeToken (18 IoCs)
  Token: SeSecurityPrivilege, pid 1768, process b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe (8 entries)
  Token: SeManageVolumePrivilege, pid 692, process WinMail.exe
  Token: SeSecurityPrivilege, pid 1768, process b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe (2 entries)
  Token: SeSecurityPrivilege, pid 676, process cmd.exe (7 entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 692, process WinMail.exe
- Suspicious use of WriteProcessMemory (64 IoCs; each source/target pair is logged several times)
  PID 1768 (b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe) wrote to memory of 2028 (procid_target 27)
  PID 2028 (kaxom.exe) wrote to memory of 1236 (procid_target 13), 1336 (12), 1388 (10), 1768 (26), 692 (28)
  PID 1768 (b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe) wrote to memory of 676 (procid_target 29)
  PID 2028 (kaxom.exe) wrote to memory of 1916 (procid_target 30), 1044 (31), 1600 (32), 1484 (33), 1984 (34), 1768 (35)
Processes
- C:\Windows\Explorer.EXE (PID 1388)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe (PID 1768)
    command line: "C:\Users\Admin\AppData\Local\Temp\b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe"
    signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Modifies Internet Explorer settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Ymevyx\kaxom.exe (PID 2028)
      command line: "C:\Users\Admin\AppData\Roaming\Ymevyx\kaxom.exe"
      signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 676)
      command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp7b6a1d56.bat"
      signatures: Deletes itself; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\Dwm.exe (PID 1336)
  command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\system32\taskhost.exe (PID 1236)
  command line: "taskhost.exe"
- C:\Program Files\Windows Mail\WinMail.exe (PID 692)
  command line: "C:\Program Files\Windows Mail\WinMail.exe" -Embedding
  signatures: NTFS ADS; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\conhost.exe (PID 1916)
  command line: \??\C:\Windows\system32\conhost.exe "-1590712757-562472613-708758500-18758177482143249131443055514879079243-927503904"
- C:\Windows\system32\DllHost.exe (PID 1044)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\DllHost.exe (PID 1600)
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe (PID 1484)
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe (PID 1984)
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe (PID 1768)
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe (PID 984)
  command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 307B
  MD5: 180563b06c394b734aa34c70473e1121
  SHA1: 0a719443ce4cc82da56dade01aca332a17072646
  SHA256: 9c9be085372c5bbe2617f91b1a2e53ec4fbae76c6544718a495fe6b99899c886
  SHA512: c9af773e571a2fb8b9f8077a4824cc92a5833b1a267ced14b59f1b0858ae5cc60efe8e5bb6b7c4dff919ca8d88b8dfa3d8bb2ea07b6264baea9aa95c8a6334f5
- Filesize: 204KB
  MD5: c0986c157e7fdcbe42002d5f8cb65783
  SHA1: 99d6cf4c1654f55aec866b4619e0b620c58bfa6f
  SHA256: 583b68f37f8ac96b00e38ff57b5266d52dfea2d008c5e69f05176a092e6ed3a8
  SHA512: d819cce16a928fcf386159944a59f3aa73f4054478076d8e069831a76f695d11db47a15a557df71fabe6624963eb4ace763e5b40ca1552958d06cf883e83df12
- Filesize: 4KB
  MD5: 0ea96a456d66e809598b9439f1c2e62b
  SHA1: 33056a433840647711c8a70e4b5ade7b07438417
  SHA256: 563ce8795a9d71b5c238dbdf985c68d8f14e2827a82f817bdcfab5399a77976a
  SHA512: abc3fcab00b3199f1199b7153dc5e449ea908ef8c8fa86e25acb8a73768c66a4ce623808757ec21bca7e6e17803119b148c37ba294b8ae437437a6459fddb752