Windows 7 deprecation notice: Windows 7 will be removed from tria.ge on 2025-03-31.
Analysis
  max time kernel: 220s
  max time network: 161s
  platform: windows7_x64
  resource: win7-20221111-en
  resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  submitted: 06/12/2022, 10:34 (6 December 2022; the win7-20221111 image rules out a June reading of the date)
Tasks
  static1: static analysis of 3fbf60454aa6b09d1617ca32a07904f48cbe6893c85cff7f08a3920d32924ebd.exe
  behavioral1: 3fbf60454aa6b09d1617ca32a07904f48cbe6893c85cff7f08a3920d32924ebd.exe on win7-20221111-en (the run shown on this page: platform windows7_x64)
  behavioral2: 3fbf60454aa6b09d1617ca32a07904f48cbe6893c85cff7f08a3920d32924ebd.exe on win10v2004-20220812-en
General
  Target: 3fbf60454aa6b09d1617ca32a07904f48cbe6893c85cff7f08a3920d32924ebd.exe
  Size: 241KB
  MD5: 189738e8cffc167c85c54566f188cc7a
  SHA1: 2987206cf8fb11aa97bb09fadfe6068f6d5edf13
  SHA256: 3fbf60454aa6b09d1617ca32a07904f48cbe6893c85cff7f08a3920d32924ebd
  SHA512: 7cca2b14ee292b166a62d842df75601845e2835413495a518556b603d8d11316eb816fedf0bec540c52b160298babb17c0ad74b9d2ab173012f4ad9c21d2a30b
  SSDEEP: 3072:ydiwIZtYRzQUVXabUuYlT7Milg7HJ4lA6B889C7nco2KiiyZ:ydiwIZt5eao3lMi27ne889Icf
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 18 IoCs)
  All 18 events are key deletions under \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy, the registry store of the Windows Firewall configuration (profiles, authorized applications, open ports, rules and logging). Every one is recorded against "Process not Found", meaning the sandbox could not attribute the event to a monitored process. Subkeys deleted, relative to FirewallPolicy:
  PublicProfile\AuthorizedApplications
  PublicProfile
  RestrictedServices\Static
  DomainProfile\GloballyOpenPorts
  FirewallRules
  PublicProfile\Logging
  RestrictedServices\Configurable\System
  StandardProfile\AuthorizedApplications
  StandardProfile
  DomainProfile\AuthorizedApplications
  DomainProfile
  StandardProfile\Logging
  DomainProfile\Logging
  RestrictedServices\Static\System
  RestrictedServices
  StandardProfile\GloballyOpenPorts
  PublicProfile\GloballyOpenPorts
  RestrictedServices\Configurable
Modifies security service (2 TTPs, 16 IoCs)
  Two services are targeted: MpsSvc (Windows Firewall) and WinDefend (Windows Defender). On MpsSvc the value changes are Start = 4 (SERVICE_DISABLED), DeleteFlag = 1 (written by the Service Control Manager after DeleteService(); the key is removed once the service stops), Type = 32 (SERVICE_WIN32_SHARE_PROCESS) and ErrorControl = 0 (SERVICE_ERROR_IGNORE). The MpsSvc changes are attributed to "Process not Found" while the WinDefend deletions are attributed to the sample itself, consistent with the firewall service being removed on the sample's behalf by an unmonitored process such as the SCM, and the Defender keys being deleted directly.
  Key prefix: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\   Process column: "sample" = 3fbf60454aa6b09d1617ca32a07904f48cbe6893c85cff7f08a3920d32924ebd.exe
  Set value (int)  MpsSvc\Start = "4"                        Process not Found
  Key deleted      MpsSvc\Parameters\PortKeywords\IPTLSOut    Process not Found
  Key deleted      MpsSvc\Parameters                          Process not Found
  Key deleted      MpsSvc\Parameters\PortKeywords\DHCP        Process not Found
  Key deleted      MpsSvc\Parameters\PortKeywords\IPTLSIn     Process not Found
  Key deleted      MpsSvc\Parameters\PortKeywords\RPC-EPMap   Process not Found
  Key deleted      MpsSvc\Parameters\PortKeywords             Process not Found
  Key deleted      WinDefend\Parameters                       sample
  Key deleted      WinDefend\TriggerInfo\0                    sample
  Key deleted      WinDefend\TriggerInfo                      sample
  Set value (int)  MpsSvc\Type = "32"                         Process not Found
  Set value (int)  MpsSvc\DeleteFlag = "1"                    Process not Found
  Key deleted      WinDefend\Security                         sample
  Set value (int)  MpsSvc\ErrorControl = "0"                  Process not Found
  Key deleted      MpsSvc\Parameters\PortKeywords\Teredo      Process not Found
  Key deleted      MpsSvc\Security                            Process not Found
Sets service image path in registry (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\etadpug\ImagePath = "\"C:\\Program Files (x86)\\Google\\Desktop\\Install\\{e0870acb-cd01-0e28-0316-91a4b4cb2286}\\ \\...\\\u202eﯹ๛\\{e0870acb-cd01-0e28-0316-91a4b4cb2286}\\GoogleUpdate.exe\" <"   by 3fbf60454aa6b09d1617ca32a07904f48cbe6893c85cff7f08a3920d32924ebd.exe
  Points worth noting: the service name etadpug is gupdate (the name of the legitimate Google Update service) spelled backwards; the path contains a directory named " " (a single space), one named "..." and one beginning with U+202E RIGHT-TO-LEFT OVERRIDE (the report prints it escaped as \u202e), which makes Explorer and most file managers render the rest of the name reversed; and the value ends with a literal " <" argument after the quoted executable. The value is shown with the report's escaping, so \\ is one backslash and \" one quote.
Unexpected DNS network traffic destination (11 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  Destination IP 194.165.17.4 (11 occurrences)
  The report records only the destination, not the payload; port-53 traffic to a host that is not the configured resolver is either a hard-coded resolver or command-and-control traffic using the DNS port, and the PCAP is needed to tell which.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Update = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Desktop\\Install\\{e0870acb-cd01-0e28-0316-91a4b4cb2286}\\❤≸⋙\\Ⱒ☠⍨\\\u202eﯹ๛\\{e0870acb-cd01-0e28-0316-91a4b4cb2286}\\GoogleUpdate.exe\" >"   by 3fbf60454aa6b09d1617ca32a07904f48cbe6893c85cff7f08a3920d32924ebd.exe
  Key created      \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run   by 3fbf60454aa6b09d1617ca32a07904f48cbe6893c85cff7f08a3920d32924ebd.exe
  This is a second, per-user copy of the updater lookalike under LocalAppData, again with a U+202E override in the path (escaped as \u202e) and a trailing " >" argument; the value name "Google Update" mimics the legitimate updater. Values are shown with the report's escaping (\\ is one backslash, \" one quote).
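The registry signatures above (firewall policy deletions, MpsSvc and WinDefend tampering, the etadpug ImagePath and the Run key) can be triaged mechanically from the report's own IoC lines. The Python below is an added example written for this page, not tria.ge code: it parses six lines copied from the sections above, undoes the report's escaping so that the U+202E character becomes a real character the checks can see, and tags each event. The tag names, the bidi-control set and the treatment of text after the quoted executable as a "trailing argument" are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Six registry IoC lines taken from the report above. The report escapes
# values JSON-style: \" is a quote, \\ a backslash, \u202e the RLO character.
SAMPLE_LINES = r"""
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules Process not Found
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" Process not Found
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\DeleteFlag = "1" Process not Found
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security 3fbf60454aa6b09d1617ca32a07904f48cbe6893c85cff7f08a3920d32924ebd.exe
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\etadpug\ImagePath = "\"C:\\Program Files (x86)\\Google\\Desktop\\Install\\{e0870acb-cd01-0e28-0316-91a4b4cb2286}\\ \\...\\\u202eﯹ๛\\{e0870acb-cd01-0e28-0316-91a4b4cb2286}\\GoogleUpdate.exe\" <" 3fbf60454aa6b09d1617ca32a07904f48cbe6893c85cff7f08a3920d32924ebd.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Update = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Desktop\\Install\\{e0870acb-cd01-0e28-0316-91a4b4cb2286}\\❤≸⋙\\Ⱒ☠⍨\\\u202eﯹ๛\\{e0870acb-cd01-0e28-0316-91a4b4cb2286}\\GoogleUpdate.exe\" >" 3fbf60454aa6b09d1617ca32a07904f48cbe6893c85cff7f08a3920d32924ebd.exe
""".strip().splitlines()

LINE_RE = re.compile(
    r'^(?P<action>Key deleted|Key created|Set value \((?:int|str)\))\s+'
    r'(?P<path>\\REGISTRY\\.+?)'            # key path; may contain spaces
    r'(?:\s+=\s+"(?P<value>.*)")?'          # optional quoted data
    r'\s+(?P<process>Process not Found|\S+\.exe)$'
)
ESCAPE_RE = re.compile(r"\\(u[0-9a-fA-F]{4}|.)")

# Unicode bidi controls: embeddings, overrides, PDF, isolates and marks.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u200e\u200f")
FIREWALL_POLICY = r"\services\SharedAccess\Parameters\FirewallPolicy"
SECURITY_SERVICES = {"MpsSvc", "WinDefend"}   # Windows Firewall, Windows Defender


@dataclass
class RegEvent:
    action: str
    path: str
    value: Optional[str]
    process: str


def unescape(value: str) -> str:
    # \uXXXX becomes that code point; any other escaped character becomes itself.
    return ESCAPE_RE.sub(
        lambda m: chr(int(m.group(1)[1:], 16)) if len(m.group(1)) == 5 else m.group(1),
        value)


def parse_line(line: str) -> RegEvent:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised registry IoC line: {line!r}")
    value = m.group("value")
    return RegEvent(m.group("action"), m.group("path"),
                    unescape(value) if value is not None else None, m.group("process"))


def split_command(value: str) -> Tuple[str, str]:
    """Return (executable path, trailing arguments) from an ImagePath/Run value."""
    m = re.match(r'^"([^"]*)"(.*)$', value)
    if m:
        return m.group(1), m.group(2).strip()
    exe, _, args = value.partition(" ")
    return exe, args.strip()


def reveal(s: str) -> str:
    """Make bidi controls visible for logging, e.g. '<RLO>ab' -> '[U+202E]ab'."""
    return "".join(f"[U+{ord(c):04X}]" if c in BIDI_CONTROLS else c for c in s)


def assess(ev: RegEvent) -> List[str]:
    findings: List[str] = []
    p = ev.path
    if ev.action == "Key deleted" and FIREWALL_POLICY.lower() in p.lower():
        findings.append("firewall-policy-key-deleted")
    m = re.search(r"\\services\\([^\\]+)(?:\\|$)", p, re.IGNORECASE)
    svc = m.group(1) if m else None
    if svc in SECURITY_SERVICES:
        if ev.action == "Key deleted":
            findings.append(f"security-service-config-deleted:{svc}")
        elif p.endswith("\\Start") and ev.value == "4":        # SERVICE_DISABLED
            findings.append(f"security-service-disabled:{svc}")
        elif p.endswith("\\DeleteFlag") and ev.value == "1":   # SCM deletes it on stop
            findings.append(f"security-service-marked-for-deletion:{svc}")
    if ev.value is not None and (p.endswith("\\ImagePath") or "\\CurrentVersion\\Run\\" in p):
        findings.append("persistence:" + ("service-imagepath" if p.endswith("\\ImagePath") else "run-key"))
        exe, args = split_command(ev.value)
        if any(c in BIDI_CONTROLS for c in exe):
            findings.append("bidi-override-in-path")
        if any(ord(c) > 0x7F for c in exe):
            findings.append("non-ascii-path-segment")
        if args:
            findings.append(f"trailing-argument:{args}")
    return findings


def triage(lines) -> Dict[str, List[str]]:
    """Map each finding tag to the registry paths that triggered it."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        ev = parse_line(line)
        for tag in assess(ev):
            report.setdefault(tag, []).append(ev.path)
    return report


if __name__ == "__main__":
    for tag, paths in triage(SAMPLE_LINES).items():
        print(f"{tag:45} {len(paths)} hit(s)")
    exe, args = split_command(parse_line(SAMPLE_LINES[4]).value)
    print("ImagePath executable:", reveal(exe), "| args:", args)
```

Run on the six lines it reports one firewall deletion, MpsSvc disabled and marked for deletion, a WinDefend key deletion, and two persistence entries that both carry a U+202E override, non-ASCII directory names and a stray argument. The same parser works on the full 18+16 rows above; the bidi check is the one to keep in a SIEM rule, since an override character in an ImagePath or Run value has no legitimate use.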
Drops file in Program Files directory (20 IoCs)
  All by 3fbf60454aa6b09d1617ca32a07904f48cbe6893c85cff7f08a3920d32924ebd.exe.
  18 × "File opened for modification" on an alternate data stream named "!" (the ":!" suffix) of files and locale directories under C:\Program Files\Windows Defender\:
  MpClient.dll:!, MpCmdRun.exe:!, MpSvc.dll:!, MSASCui.exe:!, de-DE:!, fr-FR:!, it-IT:!, MpAsDesc.dll:!, MpEvMsg.dll:!, MpOAV.dll:!, MsMpCom.dll:!, MsMpLics.dll:!, MpCommu.dll:!, MsMpRes.dll:!, en-US:!, es-ES:!, ja-JP:!, MpRTP.dll:!
  2 × "File created":
  C:\Program Files (x86)\Google\Desktop\Install\{e0870acb-cd01-0e28-0316-91a4b4cb2286}\ \...\ﯹ๛\{e0870acb-cd01-0e28-0316-91a4b4cb2286}\GoogleUpdate.exe
  C:\Program Files (x86)\Google\Desktop\Install\{e0870acb-cd01-0e28-0316-91a4b4cb2286}\ \...\ﯹ๛\{e0870acb-cd01-0e28-0316-91a4b4cb2286}\@
  Writing to an alternate stream leaves the primary stream, and therefore the file's hash and Authenticode signature, untouched, so the Defender binaries still verify as unmodified; the dropped GoogleUpdate.exe is the file the etadpug service ImagePath points at.
NTFS ADS (18 IoCs)
  The same 18 stream opens as in the previous signature, by 3fbf60454aa6b09d1617ca32a07904f48cbe6893c85cff7f08a3920d32924ebd.exe, each on the stream named "!" of a file or locale directory under C:\Program Files\Windows Defender\ (directories can carry alternate streams too):
  en-US:!, es-ES:!, MpClient.dll:!, MpCmdRun.exe:!, MpSvc.dll:!, MSASCui.exe:!, MsMpLics.dll:!, fr-FR:!, ja-JP:!, MpAsDesc.dll:!, MpCommu.dll:!, MpEvMsg.dll:!, MpRTP.dll:!, de-DE:!, MpOAV.dll:!, MsMpRes.dll:!, it-IT:!, MsMpCom.dll:!
  On a live host the streams are visible with dir /r in cmd or Get-Item -Path <file> -Stream * in PowerShell; ordinary directory listings and file hashes do not show them.
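The two file signatures above fire on the same 18 events: the sample opens an alternate data stream named ! on each Defender binary and locale directory, and drops GoogleUpdate.exe and a file named @ into a path built from a space, three dots and non-ASCII directory names. The Python below is an added example for this page, not tria.ge code. It parses five of the lines above, splits the NTFS stream suffix correctly (the drive-letter colon is not a stream separator, and name::$DATA names the unnamed stream), and flags stream writes under a protected directory as well as drops into oddly named directories. The second PROTECTED_DIRS entry and the shape of the returned summary are this example's assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

# Five of the twenty file IoC lines from the report above.
SAMPLE_FILE_LINES = r"""
File opened for modification C:\Program Files\Windows Defender\MpClient.dll:! 3fbf60454aa6b09d1617ca32a07904f48cbe6893c85cff7f08a3920d32924ebd.exe
File opened for modification C:\Program Files\Windows Defender\MpCmdRun.exe:! 3fbf60454aa6b09d1617ca32a07904f48cbe6893c85cff7f08a3920d32924ebd.exe
File opened for modification C:\Program Files\Windows Defender\en-US:! 3fbf60454aa6b09d1617ca32a07904f48cbe6893c85cff7f08a3920d32924ebd.exe
File created C:\Program Files (x86)\Google\Desktop\Install\{e0870acb-cd01-0e28-0316-91a4b4cb2286}\ \...\ﯹ๛\{e0870acb-cd01-0e28-0316-91a4b4cb2286}\GoogleUpdate.exe 3fbf60454aa6b09d1617ca32a07904f48cbe6893c85cff7f08a3920d32924ebd.exe
File created C:\Program Files (x86)\Google\Desktop\Install\{e0870acb-cd01-0e28-0316-91a4b4cb2286}\ \...\ﯹ๛\{e0870acb-cd01-0e28-0316-91a4b4cb2286}\@ 3fbf60454aa6b09d1617ca32a07904f48cbe6893c85cff7f08a3920d32924ebd.exe
""".strip().splitlines()

FILE_LINE_RE = re.compile(
    r"^(?P<action>File opened for modification|File created)\s+"
    r"(?P<path>.+?)\s+(?P<process>\S+\.exe)$")

# Directories in which an alternate stream written by a third-party process is
# a red flag. The first is the one in the report; the second is an assumption
# covering 32-bit Defender installs on x64 hosts.
PROTECTED_DIRS = (r"C:\Program Files\Windows Defender",
                  r"C:\Program Files (x86)\Windows Defender")


class FileTriage(NamedTuple):
    ads_by_dir: Dict[str, List[Tuple[str, str]]]   # directory -> [(name, stream)]
    protected_hits: List[str]                      # files under PROTECTED_DIRS that gained a stream
    suspicious_drops: List[str]                    # created files with odd directory names


def split_ads(path: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split 'C:\\dir\\name:stream:$TYPE' into (name, stream, type)."""
    m = re.match(r"^([A-Za-z]:)(.*)$", path)
    drive, rest = (m.group(1), m.group(2)) if m else ("", path)
    parts = rest.split(":", 2)          # the drive colon was removed above
    base = drive + parts[0]
    stream = parts[1] if len(parts) > 1 else None
    stype = parts[2] if len(parts) > 2 else None
    if stream == "":                    # 'name::$DATA' is the unnamed data stream
        stream = None
    return base, stream, stype


def odd_segments(path: str) -> List[str]:
    """Path components that are blank, dots only, or contain non-ASCII characters."""
    return [seg for seg in path.split("\\")
            if seg and (not seg.strip() or set(seg) <= {"."} or any(ord(c) > 0x7F for c in seg))]


def is_under(path: str, root: str) -> bool:
    p, r = path.lower().rstrip("\\"), root.lower().rstrip("\\")
    return p == r or p.startswith(r + "\\")


def triage_files(lines) -> FileTriage:
    ads_by_dir: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    protected_hits: List[str] = []
    suspicious_drops: List[str] = []
    for line in lines:
        m = FILE_LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised file IoC line: {line!r}")
        base, stream, _ = split_ads(m.group("path"))
        if stream is not None:
            directory, name = base.rsplit("\\", 1)
            ads_by_dir[directory].append((name, stream))
            if any(is_under(base, d) for d in PROTECTED_DIRS):
                protected_hits.append(base)
        if m.group("action") == "File created" and odd_segments(base):
            suspicious_drops.append(base)
    return FileTriage(dict(ads_by_dir), protected_hits, suspicious_drops)


if __name__ == "__main__":
    result = triage_files(SAMPLE_FILE_LINES)
    for directory, entries in result.ads_by_dir.items():
        print(f"{directory}: {len(entries)} stream write(s), e.g. {entries[0]}")
    print("protected files with new streams:", len(result.protected_hits))
    for drop in result.suspicious_drops:
        print("odd drop:", drop, "segments:", odd_segments(drop))
```

The stream name alone (":!") is enough to hunt with on other hosts; the directory-name check catches the " ", "..." and "ﯹ๛" components whether or not the invisible U+202E is present in the path the sandbox printed.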
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 268 3fbf60454aa6b09d1617ca32a07904f48cbe6893c85cff7f08a3920d32924ebd.exe (×4)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1244 Process not Found
Suspicious behavior: MapViewOfSection (2 IoCs)
  pid 268 3fbf60454aa6b09d1617ca32a07904f48cbe6893c85cff7f08a3920d32924ebd.exe (×2)
Suspicious use of AdjustPrivilegeToken (17 IoCs)
  pid 268 3fbf60454aa6b09d1617ca32a07904f48cbe6893c85cff7f08a3920d32924ebd.exe: SeRestorePrivilege, SeDebugPrivilege, SeDebugPrivilege, SeRestorePrivilege
  pid 1244 Process not Found: SeShutdownPrivilege
  pid 464 Process not Found: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege (the four-privilege sequence ×3)
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 1244 Process not Found (×2)
Suspicious use of SendNotifyMessage (2 IoCs)
  pid 1244 Process not Found (×2)
Suspicious use of UnmapMainImage (1 IoC)
  pid 268 3fbf60454aa6b09d1617ca32a07904f48cbe6893c85cff7f08a3920d32924ebd.exe
  In pid 268 the combination of SeDebugPrivilege, MapViewOfSection and UnmapMainImage is the one commonly seen with in-memory unpacking or process hollowing; since the process tree below shows no child process, treat it as an indicator rather than a confirmation. Pids 464 and 1244 are processes the sandbox did not attribute, and their events (a backup/restore/security/take-ownership privilege cycle, shell-tray and foreground-window calls) read as system activity triggered by the sample rather than as the sample's own code.
Processes
  1. C:\Users\Admin\AppData\Local\Temp\3fbf60454aa6b09d1617ca32a07904f48cbe6893c85cff7f08a3920d32924ebd.exe (PID 268; no child processes recorded)
     Command line: "C:\Users\Admin\AppData\Local\Temp\3fbf60454aa6b09d1617ca32a07904f48cbe6893c85cff7f08a3920d32924ebd.exe"
     - Modifies security service
     - Sets service image path in registry
     - Adds Run key to start application
     - Drops file in Program Files directory
     - NTFS ADS
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious behavior: MapViewOfSection
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of UnmapMainImage