Analysis
- max time kernel: 158s
- max time network: 62s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 06/12/2022, 10:52
Static task: static1
Behavioral task: behavioral1
- Sample: f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
- Resource: win7-20221111-en
- 7 signatures
- 150 seconds
General
- Target: f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
- Size: 433KB
- MD5: 8c483d31d90cb9c0642eafa94d00b7e3
- SHA1: c6c3ac38b00091a505c6609fa00db0ee2b3a89e0
- SHA256: f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc
- SHA512: e532c5eea5a3f7584aa0fb509eceec2dc5577d31025206f85cb0bb26caba5c9fa6857fa43369cf204d7c7346234f5ebdebf087f82537fbb5d034466b42dc6c16
- SSDEEP: 12288:xZUKXCWhLv9hJ/uB8jKZ67/Nag/HFNyWouSpM5TCI+7roS:vUKyCLvdGB9K/Xfnktp4TCv
Malware Config
Signatures
- Modifies firewall policy service (2 TTPs, 8 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe:*:Enabled:Windows Messanger" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Ebook.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Ebook.exe:*:Enabled:Windows Messanger" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
- Memory dumps matched by yara rule
  resource | yara_rule
  behavioral1/memory/1188-57-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/1188-60-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/1188-61-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/1188-67-0x0000000000400000-0x0000000000473000-memory.dmp | upx
  behavioral1/memory/1188-76-0x0000000000400000-0x0000000000473000-memory.dmp | upx
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 2040 set thread context of 1188 | 2040 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe | 28
- Modifies registry key (1 TTPs, 4 IoCs)
  pid | Process
  1568 | reg.exe
  1656 | reg.exe
  1736 | reg.exe
  1852 | reg.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  description | pid | Process
  Token: 1 | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeCreateTokenPrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeAssignPrimaryTokenPrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeLockMemoryPrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeIncreaseQuotaPrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeMachineAccountPrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeTcbPrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeSecurityPrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeTakeOwnershipPrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeLoadDriverPrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeSystemProfilePrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeSystemtimePrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeProfSingleProcessPrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeIncBasePriorityPrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeCreatePagefilePrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeCreatePermanentPrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeBackupPrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeRestorePrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeShutdownPrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeDebugPrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeAuditPrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeSystemEnvironmentPrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeChangeNotifyPrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeRemoteShutdownPrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeUndockPrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeSyncAgentPrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeEnableDelegationPrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeManageVolumePrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeImpersonatePrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: SeCreateGlobalPrivilege | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: 31 | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: 32 | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: 33 | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: 34 | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Token: 35 | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  2040 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
- Suspicious use of WriteProcessMemory (41 IoCs)
  description | pid | Process | procid_target
  PID 2040 wrote to memory of 1188 | 2040 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe | 28
  PID 2040 wrote to memory of 1188 | 2040 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe | 28
  PID 2040 wrote to memory of 1188 | 2040 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe | 28
  PID 2040 wrote to memory of 1188 | 2040 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe | 28
  PID 2040 wrote to memory of 1188 | 2040 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe | 28
  PID 2040 wrote to memory of 1188 | 2040 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe | 28
  PID 2040 wrote to memory of 1188 | 2040 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe | 28
  PID 2040 wrote to memory of 1188 | 2040 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe | 28
  PID 2040 wrote to memory of 1188 | 2040 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe | 28
  PID 1188 wrote to memory of 564 | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe | 29
  PID 1188 wrote to memory of 564 | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe | 29
  PID 1188 wrote to memory of 564 | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe | 29
  PID 1188 wrote to memory of 564 | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe | 29
  PID 1188 wrote to memory of 436 | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe | 31
  PID 1188 wrote to memory of 436 | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe | 31
  PID 1188 wrote to memory of 436 | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe | 31
  PID 1188 wrote to memory of 436 | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe | 31
  PID 1188 wrote to memory of 1392 | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe | 33
  PID 1188 wrote to memory of 1392 | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe | 33
  PID 1188 wrote to memory of 1392 | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe | 33
  PID 1188 wrote to memory of 1392 | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe | 33
  PID 1188 wrote to memory of 676 | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe | 34
  PID 1188 wrote to memory of 676 | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe | 34
  PID 1188 wrote to memory of 676 | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe | 34
  PID 1188 wrote to memory of 676 | 1188 | f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe | 34
  PID 564 wrote to memory of 1852 | 564 | cmd.exe | 39
  PID 564 wrote to memory of 1852 | 564 | cmd.exe | 39
  PID 564 wrote to memory of 1852 | 564 | cmd.exe | 39
  PID 564 wrote to memory of 1852 | 564 | cmd.exe | 39
  PID 1392 wrote to memory of 1656 | 1392 | cmd.exe | 37
  PID 1392 wrote to memory of 1656 | 1392 | cmd.exe | 37
  PID 1392 wrote to memory of 1656 | 1392 | cmd.exe | 37
  PID 1392 wrote to memory of 1656 | 1392 | cmd.exe | 37
  PID 436 wrote to memory of 1736 | 436 | cmd.exe | 38
  PID 436 wrote to memory of 1736 | 436 | cmd.exe | 38
  PID 436 wrote to memory of 1736 | 436 | cmd.exe | 38
  PID 436 wrote to memory of 1736 | 436 | cmd.exe | 38
  PID 676 wrote to memory of 1568 | 676 | cmd.exe | 40
  PID 676 wrote to memory of 1568 | 676 | cmd.exe | 40
  PID 676 wrote to memory of 1568 | 676 | cmd.exe | 40
  PID 676 wrote to memory of 1568 | 676 | cmd.exe | 40
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2040
  - Level 2: C:\Users\Admin\AppData\Local\Temp\f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1188
    - Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Suspicious use of WriteProcessMemory
      PID: 564
      - Level 4: C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - Modifies registry key
        PID: 1852
    - Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe:*:Enabled:Windows Messanger" /f
      - Suspicious use of WriteProcessMemory
      PID: 436
      - Level 4: C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f1fcd083f8079998648d4b3ea35c42373a3dfa970ac8228442a1717d35fcc9cc.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - Modifies registry key
        PID: 1736
    - Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Suspicious use of WriteProcessMemory
      PID: 1392
      - Level 4: C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - Modifies registry key
        PID: 1656
    - Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Ebook.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Ebook.exe:*:Enabled:Windows Messanger" /f
      - Suspicious use of WriteProcessMemory
      PID: 676
      - Level 4: C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Ebook.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Ebook.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - Modifies registry key
        PID: 1568