Overview

Report score: 10

Tasks (score per task, as shown in the overview):

Task                     Platform             Score
Static                   static               1
plugx/4094...ba.exe      windows7-x64         7
plugx/4094...ba.exe      windows10-2004-x64   7
plugx/5a94...11.exe      windows7-x64         1
plugx/5a94...11.exe      windows10-2004-x64   1
plugx/8df2...43.exe      windows7-x64         10
plugx/8df2...43.exe      windows10-2004-x64   10
plugx/9aff...0d.exe      windows7-x64         1
plugx/9aff...0d.exe      windows10-2004-x64   1
plugx/a2a0...5d.exe      windows7-x64         1
plugx/a2a0...5d.exe      windows10-2004-x64   1
plugx/a8e2...a3.exe      windows7-x64         10
plugx/a8e2...a3.exe      windows10-2004-x64   10
plugx/ac75...f2.exe      windows7-x64         7
plugx/ac75...f2.exe      windows10-2004-x64   7
Analysis

max time kernel:  150s
max time network: 152s
platform:         windows7_x64
resource:         win7-20230220-en
resource tags:    arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
submitted:        12/04/2023, 06:31
Tasks

static1 (Static task)

behavioral1   Sample: plugx/4094db927542c7b1d4a770d30231fcc34687a47058821001f4a46808692fcdba.exe   Resource: win7-20230220-en
behavioral2   Sample: plugx/4094db927542c7b1d4a770d30231fcc34687a47058821001f4a46808692fcdba.exe   Resource: win10v2004-20230220-en
behavioral3   Sample: plugx/5a9468a87997f2363995e264505105f6a235b66543bb28635fb74f78704e9111.exe   Resource: win7-20230220-en
behavioral4   Sample: plugx/5a9468a87997f2363995e264505105f6a235b66543bb28635fb74f78704e9111.exe   Resource: win10v2004-20230220-en
behavioral5   Sample: plugx/8df2949d77aff0ef84af7c2a892602e05d3518d85b87fa5ed56493199efd2143.exe   Resource: win7-20230220-en
behavioral6   Sample: plugx/8df2949d77aff0ef84af7c2a892602e05d3518d85b87fa5ed56493199efd2143.exe   Resource: win10v2004-20230221-en
behavioral7   Sample: plugx/9aff1e12a1b447ca8ab3076f684716a859c906f9b2d0e870d59d0f06fc548d0d.exe   Resource: win7-20230220-en
behavioral8   Sample: plugx/9aff1e12a1b447ca8ab3076f684716a859c906f9b2d0e870d59d0f06fc548d0d.exe   Resource: win10v2004-20230220-en
behavioral9   Sample: plugx/a2a0ce67c239385c1ec1d5d29ff91a7daf91cf2b4368dc91d84dbb598becdc5d.exe   Resource: win7-20230220-en
behavioral10  Sample: plugx/a2a0ce67c239385c1ec1d5d29ff91a7daf91cf2b4368dc91d84dbb598becdc5d.exe   Resource: win10v2004-20230220-en
behavioral11  Sample: plugx/a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3.exe   Resource: win7-20230220-en
behavioral12  Sample: plugx/a8e2b38c576bf19f6b0bed69c85c2a64445337087257cf566388f7b0d6d583a3.exe   Resource: win10v2004-20230220-en
behavioral13  Sample: plugx/ac758e6ad91120d1c98248ed2582c1ab472d83ef354f9c4b2f62167a699565f2.exe   Resource: win7-20230220-en
behavioral14  Sample: plugx/ac758e6ad91120d1c98248ed2582c1ab472d83ef354f9c4b2f62167a699565f2.exe   Resource: win10v2004-20230220-en
General

Target: plugx/ac758e6ad91120d1c98248ed2582c1ab472d83ef354f9c4b2f62167a699565f2.exe
Size:   146KB
MD5:    f1d6ee923099c9f1b10d563e6146cb87
SHA1:   605590582a3714d21b48a874c68df15abfb4b190
SHA256: ac758e6ad91120d1c98248ed2582c1ab472d83ef354f9c4b2f62167a699565f2
SHA512: f4a4910ba6e0392fcfb08fbbff895b043d392ea4ce4377c3a2a07bb94f166509525441928f33c24c3d8e1e67a4d0a66294c714c319062ecd3ad742c7e48e205a
SSDEEP: 3072:Zq3baagC6laxrPPtBUeqc/44KBqEspsExs62pNUYO:Zq3bakvrPXt1OseExz2pH
Malware Config
Signatures

Deletes itself (1 IoC)
  pid   Process
  1964  SxS.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  1964  SxS.exe
  868   SxS.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2008  ac758e6ad91120d1c98248ed2582c1ab472d83ef354f9c4b2f62167a699565f2.exe
  2008  ac758e6ad91120d1c98248ed2582c1ab472d83ef354f9c4b2f62167a699565f2.exe

Unexpected DNS network traffic destination (8 IoCs)
  Network traffic to servers other than the configured DNS servers was detected on the DNS port.
  description     ioc
  Destination IP  61.139.2.69
  Destination IP  202.98.96.68
  Destination IP  202.98.96.68
  Destination IP  205.252.144.228
  Destination IP  61.139.2.69
  Destination IP  205.252.144.228
  Destination IP  61.139.2.69
  Destination IP  202.98.96.68

Modifies data under HKEY_USERS (29 IoCs)
  description        ioc                                                                                                                              Process
  Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                                         svchost.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"                      svchost.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"                         svchost.exe
  Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d2-65-9b-ea-43-19                           svchost.exe
  Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d2-65-9b-ea-43-19\WpadDetectedUrl           svchost.exe
  Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7D65EC44-B9DE-4659-B568-BCF6E064C36E}\WpadDecisionTime = c0798dc7196dd901   svchost.exe
  Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent                                   svchost.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7D65EC44-B9DE-4659-B568-BCF6E064C36E}\WpadDecision = "0"   svchost.exe
  Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE                                                                                                  svchost.exe
  Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0                                              svchost.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7D65EC44-B9DE-4659-B568-BCF6E064C36E}\WpadDecisionReason = "1"   svchost.exe
  Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7D65EC44-B9DE-4659-B568-BCF6E064C36E}\WpadNetworkName = "Network 2"   svchost.exe
  Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d2-65-9b-ea-43-19\WpadDecisionTime = 60024fa1196dd901   svchost.exe
  Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform                     svchost.exe
  Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion                                                                   svchost.exe
  Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform                         svchost.exe
  Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7D65EC44-B9DE-4659-B568-BCF6E064C36E}\d2-65-9b-ea-43-19   svchost.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d2-65-9b-ea-43-19\WpadDecisionReason = "1"   svchost.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d2-65-9b-ea-43-19\WpadDecision = "0"        svchost.exe
  Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft                                                                                        svchost.exe
  Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings                                                  svchost.exe
  Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent                                       svchost.exe
  Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad                                             svchost.exe
  Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7D65EC44-B9DE-4659-B568-BCF6E064C36E}      svchost.exe
  Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7D65EC44-B9DE-4659-B568-BCF6E064C36E}\WpadDecisionTime = 00bd069e196dd901   svchost.exe
  Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows                                                                                svchost.exe
  Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d2-65-9b-ea-43-19\WpadDecisionTime = 00bd069e196dd901   svchost.exe
  Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7D65EC44-B9DE-4659-B568-BCF6E064C36E}\WpadDecisionTime = 60024fa1196dd901   svchost.exe
  Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d2-65-9b-ea-43-19\WpadDecisionTime = c0798dc7196dd901   svchost.exe

Modifies registry class (2 IoCs)
  description        ioc                                                                                                            Process
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 38003300350046003400380044003200310037004400410041004500340030000000   svchost.exe
  Key created        \REGISTRY\MACHINE\Software\CLASSES\FAST                                                                        svchost.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process       Events
  432   svchost.exe   14
  1740  msiexec.exe   50

Suspicious use of AdjustPrivilegeToken (10 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2008  ac758e6ad91120d1c98248ed2582c1ab472d83ef354f9c4b2f62167a699565f2.exe
  Token: SeTcbPrivilege    2008  ac758e6ad91120d1c98248ed2582c1ab472d83ef354f9c4b2f62167a699565f2.exe
  Token: SeDebugPrivilege  1964  SxS.exe
  Token: SeTcbPrivilege    1964  SxS.exe
  Token: SeDebugPrivilege  868   SxS.exe
  Token: SeTcbPrivilege    868   SxS.exe
  Token: SeDebugPrivilege  432   svchost.exe
  Token: SeTcbPrivilege    432   svchost.exe
  Token: SeDebugPrivilege  1740  msiexec.exe
  Token: SeTcbPrivilege    1740  msiexec.exe

Suspicious use of WriteProcessMemory (25 IoCs)
  description                    pid   Process                                                                   procid_target  Events
  PID 2008 wrote to memory of 1964  2008  ac758e6ad91120d1c98248ed2582c1ab472d83ef354f9c4b2f62167a699565f2.exe  28             4
  PID 868 wrote to memory of 432    868   SxS.exe                                                                   30             9
  PID 432 wrote to memory of 1740   432   svchost.exe                                                               31             12
Processes

C:\Users\Admin\AppData\Local\Temp\plugx\ac758e6ad91120d1c98248ed2582c1ab472d83ef354f9c4b2f62167a699565f2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\plugx\ac758e6ad91120d1c98248ed2582c1ab472d83ef354f9c4b2f62167a699565f2.exe"
  PID: 2008
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\ProgramData\Microsoft PA\SxS.exe
      Command line: "C:\ProgramData\Microsoft PA\SxS.exe" 100 2008
      PID: 1964
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\Microsoft PA\SxS.exe
  Command line: "C:\ProgramData\Microsoft PA\SxS.exe" 200 0
  PID: 868
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\system32\svchost.exe 201 0
      PID: 432
      - Modifies data under HKEY_USERS
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\msiexec.exe
          Command line: C:\Windows\system32\msiexec.exe 300 432
          PID: 1740
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Downloads

5 entries, all with identical size and hashes:

Filesize: 146KB
MD5:      f1d6ee923099c9f1b10d563e6146cb87
SHA1:     605590582a3714d21b48a874c68df15abfb4b190
SHA256:   ac758e6ad91120d1c98248ed2582c1ab472d83ef354f9c4b2f62167a699565f2
SHA512:   f4a4910ba6e0392fcfb08fbbff895b043d392ea4ce4377c3a2a07bb94f166509525441928f33c24c3d8e1e67a4d0a66294c714c319062ecd3ad742c7e48e205a