Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
6Static
static
1christmasl...wn.zip
windows7-x64
en-US/flyout.html
windows7-x64
1en-US/gadget.html
windows7-x64
1en-US/gadget.xml
windows7-x64
1en-US/script/utils.js
windows7-x64
1en-US/scri...ls.vbs
windows7-x64
1en-US/settings.html
windows7-x64
1en-US/styl...lt.css
windows7-x64
3icon.png
windows7-x64
3images/background.png
windows7-x64
3images/go.png
windows7-x64
3images/logo.jpg
windows7-x64
3logo.png
windows7-x64
3vwd.xml
windows7-x64
1Analysis
-
max time kernel
108s -
max time network
112s -
platform
windows7_x64 -
resource
win7-20230220-ja -
resource tags
arch:x64arch:x86image:win7-20230220-jalocale:ja-jpos:windows7-x64systemwindows -
submitted
16/05/2023, 06:00
Static task
static1
Behavioral task
behavioral1
Sample
christmaslistcountdown.zip
Resource
win7-20230220-ja
windows7-x64
14 signatures
1800 seconds
Behavioral task
behavioral2
Sample
en-US/flyout.html
Resource
win7-20230220-ja
windows7-x64
8 signatures
1800 seconds
Behavioral task
behavioral3
Sample
en-US/gadget.html
Resource
win7-20230220-ja
windows7-x64
6 signatures
1800 seconds
Behavioral task
behavioral4
Sample
en-US/gadget.xml
Resource
win7-20230220-ja
windows7-x64
5 signatures
1800 seconds
Behavioral task
behavioral5
Sample
en-US/script/utils.js
Resource
win7-20230220-ja
windows7-x64
0 signatures
1800 seconds
Behavioral task
behavioral6
Sample
en-US/script/utils.vbs
Resource
win7-20230220-ja
windows7-x64
0 signatures
1800 seconds
Behavioral task
behavioral7
Sample
en-US/settings.html
Resource
win7-20230220-ja
windows7-x64
5 signatures
1800 seconds
Behavioral task
behavioral8
Sample
en-US/styles/default.css
Resource
win7-20230220-ja
windows7-x64
2 signatures
1800 seconds
Behavioral task
behavioral9
Sample
icon.png
Resource
win7-20230220-ja
windows7-x64
2 signatures
1800 seconds
Behavioral task
behavioral10
Sample
images/background.png
Resource
win7-20230220-ja
windows7-x64
2 signatures
1800 seconds
Behavioral task
behavioral11
Sample
images/go.png
Resource
win7-20230220-ja
windows7-x64
2 signatures
1800 seconds
Behavioral task
behavioral12
Sample
images/logo.jpg
Resource
win7-20230220-ja
windows7-x64
2 signatures
1800 seconds
Behavioral task
behavioral13
Sample
logo.png
Resource
win7-20230220-ja
windows7-x64
2 signatures
1800 seconds
Behavioral task
behavioral14
Sample
vwd.xml
Resource
win7-20230220-ja
windows7-x64
5 signatures
1800 seconds
Errors
Reason
Machine shutdown
General
-
Target
christmaslistcountdown.zip
-
Size
54KB
-
MD5
193195995d084cfca0b8130170d92cf0
-
SHA1
1d2193cdeeefe2b09701ebd2ee99e8f270987d9d
-
SHA256
7e9f8d4be691c76607d87e7a2139ad4f849d5bb4c443c82faa0143cefd75ad65
-
SHA512
f86e133384663ac74af29d5ffaf128b1e7a2d46ed78f2a5356af499981eb8e7cb3da152a642e01a3666574abe919c07febe95874e45386ec3aa250f2efd81a62
-
SSDEEP
1536:TTZh8DH0pwi06rIUEPDrRwMj3+w7KWBmZ33w7KWBmZ3T:fZh8DH0Z06rInPfRwM7TVIZwVIZD
Score
6/10
Malware Config
Signatures
-
Drops desktop.ini file(s) 7 IoCs
description ioc Process File opened for modification C:\Users\Public\Music\desktop.ini wmplayer.exe File opened for modification C:\Users\Admin\Videos\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\Videos\desktop.ini wmplayer.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\Pictures\desktop.ini wmplayer.exe File opened for modification C:\Users\Admin\Music\desktop.ini wmplayer.exe File opened for modification C:\Users\Public\desktop.ini wmplayer.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\S: wmplayer.exe File opened (read-only) \??\F: wmplayer.exe File opened (read-only) \??\G: wmplayer.exe File opened (read-only) \??\H: wmplayer.exe File opened (read-only) \??\J: wmplayer.exe File opened (read-only) \??\K: wmplayer.exe File opened (read-only) \??\P: wmplayer.exe File opened (read-only) \??\R: wmplayer.exe File opened (read-only) \??\V: wmplayer.exe File opened (read-only) \??\W: wmplayer.exe File opened (read-only) \??\X: wmplayer.exe File opened (read-only) \??\I: wmplayer.exe File opened (read-only) \??\Q: wmplayer.exe File opened (read-only) \??\U: wmplayer.exe File opened (read-only) \??\Y: wmplayer.exe File opened (read-only) \??\Z: wmplayer.exe File opened (read-only) \??\E: wmplayer.exe File opened (read-only) \??\N: wmplayer.exe File opened (read-only) \??\T: wmplayer.exe File opened (read-only) \??\A: wmplayer.exe File opened (read-only) \??\B: wmplayer.exe File opened (read-only) \??\L: wmplayer.exe File opened (read-only) \??\M: wmplayer.exe File opened (read-only) \??\O: wmplayer.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\WindowsUpdate.log ehshell.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 ehshell.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz ehshell.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ehshell.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier ehshell.exe -
Enumerates system info in registry 2 TTPs 32 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information csrss.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier csrss.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral csrss.exe -
Modifies data under HKEY_USERS 9 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1041" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor" winlogon.exe Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 6a0061002d004a00500000000000 winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize" winlogon.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer wmplayer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}" wmplayer.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1832 ehshell.exe 1832 ehshell.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1832 ehshell.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process Token: SeDebugPrivilege 1832 ehshell.exe Token: 33 1748 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1748 AUDIODG.EXE Token: 33 1748 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1748 AUDIODG.EXE Token: SeShutdownPrivilege 1832 ehshell.exe Token: SeShutdownPrivilege 1208 LogonUI.exe Token: SeShutdownPrivilege 1208 LogonUI.exe Token: SeShutdownPrivilege 1208 LogonUI.exe Token: SeShutdownPrivilege 932 winlogon.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 1832 wrote to memory of 1408 1832 ehshell.exe 29 PID 1832 wrote to memory of 1408 1832 ehshell.exe 29 PID 1832 wrote to memory of 1408 1832 ehshell.exe 29 PID 1832 wrote to memory of 1408 1832 ehshell.exe 29 PID 1820 wrote to memory of 1208 1820 csrss.exe 36 PID 1820 wrote to memory of 1208 1820 csrss.exe 36 PID 932 wrote to memory of 1208 932 winlogon.exe 36 PID 932 wrote to memory of 1208 932 winlogon.exe 36 PID 932 wrote to memory of 1208 932 winlogon.exe 36 PID 1820 wrote to memory of 1208 1820 csrss.exe 36 PID 1820 wrote to memory of 1208 1820 csrss.exe 36 PID 1820 wrote to memory of 1208 1820 csrss.exe 36 PID 1820 wrote to memory of 1208 1820 csrss.exe 36 PID 1820 wrote to memory of 1208 1820 csrss.exe 36 PID 1820 wrote to memory of 1208 1820 csrss.exe 36 PID 1820 wrote to memory of 1208 1820 csrss.exe 36 PID 1820 wrote to memory of 1208 1820 csrss.exe 36 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\christmaslistcountdown.zip1⤵PID:1532
-
C:\Windows\ehome\ehshell.exe"C:\Windows\ehome\ehshell.exe"1⤵
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /SkipFUE /RemoteOCXLaunch /SuppressDialogs2⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies registry class
PID:1408
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5701⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵PID:1984
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1820
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x02⤵
- Suspicious use of AdjustPrivilegeToken
PID:1208
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵PID:1856
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Media Player\アート ã‚ャッシュ\LocalMLS\{C561A488-1883-4ED7-BC97-0DDB95EECD5C}.jpg
Filesize22KB
MD535e787587cd3fa8ed360036c9fca3df2
SHA184c76a25c6fe336f6559c033917a4c327279886d
SHA25698c49a68ee578e10947209ebc17c0ad188ed39c7d0c91a2b505f317259c0c9b2
SHA512aeec3eed5a52670f4cc35935005bb04bb435964a1975e489b8e101adfbce278142fd1a6c475860b7ccb414afe5e24613361a66d92f457937de9b21a7a112e1f9
