Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 08/09/2023, 20:26
Static task: static1
Behavioral task: behavioral1
- Sample: AVI Reader.exe
- Resource: win7-20230831-en
General
- Target: AVI Reader.exe
- Size: 49KB
- MD5: c3ec94cb1c15fbfd213aa5d5854b8e3f
- SHA1: 65726604b29227377aadef41da87a7306c852f0c
- SHA256: 87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4
- SHA512: e9cc11eb5e5e7426f9b8109e73194fccf989bfba3c04b73b78094946e79c5c31f3bb85d75193bc370b192836932a6bd8fdda1f3b5ff7b027a911b9bd7612aebf
- SSDEEP: 1536:a7dS1EAd8II28ca2zhmamGJCKDRMcyEQXGNEPRbw1Rl:igEA6II2Da2zPf/XyEQSiRby
Malware Config
Extracted: njrat
- Platinum
- Cheats
- 127.0.0.1:1
- smss.exe
- reg_key: smss.exe
- splitter: |Ghost|
Extracted: xworm
- 192.168.2.133:1
- 217.229.108.168:1
- install_file: USB.exe
Signatures
- Deletes itself (1 IoC)
  PID | Process
  2748 | cmd.exe
- Drops startup file (7 IoCs)
  Description | IoC | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftEdgeUpdate.lnk | MicrosoftEdgeUpdate.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftEdge.lnk | MicrosoftEdge.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftEdge.lnk | MicrosoftEdge.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smss.exe | smss.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smss.exe | smss.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smss.url | smss.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftEdgeUpdate.lnk | MicrosoftEdgeUpdate.exe
- Executes dropped EXE (7 IoCs)
  PID | Process
  2644 | smss.exe
  2860 | 717a6fb1c88b42f0a106d6cc2f4677bb.exe
  940 | Meatspin_v6_FULL_by_LuckyKazya.exe
  928 | MicrosoftEdge.exe
  1692 | MicrosoftEdgeUpdate.exe
  2252 | smss.exe
  456 | smss.exe
- Loads dropped DLL (1 IoC)
  PID | Process
  2860 | 717a6fb1c88b42f0a106d6cc2f4677bb.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Description | IoC | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\smss.exe\" .." | smss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\smss.exe\" .." | smss.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdge = "C:\\Users\\Admin\\AppData\\Local\\MicrosoftEdge.exe" | MicrosoftEdge.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate = "C:\\Users\\Admin\\AppData\\Local\\MicrosoftEdgeUpdate.exe" | MicrosoftEdgeUpdate.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID | Process
  2668 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID | Process
  1692 | MicrosoftEdgeUpdate.exe
  928 | MicrosoftEdge.exe
- Suspicious use of AdjustPrivilegeToken (39 IoCs; identical rows collapsed, the Count column gives how many times each row appears in the report)
  Token | PID | Process | Count
  SeDebugPrivilege | 2644 | smss.exe | 1
  33 | 2644 | smss.exe | 17
  SeIncBasePriorityPrivilege | 2644 | smss.exe | 17
  SeDebugPrivilege | 928 | MicrosoftEdge.exe | 2
  SeDebugPrivilege | 1692 | MicrosoftEdgeUpdate.exe | 2
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID | Process
  1692 | MicrosoftEdgeUpdate.exe
  928 | MicrosoftEdge.exe
- Suspicious use of WriteProcessMemory (33 IoCs; each row below appears three times in the report)
  Description | PID | Process | procid_target
  PID 1752 wrote to memory of 2644 | 1752 | AVI Reader.exe | 28
  PID 1752 wrote to memory of 2748 | 1752 | AVI Reader.exe | 29
  PID 2748 wrote to memory of 2600 | 2748 | cmd.exe | 31
  PID 2644 wrote to memory of 2852 | 2644 | smss.exe | 32
  PID 2644 wrote to memory of 2668 | 2644 | smss.exe | 34
  PID 2644 wrote to memory of 2860 | 2644 | smss.exe | 39
  PID 2860 wrote to memory of 940 | 2860 | 717a6fb1c88b42f0a106d6cc2f4677bb.exe | 40
  PID 2860 wrote to memory of 928 | 2860 | 717a6fb1c88b42f0a106d6cc2f4677bb.exe | 42
  PID 2860 wrote to memory of 1692 | 2860 | 717a6fb1c88b42f0a106d6cc2f4677bb.exe | 41
  PID 1632 wrote to memory of 2252 | 1632 | taskeng.exe | 44
  PID 1632 wrote to memory of 456 | 1632 | taskeng.exe | 45
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\AVI Reader.exe (PID 1752)
  Command line: "C:\Users\Admin\AppData\Local\Temp\AVI Reader.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 2644)
    Command line: "C:\Users\Admin\AppData\Local\Temp\smss.exe"
    Signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 2852)
      Command line: schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    - C:\Windows\system32\schtasks.exe (PID 2668)
      Command line: schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\smss.exe
      Signatures: Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\717a6fb1c88b42f0a106d6cc2f4677bb.exe (PID 2860)
      Command line: "C:\Users\Admin\AppData\Local\Temp\717a6fb1c88b42f0a106d6cc2f4677bb.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Meatspin_v6_FULL_by_LuckyKazya.exe (PID 940)
        Command line: "C:\Users\Admin\AppData\Roaming\Meatspin_v6_FULL_by_LuckyKazya.exe"
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdate.exe (PID 1692)
        Command line: "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdate.exe"
        Signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
      - C:\Users\Admin\AppData\Roaming\MicrosoftEdge.exe (PID 928)
        Command line: "C:\Users\Admin\AppData\Roaming\MicrosoftEdge.exe"
        Signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
  - C:\Windows\System32\cmd.exe (PID 2748)
    Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\AVI Reader.exe"
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\choice.exe (PID 2600)
      Command line: choice /C Y /N /D Y /T 5
- C:\Windows\system32\taskeng.exe (PID 1632)
  Command line: taskeng.exe {5886F1BD-66AA-4FC4-83AA-B5DB94E18FED} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 2252)
    Command line: C:\Users\Admin\AppData\Local\Temp\smss.exe
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\smss.exe (PID 456)
    Command line: C:\Users\Admin\AppData\Local\Temp\smss.exe
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads