Analysis
- max time kernel: 152s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 29/10/2023, 01:44
Static task: static1
Behavioral task: behavioral1
- Sample: 666f5ad3c6b29636a24011639ccc771da5e964ed4d0a22e253febeed53978681.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: 666f5ad3c6b29636a24011639ccc771da5e964ed4d0a22e253febeed53978681.exe
- Resource: win10v2004-20231023-en
General
- Target: 666f5ad3c6b29636a24011639ccc771da5e964ed4d0a22e253febeed53978681.exe
- Size: 6.9MB
- MD5: d2f32b3bf5e7c07ac6ee4918f93c4da3
- SHA1: 8035c6f1214d806a6f2181c41ae24c21ef1c4913
- SHA256: 666f5ad3c6b29636a24011639ccc771da5e964ed4d0a22e253febeed53978681
- SHA512: 5622ae6a36b3fcfc4560ecebfc0bdc446976c6e262322d345888b65e5ead956ff455771fb7ee736b5f1cd8134d2753e6cc6641c39c30b5e787256c23fa3927b0
- SSDEEP: 98304:bBax0HTtGRoXuo73LIDUae0OEHtpKMbaqALvQIIxNiRo2Zo/AE9aF55FP4elzQH+:AmttF3EDv3p/baqCI3V2W/eL9QL9w
Malware Config
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (12 IoCs)
  description | pid | Process | procid_target
  - PID 2188 created 1268 | 2188 | 666f5ad3c6b29636a24011639ccc771da5e964ed4d0a22e253febeed53978681.exe | 11 (6 identical entries)
  - PID 332 created 1268 | 332 | updater.exe | 11 (6 identical entries)
- XMRig Miner payload (6 IoCs)
  resource | yara_rule
  - behavioral1/memory/1248-76-0x0000000140000000-0x0000000140840000-memory.dmp | xmrig
  - behavioral1/memory/1248-79-0x0000000140000000-0x0000000140840000-memory.dmp | xmrig
  - behavioral1/memory/1248-81-0x0000000140000000-0x0000000140840000-memory.dmp | xmrig
  - behavioral1/memory/1248-83-0x0000000140000000-0x0000000140840000-memory.dmp | xmrig
  - behavioral1/memory/1248-85-0x0000000140000000-0x0000000140840000-memory.dmp | xmrig
  - behavioral1/memory/1248-87-0x0000000140000000-0x0000000140840000-memory.dmp | xmrig
- Drops file in Drivers directory (2 IoCs)
  description | ioc | Process
  - File created | C:\Windows\System32\drivers\etc\hosts | 666f5ad3c6b29636a24011639ccc771da5e964ed4d0a22e253febeed53978681.exe
  - File created | C:\Windows\System32\drivers\etc\hosts | updater.exe
- Stops running service(s) (3 TTPs)
- Executes dropped EXE (2 IoCs)
  pid | Process
  - 464 | Process not Found
  - 332 | updater.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  - File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe (2 identical entries)
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  - PID 332 set thread context of 1628 | 332 | updater.exe | 69
  - PID 332 set thread context of 1248 | 332 | updater.exe | 70
- Drops file in Program Files directory (1 IoCs)
  description | ioc | Process
  - File created | C:\Program Files\Google\Chrome\updater.exe | 666f5ad3c6b29636a24011639ccc771da5e964ed4d0a22e253febeed53978681.exe
- Launches sc.exe (10 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid | Process
  - 2592 | sc.exe
  - 2664 | sc.exe
  - 1288 | sc.exe
  - 1520 | sc.exe
  - 1552 | sc.exe
  - 2604 | sc.exe
  - 2632 | sc.exe
  - 1196 | sc.exe
  - 1648 | sc.exe
  - 1604 | sc.exe
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  - 2888 | schtasks.exe
  - 2460 | schtasks.exe
- Modifies data under HKEY_USERS (2 IoCs)
  description | ioc | Process
  - Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe
  - Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a03e61bc090ada01 | powershell.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  - 2188 | 666f5ad3c6b29636a24011639ccc771da5e964ed4d0a22e253febeed53978681.exe (3 entries)
  - 2788 | powershell.exe
  - 2188 | 666f5ad3c6b29636a24011639ccc771da5e964ed4d0a22e253febeed53978681.exe (10 entries)
  - 332 | updater.exe (3 entries)
  - 792 | powershell.exe
  - 332 | updater.exe (10 entries)
  - 1248 | explorer.exe (36 entries)
- Suspicious behavior: LoadsDriver (1 IoCs)
  pid | Process
  - 464 | Process not Found
- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  description | pid | Process
  - Token: SeDebugPrivilege | 2788 | powershell.exe
  - Token: SeShutdownPrivilege | 1200 | powercfg.exe
  - Token: SeShutdownPrivilege | 2952 | powercfg.exe
  - Token: SeShutdownPrivilege | 2968 | powercfg.exe
  - Token: SeShutdownPrivilege | 2984 | powercfg.exe
  - Token: SeDebugPrivilege | 792 | powershell.exe
  - Token: SeShutdownPrivilege | 2044 | powercfg.exe
  - Token: SeShutdownPrivilege | 2084 | powercfg.exe
  - Token: SeShutdownPrivilege | 2328 | powercfg.exe
  - Token: SeShutdownPrivilege | 1052 | powercfg.exe
  - Token: SeDebugPrivilege | 332 | updater.exe
  - Token: SeLockMemoryPrivilege | 1248 | explorer.exe
- Suspicious use of WriteProcessMemory (56 IoCs)
  description | pid | Process | procid_target
  - PID 1732 wrote to memory of 2592 | 1732 | cmd.exe | 34 (3 identical entries)
  - PID 1732 wrote to memory of 2604 | 1732 | cmd.exe | 35 (3 identical entries)
  - PID 1732 wrote to memory of 2632 | 1732 | cmd.exe | 36 (3 identical entries)
  - PID 1732 wrote to memory of 2664 | 1732 | cmd.exe | 37 (3 identical entries)
  - PID 1732 wrote to memory of 1288 | 1732 | cmd.exe | 38 (3 identical entries)
  - PID 2640 wrote to memory of 1200 | 2640 | cmd.exe | 43 (3 identical entries)
  - PID 2640 wrote to memory of 2952 | 2640 | cmd.exe | 46 (3 identical entries)
  - PID 2640 wrote to memory of 2968 | 2640 | cmd.exe | 47 (3 identical entries)
  - PID 2640 wrote to memory of 2984 | 2640 | cmd.exe | 48 (3 identical entries)
  - PID 516 wrote to memory of 1196 | 516 | cmd.exe | 56 (3 identical entries)
  - PID 516 wrote to memory of 1520 | 516 | cmd.exe | 57 (3 identical entries)
  - PID 516 wrote to memory of 1648 | 516 | cmd.exe | 58 (3 identical entries)
  - PID 516 wrote to memory of 1552 | 516 | cmd.exe | 59 (3 identical entries)
  - PID 516 wrote to memory of 1604 | 516 | cmd.exe | 60 (3 identical entries)
  - PID 1504 wrote to memory of 2044 | 1504 | cmd.exe | 63 (3 identical entries)
  - PID 1504 wrote to memory of 2084 | 1504 | cmd.exe | 64 (3 identical entries)
  - PID 1504 wrote to memory of 2328 | 1504 | cmd.exe | 65 (3 identical entries)
  - PID 1504 wrote to memory of 1052 | 1504 | cmd.exe | 68 (3 identical entries)
  - PID 332 wrote to memory of 1628 | 332 | updater.exe | 69
  - PID 332 wrote to memory of 1248 | 332 | updater.exe | 70
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\Explorer.EXE (PID 1268)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\666f5ad3c6b29636a24011639ccc771da5e964ed4d0a22e253febeed53978681.exe (PID 2188)
    command line: "C:\Users\Admin\AppData\Local\Temp\666f5ad3c6b29636a24011639ccc771da5e964ed4d0a22e253febeed53978681.exe"
    signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Drops file in Drivers directory; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2788)
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe (PID 1732)
    command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\sc.exe (PID 2592), command line: sc stop UsoSvc, signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe (PID 2604), command line: sc stop WaaSMedicSvc, signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe (PID 2632), command line: sc stop wuauserv, signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe (PID 2664), command line: sc stop bits, signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe (PID 1288), command line: sc stop dosvc, signatures: Launches sc.exe
  - C:\Windows\System32\schtasks.exe (PID 2408)
    command line: C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  - C:\Windows\System32\cmd.exe (PID 2640)
    command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\powercfg.exe (PID 1200), command line: powercfg /x -hibernate-timeout-ac 0, signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe (PID 2952), command line: powercfg /x -hibernate-timeout-dc 0, signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe (PID 2968), command line: powercfg /x -standby-timeout-ac 0, signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe (PID 2984), command line: powercfg /x -standby-timeout-dc 0, signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe (PID 2888)
    command line: C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\ecuijhvxegrk.xml"
    signatures: Creates scheduled task(s)
  - C:\Windows\System32\schtasks.exe (PID 2964)
    command line: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 792)
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    signatures: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\cmd.exe (PID 516)
    command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\sc.exe (PID 1196), command line: sc stop UsoSvc, signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe (PID 1520), command line: sc stop WaaSMedicSvc, signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe (PID 1648), command line: sc stop wuauserv, signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe (PID 1552), command line: sc stop bits, signatures: Launches sc.exe
    - C:\Windows\System32\sc.exe (PID 1604), command line: sc stop dosvc, signatures: Launches sc.exe
  - C:\Windows\System32\cmd.exe (PID 1504)
    command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\powercfg.exe (PID 2044), command line: powercfg /x -hibernate-timeout-ac 0, signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe (PID 2084), command line: powercfg /x -hibernate-timeout-dc 0, signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe (PID 2328), command line: powercfg /x -standby-timeout-ac 0, signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\powercfg.exe (PID 1052), command line: powercfg /x -standby-timeout-dc 0, signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe (PID 2460)
    command line: C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\ecuijhvxegrk.xml"
    signatures: Creates scheduled task(s)
  - C:\Windows\System32\conhost.exe (PID 1628)
    command line: C:\Windows\System32\conhost.exe
  - C:\Windows\explorer.exe (PID 1248)
    command line: C:\Windows\explorer.exe
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Google\Chrome\updater.exe (PID 332)
  command line: "C:\Program Files\Google\Chrome\updater.exe"
  signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Drops file in Drivers directory; Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 6.9MB
  MD5: d2f32b3bf5e7c07ac6ee4918f93c4da3
  SHA1: 8035c6f1214d806a6f2181c41ae24c21ef1c4913
  SHA256: 666f5ad3c6b29636a24011639ccc771da5e964ed4d0a22e253febeed53978681
  SHA512: 5622ae6a36b3fcfc4560ecebfc0bdc446976c6e262322d345888b65e5ead956ff455771fb7ee736b5f1cd8134d2753e6cc6641c39c30b5e787256c23fa3927b0
- Filesize: 6.9MB
  MD5: d2f32b3bf5e7c07ac6ee4918f93c4da3
  SHA1: 8035c6f1214d806a6f2181c41ae24c21ef1c4913
  SHA256: 666f5ad3c6b29636a24011639ccc771da5e964ed4d0a22e253febeed53978681
  SHA512: 5622ae6a36b3fcfc4560ecebfc0bdc446976c6e262322d345888b65e5ead956ff455771fb7ee736b5f1cd8134d2753e6cc6641c39c30b5e787256c23fa3927b0
- Filesize: 1KB
  MD5: 546d67a48ff2bf7682cea9fac07b942e
  SHA1: a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
  SHA256: eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
  SHA512: 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe
- Filesize: 2KB
  MD5: 3e9af076957c5b2f9c9ce5ec994bea05
  SHA1: a8c7326f6bceffaeed1c2bb8d7165e56497965fe
  SHA256: e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e
  SHA512: 933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f
- Filesize: 1KB
  MD5: 546d67a48ff2bf7682cea9fac07b942e
  SHA1: a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
  SHA256: eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
  SHA512: 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe
- Filesize: 6.9MB
  MD5: d2f32b3bf5e7c07ac6ee4918f93c4da3
  SHA1: 8035c6f1214d806a6f2181c41ae24c21ef1c4913
  SHA256: 666f5ad3c6b29636a24011639ccc771da5e964ed4d0a22e253febeed53978681
  SHA512: 5622ae6a36b3fcfc4560ecebfc0bdc446976c6e262322d345888b65e5ead956ff455771fb7ee736b5f1cd8134d2753e6cc6641c39c30b5e787256c23fa3927b0