Analysis
max time kernel: 151s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231025-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/11/2023, 12:03
Behavioral tasks
- behavioral1: sample 7c8dd8652f58dc1be9d0f313dd7ed2c97fb698860d08ea0753e932fa2bb6e573.exe, resource win7-20231023-en
- behavioral2: sample 7c8dd8652f58dc1be9d0f313dd7ed2c97fb698860d08ea0753e932fa2bb6e573.exe, resource win10v2004-20231025-en
General
Target: 7c8dd8652f58dc1be9d0f313dd7ed2c97fb698860d08ea0753e932fa2bb6e573.exe
Size: 223KB
MD5: 481ae3f07c96b7beac6e90a319beeb15
SHA1: 62c08dbdc7c4ccde919dcdcc4e689957bb7ae713
SHA256: 7c8dd8652f58dc1be9d0f313dd7ed2c97fb698860d08ea0753e932fa2bb6e573
SHA512: 3dce6ae29525f1308c94e35bf4d87983d49f2e30e0799c3474f291632212874212f6339766c72a5efed5f90ca5f84c27f5207dade4bf86468bce0e5d0f3ba719
SSDEEP: 6144:8wPSUONLNsuWA7koN+boRhZ2VUUaSaE0A6Xvd2:8OuW5o/oVU1r5w
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
- description: PID 3292 created 604; pid: 3292; Process: Explorer.EXE; procid_target: 3
The process tree below records Dxpserver.exe (PID 4700) as a child of winlogon.exe (PID 604), while the WriteProcessMemory rows show Explorer.EXE (3292) writing into 4700: the dropped payload is started from Explorer.EXE with a parent other than the creating process, so it appears under winlogon.exe.
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
- File created: C:\Windows\System32\drivers\72NDIPhq.sys (Dxpserver.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation (7c8dd8652f58dc1be9d0f313dd7ed2c97fb698860d08ea0753e932fa2bb6e573.exe)
Executes dropped EXE 1 IoCs
- pid 4700: Dxpserver.exe
Yara rule match: upx 5 IoCs
- behavioral2/memory/4688-0-0x00000000003D0000-0x000000000043E000-memory.dmp
- behavioral2/memory/4688-52-0x00000000003D0000-0x000000000043E000-memory.dmp
- behavioral2/memory/4688-53-0x00000000003D0000-0x000000000043E000-memory.dmp
- behavioral2/memory/4688-55-0x00000000003D0000-0x000000000043E000-memory.dmp
- behavioral2/files/0x0006000000022e28-70.dat
Unexpected DNS network traffic destination 1 IoCs
Traffic on the DNS port to a server other than the configured DNS servers was detected.
- Destination IP: 114.114.114.114
114.114.114.114 is the public 114DNS resolver; a hard-coded resolver bypasses the host's configured DNS servers and any filtering or logging applied there.
Drops file in System32 directory 11 IoCs
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475 (Dxpserver.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173 (Dxpserver.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C (Dxpserver.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475 (Dxpserver.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B (Dxpserver.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B (Dxpserver.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 (Dxpserver.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 (Dxpserver.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173 (Dxpserver.exe)
- File created: C:\Windows\system32\ \Windows\System32\m8yLBDwW.sys (Dxpserver.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C (Dxpserver.exe)
CryptnetUrlCache is where CryptoAPI caches network retrievals (CRL, AIA and OCSP fetches); writes under config\systemprofile and, below, under HKEY_USERS\.DEFAULT are consistent with Dxpserver.exe running as LocalSystem, which matches its placement under winlogon.exe in the process tree.
Drops file in Windows directory 3 IoCs
- File created: C:\Windows\Logs\Dxpserver.exe (Explorer.EXE)
- File opened for modification: C:\Windows\Logs\Dxpserver.exe (Explorer.EXE)
- File created: C:\Windows\YT5Mzr.sys (Dxpserver.exe)
The payload is written by Explorer.EXE, not by the sample itself: the WriteProcessMemory rows show the sample (4688) writing into Explorer.EXE (3292) before Explorer drops and starts Dxpserver.exe.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (Dxpserver.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 (Dxpserver.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 (Dxpserver.exe)
Delays execution with timeout.exe 1 IoCs
- pid 4252: timeout.exe
Modifies data under HKEY_USERS 9 IoCs
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (Dxpserver.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (Dxpserver.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (Dxpserver.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (Dxpserver.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (Dxpserver.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (Dxpserver.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (Dxpserver.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (Dxpserver.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (Dxpserver.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
- pid 4688: 7c8dd8652f58dc1be9d0f313dd7ed2c97fb698860d08ea0753e932fa2bb6e573.exe (10 occurrences)
- pid 3292: Explorer.EXE (4 occurrences)
- pid 4700: Dxpserver.exe (50 occurrences)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3292 Explorer.EXE -
Suspicious behavior: LoadsDriver 3 IoCs
- pid 672: Process not Found (3 occurrences)
Three driver loads were recorded and attributed to PID 672, which does not appear in the captured process tree; three .sys files are dropped by Dxpserver.exe (72NDIPhq.sys, m8yLBDwW.sys, YT5Mzr.sys, see above).
Suspicious use of AdjustPrivilegeToken 12 IoCs
- Token SeDebugPrivilege: pid 4688, 7c8dd8652f58dc1be9d0f313dd7ed2c97fb698860d08ea0753e932fa2bb6e573.exe
- Token SeTcbPrivilege: pid 4688, 7c8dd8652f58dc1be9d0f313dd7ed2c97fb698860d08ea0753e932fa2bb6e573.exe
- Token SeDebugPrivilege: pid 4688, 7c8dd8652f58dc1be9d0f313dd7ed2c97fb698860d08ea0753e932fa2bb6e573.exe
- Token SeDebugPrivilege: pid 3292, Explorer.EXE
- Token SeDebugPrivilege: pid 3292, Explorer.EXE
- Token SeDebugPrivilege: pid 4688, 7c8dd8652f58dc1be9d0f313dd7ed2c97fb698860d08ea0753e932fa2bb6e573.exe
- Token SeDebugPrivilege: pid 4700, Dxpserver.exe
- Token SeDebugPrivilege: pid 4700, Dxpserver.exe
- Token SeDebugPrivilege: pid 4700, Dxpserver.exe
- Token SeIncBasePriorityPrivilege: pid 4688, 7c8dd8652f58dc1be9d0f313dd7ed2c97fb698860d08ea0753e932fa2bb6e573.exe
- Token SeShutdownPrivilege: pid 3292, Explorer.EXE
- Token SeCreatePagefilePrivilege: pid 3292, Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3292 Explorer.EXE -
Suspicious use of WriteProcessMemory 23 IoCs
- PID 4688 (7c8dd8652f58dc1be9d0f313dd7ed2c97fb698860d08ea0753e932fa2bb6e573.exe) wrote to memory of 3292 (Explorer.EXE), procid_target 40: 5 occurrences
- PID 3292 (Explorer.EXE) wrote to memory of 4700 (Dxpserver.exe), procid_target 94: 7 occurrences
- PID 4688 (7c8dd8652f58dc1be9d0f313dd7ed2c97fb698860d08ea0753e932fa2bb6e573.exe) wrote to memory of 604 (winlogon.exe), procid_target 3: 5 occurrences
- PID 4688 (7c8dd8652f58dc1be9d0f313dd7ed2c97fb698860d08ea0753e932fa2bb6e573.exe) wrote to memory of 896 (cmd.exe), procid_target 98: 3 occurrences
- PID 896 (cmd.exe) wrote to memory of 4252 (timeout.exe), procid_target 100: 3 occurrences
Processes
C:\Windows\system32\winlogon.exe  [winlogon.exe]  PID 604
  C:\Windows\Logs\Dxpserver.exe  ["C:\Windows\Logs\Dxpserver.exe"]  PID 4700
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\Explorer.EXE  [C:\Windows\Explorer.EXE]  PID 3292
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\7c8dd8652f58dc1be9d0f313dd7ed2c97fb698860d08ea0753e932fa2bb6e573.exe  ["C:\Users\Admin\AppData\Local\Temp\7c8dd8652f58dc1be9d0f313dd7ed2c97fb698860d08ea0753e932fa2bb6e573.exe"]  PID 4688
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  ["C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\7c8dd8652f58dc1be9d0f313dd7ed2c97fb698860d08ea0753e932fa2bb6e573.exe"]  PID 896
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\timeout.exe  [timeout /t 1]  PID 4252
        - Delays execution with timeout.exe
Each entry is image path, [command line] and PID; indentation gives the parent. The cmd.exe/timeout.exe pair is the sample deleting its own file after a one-second delay. Both resolve to SysWOW64 although the command line names System32, i.e. the sample is a 32-bit process and its child launches go through WOW64 file-system redirection (the resource tags above list arch:x86 alongside arch:x64).
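The behaviours in the Signatures section and the process tree above can be expressed as triage rules. What follows is an example added by the editor, not tria.ge output and not code recovered from the sample: it runs five checks (parent other than the creating process, dropped file later executed, random-named .sys dropped, cmd.exe self-deletion, DNS-port traffic to a non-configured resolver) over a hand-constructed, Sysmon-like event list modelled on this report. PIDs, image paths, the command line and the DNS destination are copied from the page; the event field names, the memwrite record type and the configured-resolver address 10.0.0.1 are assumptions.

```python
"""
Triage rules over a constructed event log modelled on the tria.ge report.
Editor's example, not tria.ge or sample code. Field names loosely follow
Sysmon; the records are hand-written from the report, not captured telemetry.
"""
import re
from typing import Dict, List

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7c8dd8652f58dc1be9d0f313dd7ed2c97fb698860d08ea0753e932fa2bb6e573.exe"
DROPPED = r"C:\Windows\Logs\Dxpserver.exe"

# Constructed events (PIDs/paths from the report; ordering mirrors the process tree).
EVENTS = [
    {"type": "process", "pid": 604, "ppid": None, "image": r"C:\Windows\System32\winlogon.exe", "cmd": "winlogon.exe"},
    {"type": "process", "pid": 3292, "ppid": None, "image": r"C:\Windows\Explorer.EXE", "cmd": r"C:\Windows\Explorer.EXE"},
    {"type": "process", "pid": 4688, "ppid": 3292, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"type": "file", "pid": 3292, "target": DROPPED},
    # Recorded parent is winlogon.exe (604) but Explorer.EXE (3292) writes into the
    # new process: the NtCreateUserProcessOtherParentProcess signature.
    {"type": "process", "pid": 4700, "ppid": 604, "image": DROPPED, "cmd": f'"{DROPPED}"'},
    {"type": "memwrite", "pid": 3292, "target_pid": 4700},
    {"type": "file", "pid": 4700, "target": r"C:\Windows\System32\drivers\72NDIPhq.sys"},
    {"type": "file", "pid": 4700, "target": r"C:\Windows\YT5Mzr.sys"},
    {"type": "dns", "pid": 4700, "dst": "114.114.114.114", "dport": 53},
    {"type": "process", "pid": 896, "ppid": 4688, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": f'"C:\\Windows\\System32\\cmd.exe" /c timeout /t 1 & del /Q /F "{SAMPLE}"'},
    {"type": "process", "pid": 4252, "ppid": 896, "image": r"C:\Windows\SysWOW64\timeout.exe", "cmd": "timeout /t 1"},
]

SYSTEM_PARENTS = {"winlogon.exe", "lsass.exe", "services.exe", "csrss.exe", "wininit.exe"}
CONFIGURED_RESOLVERS = {"10.0.0.1"}  # assumption: the environment's configured DNS server
# "timeout /t N & del ... <path>": capture the deleted path.
SELF_DELETE = re.compile(r'timeout\s+/t\s+\d+\s*&+\s*del\b.*?"?([A-Za-z]:\\[^"]+)', re.IGNORECASE)
# Crude random-name heuristic: 6-8 alphanumerics mixing lower case with upper case/digits.
RANDOM_STEM = re.compile(r"^(?=.*[a-z])(?=.*[A-Z0-9])[A-Za-z0-9]{6,8}$")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def run_rules(events: List[Dict], resolvers=CONFIGURED_RESOLVERS) -> List[Dict]:
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    created = {e["target"].lower(): e["pid"] for e in events if e["type"] == "file"}
    findings = []
    for e in events:
        if e["type"] == "process":
            pid, ppid, image = e["pid"], e["ppid"], e["image"]
            parent = procs.get(ppid)
            # 1. Recorded parent is a privileged system process, yet a different
            #    process wrote into the new process's memory.
            writers = {w["pid"] for w in events if w["type"] == "memwrite" and w["target_pid"] == pid}
            if parent and basename(parent["image"]).lower() in SYSTEM_PARENTS and writers - {ppid}:
                findings.append({"rule": "spoofed_parent", "pid": pid,
                                 "detail": f"recorded parent {ppid}, memory written by {sorted(writers)}"})
            # 2. The executed image was written earlier by another process.
            dropper = created.get(image.lower())
            if dropper is not None and dropper != pid:
                findings.append({"rule": "dropped_exe_executed", "pid": pid,
                                 "detail": f"{image} written by pid {dropper}"})
            # 3. cmd.exe deleting its parent's own image after a timeout.
            m = SELF_DELETE.search(e["cmd"])
            if m and parent and m.group(1).lower() == parent["image"].lower():
                findings.append({"rule": "self_delete", "pid": pid,
                                 "detail": f"deletes parent image {parent['image']}"})
        elif e["type"] == "file":
            # 4. A .sys file with a random-looking name dropped by an ordinary process.
            name = basename(e["target"])
            if name.lower().endswith(".sys") and RANDOM_STEM.match(name[:-4]):
                findings.append({"rule": "random_driver_drop", "pid": e["pid"], "detail": e["target"]})
        elif e["type"] == "dns":
            # 5. DNS-port traffic to anything other than the configured resolvers.
            if e["dport"] == 53 and e["dst"] not in resolvers:
                findings.append({"rule": "rogue_dns", "pid": e["pid"], "detail": e["dst"]})
    return findings


if __name__ == "__main__":
    for f in run_rules(EVENTS):
        print(f"{f['rule']:22} pid={f['pid']:<5} {f['detail']}")
```

Rule 4 is a name heuristic only and will also fire on some legitimate drivers; in production pair it with a catalog/signature check on the dropped file. Rule 1 needs process-access telemetry (Sysmon event 10 or equivalent) to supply the memwrite records; without it, the parent recorded by the OS is all the event log will show.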
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 14.1MB
  MD5: a7ef23896bd75e4cf69595d10cac31ac
  SHA1: 6882cc47f35317decd34213a550473c6aa83a908
  SHA256: 3148f6ce8f8cd6246cb222715925a6a6066d573e92bf5441a8f191884870810c
  SHA512: 1f8efa9855b5f9b768a2cd445986de7f5c4a2adec31afa5b92530651a8f99fcb43f25eaa2469c5ea7c1e7e04b3a5fd41f61bc1b322d9489ad11494ad4164f08c
- Filesize: 310KB
  MD5: 6344f1a7d50da5732c960e243c672165
  SHA1: b6d0236f79d4f988640a8445a5647aff5b5410f7
  SHA256: b1081651ac33610824e2088ff64d1655993dd3d6073af1e5ffe0b4a0027f502f
  SHA512: 73f6fa01b880e6619fafa065c171bd0a2b7b2d908762b5aca15f2b8d856b5501b3884e3566ef9b8032c8cbf9bb15116e60c22fded4656c8857c974cda4213d65