Analysis
max time kernel: 149s
max time network: 145s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25/12/2023, 17:05
Static task: static1
Behavioral task: behavioral1
  Sample: 3554553.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 3554553.exe
  Resource: win10v2004-20231215-en
General
Target: 3554553.exe
Size: 4.5MB
MD5: 25a1e0a4d436eea408e79a07f45ff684
SHA1: da6fbf78868b855451769fb1255f7c2cdef66ace
SHA256: 8f4c3348423dbc5dadff663216b4b015109535a06e5a81fb7cb3993a90ff26c5
SHA512: f7d17b6ce23042d30d9f9bad91684e627b1f8f9bb79ec2c67c3b79791f5444a2fabdcccee48ef3335df3a262060a7300d32aa81a36a1e48fc4299b6668e91df5
SSDEEP: 98304:pKF6T4Y6cTie8X081BO2hVvXMtld70frtH1EOq+kYc6EPGo7v4+uT:QFrdSiekO2XvXMtld7WkYc6EC+uT
Malware Config
Signatures

XMRig Miner payload (9 IoCs)
resource  yara_rule
behavioral1/memory/2416-72-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/2416-75-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/2416-77-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/2416-79-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/2416-78-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/2416-76-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/2416-73-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/2416-81-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral1/memory/2416-80-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
Creates new service(s) (1 TTPs)

Stops running service(s) (3 TTPs)
Executes dropped EXE (4 IoCs)
pid   Process
2000  2311.exe
2732  115.exe
480   Process not Found
2160  Firefox.exe

Loads dropped DLL (4 IoCs)
pid   Process
2092  cmd.exe
2000  2311.exe
2000  2311.exe
480   Process not Found

UPX yara matches (14 IoCs)
resource  yara_rule
behavioral1/memory/2416-71-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/2416-72-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/2416-75-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/2416-77-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/2416-79-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/2416-78-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/2416-76-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/2416-73-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/2416-70-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/2416-69-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/2416-68-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/2416-66-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/2416-81-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral1/memory/2416-80-0x0000000140000000-0x0000000140848000-memory.dmp  upx
Drops file in System32 directory (4 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
File opened for modification  C:\Windows\system32\MRT.exe  115.exe
File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
File opened for modification  C:\Windows\system32\MRT.exe  Firefox.exe
Suspicious use of SetThreadContext (2 IoCs)
description  pid  Process  procid_target
PID 2160 set thread context of 1476  2160  Firefox.exe  41
PID 2160 set thread context of 2416  2160  Firefox.exe  38
Drops file in Windows directory (2 IoCs)
description  ioc  Process
File created  C:\Windows\wusa.lock  wusa.exe
File created  C:\Windows\wusa.lock  wusa.exe
Launches sc.exe (14 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid   Process
684   sc.exe
2004  sc.exe
2208  sc.exe
2484  sc.exe
3036  sc.exe
2260  sc.exe
2296  sc.exe
2532  sc.exe
2200  sc.exe
1840  sc.exe
2640  sc.exe
2820  sc.exe
1280  sc.exe
1904  sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (2 IoCs)
description  ioc  Process
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage  powershell.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d07e5a8a5437da01  powershell.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; identical rows collapsed, count in last column)
pid   Process         entries
2732  115.exe         16
2736  powershell.exe  1
2160  Firefox.exe     14
2156  powershell.exe  1
2416  conhost.exe     32
Suspicious use of AdjustPrivilegeToken (11 IoCs)
description  pid  Process
Token: SeDebugPrivilege  2736  powershell.exe
Token: SeShutdownPrivilege  1420  powercfg.exe
Token: SeShutdownPrivilege  1676  powercfg.exe
Token: SeShutdownPrivilege  1900  powercfg.exe
Token: SeShutdownPrivilege  1648  powercfg.exe
Token: SeDebugPrivilege  2156  powershell.exe
Token: SeShutdownPrivilege  1080  powercfg.exe
Token: SeShutdownPrivilege  1108  powercfg.exe
Token: SeShutdownPrivilege  588  powercfg.exe
Token: SeShutdownPrivilege  584  powercfg.exe
Token: SeLockMemoryPrivilege  2416  conhost.exe
Suspicious use of WriteProcessMemory (32 IoCs; identical rows collapsed, count in last column)
description  pid  Process  procid_target  entries
PID 2112 wrote to memory of 2092  2112  3554553.exe  26  4
PID 2092 wrote to memory of 2000  2092  cmd.exe  24  4
PID 2000 wrote to memory of 2732  2000  2311.exe  23  4
PID 2636 wrote to memory of 2712  2636  cmd.exe  83  3
PID 2264 wrote to memory of 1968  2264  cmd.exe  55  3
PID 2160 wrote to memory of 1476  2160  Firefox.exe  41  9
PID 2160 wrote to memory of 2416  2160  Firefox.exe  38  5
Processes

C:\Users\Admin\AppData\Local\Temp\3554553.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3554553.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2112

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\2121.bat" "
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2092

C:\Users\Admin\AppData\Roaming\115.exe
  Command line: "C:\Users\Admin\AppData\Roaming\115.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2732

    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2736

    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe start "Firefox"
      - Launches sc.exe
      PID: 2208

    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe stop eventlog
      - Launches sc.exe
      PID: 2200

    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe create "Firefox" binpath= "C:\ProgramData\Firefox.exe" start= "auto"
      - Launches sc.exe
      PID: 1280

    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe delete "Firefox"
      - Launches sc.exe
      PID: 1904

    C:\Windows\system32\powercfg.exe
      Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken
      PID: 1900

    C:\Windows\system32\powercfg.exe
      Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken
      PID: 1676

    C:\Windows\system32\powercfg.exe
      Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken
      PID: 1648

    C:\Windows\system32\powercfg.exe
      Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken
      PID: 1420

    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe stop dosvc
      - Launches sc.exe
      PID: 1840

    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe stop bits
      - Launches sc.exe
      PID: 2484

    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe stop wuauserv
      - Launches sc.exe
      PID: 3036

    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
      - Launches sc.exe
      PID: 2640

    C:\Windows\system32\sc.exe
      Command line: C:\Windows\system32\sc.exe stop UsoSvc
      - Launches sc.exe
      PID: 2820

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      - Suspicious use of WriteProcessMemory
      PID: 2636

C:\Users\Admin\AppData\Roaming\2311.exe
  Command line: 2311 -p123 -dC:\Users\Admin\AppData\Roaming
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2000

C:\Windows\system32\conhost.exe
  Command line: conhost.exe
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2416

C:\Windows\system32\conhost.exe
  Command line: C:\Windows\system32\conhost.exe
  PID: 1476

C:\Windows\system32\powercfg.exe
  Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  - Suspicious use of AdjustPrivilegeToken
  PID: 1108

C:\Windows\system32\powercfg.exe
  Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  - Suspicious use of AdjustPrivilegeToken
  PID: 584

C:\Windows\system32\powercfg.exe
  Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  - Suspicious use of AdjustPrivilegeToken
  PID: 588

C:\Windows\system32\powercfg.exe
  Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  - Suspicious use of AdjustPrivilegeToken
  PID: 1080

C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe stop dosvc
  - Launches sc.exe
  PID: 684

C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe stop bits
  - Launches sc.exe
  PID: 2260

C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe stop wuauserv
  - Launches sc.exe
  PID: 2296

C:\Windows\system32\wusa.exe
  Command line: wusa /uninstall /kb:890830 /quiet /norestart
  - Drops file in Windows directory
  PID: 1968

C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
  - Launches sc.exe
  PID: 2532

C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe stop UsoSvc
  - Launches sc.exe
  PID: 2004

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  - Suspicious use of WriteProcessMemory
  PID: 2264

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2156

C:\ProgramData\Firefox.exe
  Command line: C:\ProgramData\Firefox.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2160

C:\Windows\system32\wusa.exe
  Command line: wusa /uninstall /kb:890830 /quiet /norestart
  - Drops file in Windows directory
  PID: 2712
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 279KB
MD5: 912197612ba46f17e7e3848a01c4a39f
SHA1: f8dfed89890be5310959bfbdc2e1bbe047c6e919
SHA256: dbb12c4f28e52c76b8e031b9f0c39a9071d571eb12833490f4795da2d339d425
SHA512: 3fb6ca9bd771adb79b482a5b0b829f309d49e1606bcd3aca0117c41d6fded82fa6f96cc436f90c83b8dd49739be0b3d127d7dbf4225a75e9c0b9e0ab1668952b

Filesize: 115KB
MD5: d0590be13d5688c02f1a4b4afe657a38
SHA1: a432c80c14d9e28ceda1f8c012bb969ff5528212
SHA256: 58501b4e4179fb8a92f03c8bbdef6326a4ce65eeb29c0c49f0e9910aa4dce91e
SHA512: 8d21008b954fe7037a5ca405d9ee6718083bf05138fa594c72ef3b3763c868f42a465d3b0004f794602bf24ab1a2e41353b742dc9d39099a08c554ac0c78c159

Filesize: 560KB
MD5: 3d95bf22f2bbd88b521ac9da54fb8ed4
SHA1: dde19153dd722d107d5d5ccf307b60ae719765a4
SHA256: 1b0c400d6e43a5cb27a9f45a53b689d0eb294004d7e29015e4bd26efd9900da5
SHA512: e69081726abcbd8a7f815a284f46ee07df41c14b0d387ce794e676c8c90f7ae748bae737a42e4950b83a0ceb6678bad9526f7377a9b328234fdda1d37c8dde35

Filesize: 385KB
MD5: 991e240f6be98e108c60b6b7c9dcfaa4
SHA1: 21b6c9fb5859e5ff6ea74f8e487c12d52da459d3
SHA256: 46fc1cbc54289a95092ee1615cf26ace004b9c901b3f41a8d3692f501122098e
SHA512: cbe383171e537ddc0b5e060260866178f59229e02e038c198df48b35544f4c0cfd4c8329c2dd41a48f1f9cad7f84d38f847358520224bf3c60b0e7958f0adada

Filesize: 17KB
MD5: 0f407c8a9f87a5586077dc7e52ae9b3e
SHA1: 7d309aa919f12f3cfcd4ef8b0a2cebefcef252d4
SHA256: b51a1f6a1f10e63d7f49611e53a9e2736b718c638aa608322d4806390a4031cf
SHA512: c62e102aee7f73eaa1b791ca27576f3180d122afb2ef4db67d449dacd1de78611f16bcb1ae66afa2128a10ff7d8b4e81eb8be401e3225bbad2f5af5d8283f39d

Filesize: 22B
MD5: 124010ee831f1263a1bfff78fe7c5e1d
SHA1: ab25a327d550aa8ac3b616d1cd9e91cf4a9179d0
SHA256: 9ffca63f74d789d6857d3b48855eb8cedbf37265739556983f519c75b4a2d903
SHA512: ea99fdc3ca643e4d3dcd7c7ef17ad1fcb47463c8e123e0954b33ce8279d3b43e728635372c6fefc3b63b268df0268a2105503dd258d33002047beb6a9f4323eb

Filesize: 30KB
MD5: 49264fc9f0a313f8ab30242db7982dfc
SHA1: 751cdc15bd744d877cee41bfcd8445336a42efaa
SHA256: 4ae704e58cdcc8af203c463ff6acd2d4d492d016db9e951c4fbcf92b267d474f
SHA512: c9de753f73f6be5628e57718262436e24a5d2b9ca9e2b07ba76ce1f1d97054a0c5bda501b1e8d14b00a8f383a751b7ccc8f1f8fcb1b1c36ccbccae6459bafdd2

Filesize: 108KB
MD5: 26404b10b96d1e94b5ed0fbbcfc42e47
SHA1: ba81fc25578210d972e29c7c1db31af15ed70a86
SHA256: 46728de54c6ea31bfe74edb18c3b7e96bf734da8e83a0adf89396eef43ce4f8a
SHA512: 473a306453a5513aff20c9b3e8d3d5947bd5eecd130b719ff848647495fa2f3a00140cde2beed9a30e817c06a9387d375e1077ffe722ea71e0dcd230e66f258c

Filesize: 199KB
MD5: 998ac0212b619e532d5d866877ed74e7
SHA1: ee9bd63d886af34da379237bb98a77cfdd30abc3
SHA256: b71d6bdf53d095d204e7e53d9f74f005b5226e420e2da5d7abadc05753814076
SHA512: f0f37d78da86af5f1c183ef09ff76c083bcdcabe76ff6420b1a8ca158d4d1862e3d0ff0059e0e6ebc14394281518f05a1532f1beb3a41e21c5df3e412fae1070

Filesize: 255KB
MD5: 97ace791c5ae10a61454c25b0acb8d7d
SHA1: 70f71950bec668f31313d7b56a1faa71be99618c
SHA256: 8e2544d48424c95cfb8cf375251b37f44e6fcd9f405e5e7d395578fdcb0bdf2b
SHA512: 08340daee594a59b4e0186e9494b6d15958dbe64553093c0094ec821b290e5f120cab678e96648cee76972c329f1d5c73a7d3d31026638a2c6e8baf129afcda1

Filesize: 511KB
MD5: b1e1f59681c15cb6e81adda76fd31437
SHA1: 904cc741cb7da6a716e6720aa3aae004c66c6a1e
SHA256: c3c5670a90ff94cce5268b56266aa364d1d0e317d19231c3e9f30ce8ca282ebf
SHA512: bb5149258c41d369c58a83b1a9b6d8b4fceb26385295bfa0204939522cad004afb1c613fea10575cc8e3c0285ca9bcf92c79d4a938e6ab7063a2477d56c37a6c

Filesize: 503KB
MD5: afa5f1752b721c97dd367dd88e0a037e
SHA1: 40e2794c0a6ff0433f9ac30cbe9d02ea0fb1cc1c
SHA256: cf1b9f3c56c5dfd0f41c5dc492aced8e0eaa20c865556c6698bbb94b7d79d8f7
SHA512: 6f2b29494a4ff17a4f48dee38a36a0841b4dbb171d636d1233f34c8165b41880be59dfed45f4738b8bb95d1071616463bad94cde4caefe8c2ef3047601a4d88d

Filesize: 345KB
MD5: 24c54350b178274c31089f90fbe206e2
SHA1: c5d293e1d0d589dca4b0f46ecd10dd383b0a36b3
SHA256: f38d187b1f8b67536aedc770a13d51181a35765d669fe19f527639044666b4d5
SHA512: 84f218feb86f0d404a6cf5513da5f9f069fad00133d9ddddf1b6cb96caad0d28d907811aac7a83db14a2b5375b2ffc24e4d6cc81d25534ec490aa86c634c2ccc