Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
26s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
25/12/2023, 18:37
Static task
static1
Behavioral task
behavioral1
Sample
35016c4bc187c4a4a06866399fe35650.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
35016c4bc187c4a4a06866399fe35650.exe
Resource
win10v2004-20231222-en
General
-
Target
35016c4bc187c4a4a06866399fe35650.exe
-
Size
708KB
-
MD5
35016c4bc187c4a4a06866399fe35650
-
SHA1
53c87f60f44492453c3d6e94eee5f63464b029dd
-
SHA256
a6d21d179c1f801bc655a19cbdb6a11f7050d4b81bc98696d9d2a2d9b63bf437
-
SHA512
f596ee5b836a14bb0f046143892e772388789567541f15fbaba44b6e452d942e10bfadbc95b51474b452f894997c9c32f4e75730aa81dd2d3e5ad83c1c2489d9
-
SSDEEP
12288:ihdUZQ75UTWAnhZMYmPabdQNED+YnsdFtxDk5TLhuCDH1EoqWU:ivUZQNGWAnhZMzaSxYnsdWJluUc
Malware Config
Signatures
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate 35016c4bc187c4a4a06866399fe35650.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rnkfvrf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate rnkfvrf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion wszlzxj.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate wszlzxj.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 35016c4bc187c4a4a06866399fe35650.exe -
Executes dropped EXE 4 IoCs
pid Process 2800 rnkfvrf.exe 2820 rnkfvrf.exe 2472 wszlzxj.exe 968 wszlzxj.exe -
Loads dropped DLL 5 IoCs
pid Process 2456 35016c4bc187c4a4a06866399fe35650.exe 2456 35016c4bc187c4a4a06866399fe35650.exe 2800 rnkfvrf.exe 2820 rnkfvrf.exe 2820 rnkfvrf.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\SysWOW64\rnkfvrf.exe 35016c4bc187c4a4a06866399fe35650.exe File opened for modification C:\Windows\SysWOW64\rnkfvrf.exe 35016c4bc187c4a4a06866399fe35650.exe File created C:\Windows\SysWOW64\wszlzxj.exe rnkfvrf.exe File opened for modification C:\Windows\SysWOW64\wszlzxj.exe rnkfvrf.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{723B3A73-988E-42E1-1DC3-5D4683FB2476} 35016c4bc187c4a4a06866399fe35650.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{723B3A73-988E-42E1-1DC3-5D4683FB2476}\ = "UPnP Service Provider Class" 35016c4bc187c4a4a06866399fe35650.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{723B3A73-988E-42E1-1DC3-5D4683FB2476}\InprocServer32 35016c4bc187c4a4a06866399fe35650.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{723B3A73-988E-42E1-1DC3-5D4683FB2476}\InprocServer32\ = "C:\\Windows\\SysWOW64\\fdssdp.dll" 35016c4bc187c4a4a06866399fe35650.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{723B3A73-988E-42E1-1DC3-5D4683FB2476}\InprocServer32\ThreadingModel = "Both" 35016c4bc187c4a4a06866399fe35650.exe -
NTFS ADS 4 IoCs
description ioc Process File opened for modification C:\ProgramData\TEMP:474A6CD6 rnkfvrf.exe File opened for modification C:\ProgramData\TEMP:474A6CD6 wszlzxj.exe File created C:\ProgramData\TEMP:474A6CD6 35016c4bc187c4a4a06866399fe35650.exe File opened for modification C:\ProgramData\TEMP:474A6CD6 35016c4bc187c4a4a06866399fe35650.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process Token: 33 2456 35016c4bc187c4a4a06866399fe35650.exe Token: SeIncBasePriorityPrivilege 2456 35016c4bc187c4a4a06866399fe35650.exe Token: 33 2456 35016c4bc187c4a4a06866399fe35650.exe Token: SeIncBasePriorityPrivilege 2456 35016c4bc187c4a4a06866399fe35650.exe Token: 33 2820 rnkfvrf.exe Token: SeIncBasePriorityPrivilege 2820 rnkfvrf.exe Token: 33 2820 rnkfvrf.exe Token: SeIncBasePriorityPrivilege 2820 rnkfvrf.exe Token: 33 968 wszlzxj.exe Token: SeIncBasePriorityPrivilege 968 wszlzxj.exe Token: 33 968 wszlzxj.exe Token: SeIncBasePriorityPrivilege 968 wszlzxj.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 2548 wrote to memory of 2456 2548 35016c4bc187c4a4a06866399fe35650.exe 28 PID 2548 wrote to memory of 2456 2548 35016c4bc187c4a4a06866399fe35650.exe 28 PID 2548 wrote to memory of 2456 2548 35016c4bc187c4a4a06866399fe35650.exe 28 PID 2548 wrote to memory of 2456 2548 35016c4bc187c4a4a06866399fe35650.exe 28 PID 2548 wrote to memory of 2456 2548 35016c4bc187c4a4a06866399fe35650.exe 28 PID 2548 wrote to memory of 2456 2548 35016c4bc187c4a4a06866399fe35650.exe 28 PID 2456 wrote to memory of 2800 2456 35016c4bc187c4a4a06866399fe35650.exe 29 PID 2456 wrote to memory of 2800 2456 35016c4bc187c4a4a06866399fe35650.exe 29 PID 2456 wrote to memory of 2800 2456 35016c4bc187c4a4a06866399fe35650.exe 29 PID 2456 wrote to memory of 2800 2456 35016c4bc187c4a4a06866399fe35650.exe 29 PID 2800 wrote to memory of 2820 2800 rnkfvrf.exe 30 PID 2800 wrote to memory of 2820 2800 rnkfvrf.exe 30 PID 2800 wrote to memory of 2820 2800 rnkfvrf.exe 30 PID 2800 wrote to memory of 2820 2800 rnkfvrf.exe 30 PID 2800 wrote to memory of 2820 2800 rnkfvrf.exe 30 PID 2800 wrote to memory of 2820 2800 rnkfvrf.exe 30 PID 2820 wrote to memory of 2472 2820 rnkfvrf.exe 32 PID 2820 wrote to memory of 2472 2820 rnkfvrf.exe 32 PID 2820 wrote to memory of 2472 2820 rnkfvrf.exe 32 PID 2820 wrote to memory of 2472 2820 rnkfvrf.exe 32 PID 2472 wrote to memory of 968 2472 wszlzxj.exe 31 PID 2472 wrote to memory of 968 2472 wszlzxj.exe 31 PID 2472 wrote to memory of 968 2472 wszlzxj.exe 31 PID 2472 wrote to memory of 968 2472 wszlzxj.exe 31 PID 2472 wrote to memory of 968 2472 wszlzxj.exe 31 PID 2472 wrote to memory of 968 2472 wszlzxj.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\35016c4bc187c4a4a06866399fe35650.exe"C:\Users\Admin\AppData\Local\Temp\35016c4bc187c4a4a06866399fe35650.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Users\Admin\AppData\Local\Temp\35016c4bc187c4a4a06866399fe35650.exe"C:\Users\Admin\AppData\Local\Temp\35016c4bc187c4a4a06866399fe35650.exe"2⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\rnkfvrf.exeC:\Windows\system32\rnkfvrf.exe 728 "C:\Users\Admin\AppData\Local\Temp\35016c4bc187c4a4a06866399fe35650.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\rnkfvrf.exeC:\Windows\system32\rnkfvrf.exe 728 "C:\Users\Admin\AppData\Local\Temp\35016c4bc187c4a4a06866399fe35650.exe"4⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\wszlzxj.exeC:\Windows\system32\wszlzxj.exe 744 "C:\Windows\SysWOW64\rnkfvrf.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472
-
-
-
-
-
C:\Windows\SysWOW64\wszlzxj.exeC:\Windows\system32\wszlzxj.exe 744 "C:\Windows\SysWOW64\rnkfvrf.exe"1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:968
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92KB
MD5b300a70019785e4eb4ea104fb9a0716c
SHA11461598ad8d1de0bac72691cff4143fc62f62216
SHA2569925e96afb7cfebfdaee72fdc0c3168a30c6f21983a651f50cd438110ca83dfa
SHA512baebe64e21b838598607f6f0162d8b7abac46555b60c58395d008ef74befbdf8e8f51a568a511710016ebb02466900a000e9f7886fff0f15d7c48d5769c9eea6