Analysis
max time kernel: 150s
max time network: 148s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 26/12/2023, 06:28
Static task: static1
Behavioral task: behavioral1
Sample: 599efaa8ae4f37beda54f57b98b09da0.dll
Resource: win7-20231129-en
General
Target: 599efaa8ae4f37beda54f57b98b09da0.dll
Size: 456KB
MD5: 599efaa8ae4f37beda54f57b98b09da0
SHA1: 140022bf32af7d27896d8e85af3c42d49ae4b5da
SHA256: 24b7d682b49cdce81fd7a6f9832a9c634ba2bd14fef7dd43ee92797d1def4f54
SHA512: aa70e5cbb83e79c75abe557dd57c6504969744f39398fb32089a0b61857c69bf46d983e4ada2ead80a2a6a1d7149431c3804a423e354cac0afaace92fa6ab2f3
SSDEEP: 6144:J4TmSt9uNNtXlD2K0Hp/59dB9SzH2xLBzWjKEyS4X1OGTUX7x8A3u:xYQtXlD2N7SD2xF0BY1DTUX7x8A3
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\kbnecnwr\\shfqmndf.exe"  by svchost.exe
  Note the Wow6432Node path: the writer is the 32-bit (SysWOW64) svchost.exe, so WOW64 registry redirection placed the value in the 32-bit view of the Winlogon key. The 64-bit Winlogon on this x64 image reads the native key, so this entry on its own would not launch shfqmndf.exe at logon; check both views of the key when hunting for this technique.
-
UAC bypass 1 IoCs
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  by svchost.exe
  EnableLUA = 0 disables UAC system-wide (effective after the next reboot) rather than bypassing a single prompt; this is the IoC behind the "UAC bypass" tag on svchost.exe (PID 2392) in the process tree.
-
Checks BIOS information in registry 2 TTPs 1 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  by svchost.exe
-
Drops startup file 2 IoCs
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shfqmndf.exe  by svchost.exe
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shfqmndf.exe  by svchost.exe
-
Executes dropped EXE 4 IoCs
  pid 3036  Pdf4513
  pid 2764  Pdf4513
  pid 2528  kmdlopfoanwroxda.exe
  pid 2852  kmdlopfoanwroxda.exe
-
Loads dropped DLL 9 IoCs
  pid 2944  rundll32.exe  (2 loads)
  pid 3036  Pdf4513  (1 load)
  pid 2764  Pdf4513  (5 loads)
  pid 2528  kmdlopfoanwroxda.exe  (1 load)
-
Adds Run key to start application 2 TTPs 1 IoCs
  Set value (str)  \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShfQmndf = "C:\\Users\\Admin\\AppData\\Local\\kbnecnwr\\shfqmndf.exe"  by svchost.exe
-
Suspicious use of SetThreadContext 2 IoCs
  pid 3036 Pdf4513 set thread context of pid 2764  (procid_target 32)
  pid 2528 kmdlopfoanwroxda.exe set thread context of pid 2852  (procid_target 34)
  In both cases the writer is the parent of the target and also wrote to the target's memory (see WriteProcessMemory below). A parent that writes into a child it just created and then resets that child's thread context is the process-hollowing pattern: each dropped executable starts a second copy of itself and redirects its entry point before the main thread runs.
-
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid 2392  svchost.exe  (64 events)
-
Suspicious behavior: LoadsDriver 1 IoCs
  pid 484  Process not Found  (the sandbox could not resolve the image for this pid)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
  pid 2764  Pdf4513: SeSecurityPrivilege, SeDebugPrivilege
  pid 2276  svchost.exe: SeSecurityPrivilege
  pid 2392  svchost.exe: SeSecurityPrivilege, SeDebugPrivilege, then a long alternating run of SeRestorePrivilege / SeBackupPrivilege
  pid 2852  kmdlopfoanwroxda.exe: SeSecurityPrivilege, SeLoadDriverPrivilege
  (64 token adjustments in total. SeDebugPrivilege is what a process needs to open processes it does not own for writing; SeBackupPrivilege and SeRestorePrivilege let it read and write files and registry keys regardless of their ACLs, which fits the repeated registry and Startup-folder writes by pid 2392.)
-
Suspicious use of WriteProcessMemory 51 IoCs
  pid 2928 rundll32.exe          wrote to memory of pid 2944 rundll32.exe           (7 writes, procid_target 16)
  pid 2944 rundll32.exe          wrote to memory of pid 3036 Pdf4513                (4 writes, procid_target 18)
  pid 3036 Pdf4513               wrote to memory of pid 2764 Pdf4513                (8 writes, procid_target 32)
  pid 2764 Pdf4513               wrote to memory of pid 2276 svchost.exe            (10 writes, procid_target 31)
  pid 2764 Pdf4513               wrote to memory of pid 2392 svchost.exe            (10 writes, procid_target 30)
  pid 2764 Pdf4513               wrote to memory of pid 2528 kmdlopfoanwroxda.exe   (4 writes, procid_target 33)
  pid 2528 kmdlopfoanwroxda.exe  wrote to memory of pid 2852 kmdlopfoanwroxda.exe  (8 writes, procid_target 34)
  Target image names are taken from the Processes section. Parent-to-child writes are also produced by ordinary process creation, so on their own they are weak evidence; the pairs that also appear under SetThreadContext (3036 to 2764, 2528 to 2852) and the writes into the two svchost.exe instances, which the tree does not attribute to any parent, are the ones that matter.
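The three "Set value" IoCs above are the whole persistence and UAC-tamper story of this sample. The following added Python example (not part of the tria.ge report) parses those exact lines, normalizes the kernel-style \REGISTRY\... paths to HKLM/HKU, strips and flags the Wow6432Node view, and classifies each write. The rule names, the normalization and the classification thresholds are this example's own conventions, not the sandbox's.

```python
"""Classify persistence / UAC-tamper registry writes from a sandbox report.

Added example for this report, not tria.ge code. The event lines below are
transcribed from the report's 'Set value' IoCs; the parser, hive normalization
and rule names are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed from the report's IoC lines:  Set value (type) path = "value" process
EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\kbnecnwr\\shfqmndf.exe" svchost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShfQmndf = "C:\\Users\\Admin\\AppData\\Local\\kbnecnwr\\shfqmndf.exe" svchost.exe',
]

LINE_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<value>.*)" (?P<proc>\S+)$')


@dataclass
class Finding:
    rule: str
    key: str        # normalized key, WOW64 view removed
    value: str
    process: str
    wow64_view: bool  # True if the write landed under Wow6432Node (32-bit view)


def normalize_key(path: str) -> Tuple[str, bool]:
    """Map a \\REGISTRY\\MACHINE|USER path to HKLM/HKU and strip the WOW64 view."""
    hive_map = {"\\REGISTRY\\MACHINE\\": "HKLM\\", "\\REGISTRY\\USER\\": "HKU\\"}
    key = path
    for prefix, hive in hive_map.items():
        if key.upper().startswith(prefix):
            key = hive + key[len(prefix):]
            break
    wow64 = "\\Wow6432Node\\" in key
    key = key.replace("\\Wow6432Node\\", "\\")
    return key, wow64


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a persistence / UAC-tamper write, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    key, wow64 = normalize_key(m["path"])
    value = m["value"].replace("\\\\", "\\")  # undo the report's backslash escaping
    low = key.lower()
    rule = None
    if low.endswith("\\winlogon\\userinit"):
        # The legitimate value is a single userinit.exe entry; every extra
        # comma-separated entry is executed at each interactive logon.
        entries = [e.strip() for e in value.split(",") if e.strip()]
        if len(entries) > 1 or not entries[0].lower().endswith("userinit.exe"):
            rule = "winlogon_userinit_hijack"
    elif low.endswith("\\policies\\system\\enablelua") and value.strip() == "0":
        rule = "uac_disabled"
    elif "\\currentversion\\run\\" in low:
        rule = "run_key_autostart"
    if rule is None:
        return None
    return Finding(rule, key, value, m["proc"], wow64)


def scan(lines) -> List[Finding]:
    return [f for f in (classify(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for f in scan(EVENTS):
        view = " [32-bit WOW64 view]" if f.wow64_view else ""
        print(f"{f.rule:26} {f.process:12} {f.key}{view} = {f.value}")
```

The wow64_view flag is the practical caveat from this report: a Userinit entry written under Wow6432Node is visible to 32-bit code but is not what the 64-bit Winlogon reads, so a hunt that only queries the native key would miss it and a hunt that only queries the native key would also overstate its impact.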
Processes
-
C:\Windows\system32\rundll32.exe   rundll32.exe C:\Users\Admin\AppData\Local\Temp\599efaa8ae4f37beda54f57b98b09da0.dll,#1   (depth 1)
  - Suspicious use of WriteProcessMemory
  PID: 2928
  C:\Windows\SysWOW64\rundll32.exe   rundll32.exe C:\Users\Admin\AppData\Local\Temp\599efaa8ae4f37beda54f57b98b09da0.dll,#1   (depth 2)
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2944
    (The 64-bit rundll32.exe re-launched itself from SysWOW64, which is what rundll32 does when the DLL it was asked to load is 32-bit; export ordinal #1 is the entry point invoked.)
    C:\Users\Admin\AppData\Local\Temp\Pdf4513   "Pdf4513"   (depth 3)
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 3036
      C:\Users\Admin\AppData\Local\Temp\Pdf4513   "C:\Users\Admin\AppData\Local\Temp\Pdf4513"   (depth 4)
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2764
        C:\Users\Admin\AppData\Local\Temp\kmdlopfoanwroxda.exe   "C:\Users\Admin\AppData\Local\Temp\kmdlopfoanwroxda.exe"   (depth 5)
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          PID: 2528
          C:\Users\Admin\AppData\Local\Temp\kmdlopfoanwroxda.exe   "C:\Users\Admin\AppData\Local\Temp\kmdlopfoanwroxda.exe"   (depth 6)
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            PID: 2852
-
C:\Windows\SysWOW64\svchost.exe   C:\Windows\system32\svchost.exe   (depth 1)
  - Modifies WinLogon for persistence
  - UAC bypass
  - Checks BIOS information in registry
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2392
-
C:\Windows\SysWOW64\svchost.exe   C:\Windows\system32\svchost.exe   (depth 1)
  - Suspicious use of AdjustPrivilegeToken
  PID: 2276
-
The two svchost.exe entries are 32-bit (SysWOW64) images started with a system32 command line and have no parent in the tree, yet the WriteProcessMemory table shows Pdf4513 (PID 2764) writing into both of them (10 writes each). All of the persistence and UAC changes in this run are then performed from PID 2392, so svchost.exe is the host for the injected payload and is where the registry and Startup-folder IoCs above should be attributed.
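The tree above, read together with the WriteProcessMemory and SetThreadContext tables, describes two self-hollowing stages and a final write into two svchost.exe processes. The following added Python example (not tria.ge code) transcribes those events and labels each writer/target pair; the three labels and the "parent plus SetThreadContext" heuristic are this example's own assumptions about what the events mean, not the sandbox's logic.

```python
"""Rebuild the injection chain from WriteProcessMemory / SetThreadContext events.

Added example for this report, not tria.ge code. The event tuples are
transcribed from the report's signature tables and Processes section; the
labels and the hollowing heuristic are this example's own assumptions.
"""
from typing import Dict, List, Tuple

# (writer pid, writer image, target pid, write count) for each 'wrote to memory of' row.
# Constructed from the report: 7 + 4 + 8 + 10 + 10 + 4 + 8 = 51 writes.
WRITES = [
    (2928, "rundll32.exe", 2944, 7),
    (2944, "rundll32.exe", 3036, 4),
    (3036, "Pdf4513", 2764, 8),
    (2764, "Pdf4513", 2276, 10),
    (2764, "Pdf4513", 2392, 10),
    (2764, "Pdf4513", 2528, 4),
    (2528, "kmdlopfoanwroxda.exe", 2852, 8),
]
# (writer pid, target pid) for each 'set thread context of' row.
THREAD_CONTEXT = [(3036, 2764), (2528, 2852)]
# pid -> (image, parent pid) from the Processes section; the svchost.exe
# instances sit at depth 1 with no parent recorded.
PROCESSES: Dict[int, Tuple[str, int]] = {
    2928: ("rundll32.exe", None),
    2944: ("rundll32.exe", 2928),
    3036: ("Pdf4513", 2944),
    2764: ("Pdf4513", 3036),
    2528: ("kmdlopfoanwroxda.exe", 2764),
    2852: ("kmdlopfoanwroxda.exe", 2528),
    2392: ("svchost.exe", None),
    2276: ("svchost.exe", None),
}


def classify_writes() -> Dict[Tuple[int, int], Tuple[str, str, str, int]]:
    """Label each (writer, target) pair.

    hollowing    writer is the target's parent AND reset its thread context
    injection    writer is not the target's parent (e.g. into an existing svchost.exe)
    parent-write parent wrote to child without SetThreadContext; ordinary process
                 creation also produces this, so it is not evidence on its own
    """
    ctx = set(THREAD_CONTEXT)
    out = {}
    for src, img, dst, n in WRITES:
        parent = PROCESSES.get(dst, (None, None))[1]
        if (src, dst) in ctx and parent == src:
            label = "hollowing"
        elif parent != src:
            label = "injection"
        else:
            label = "parent-write"
        out[(src, dst)] = (label, img, PROCESSES[dst][0], n)
    return out


def lineage(pid: int) -> str:
    """Walk the recorded parent chain up to the root, e.g. for a final-stage pid."""
    chain: List[str] = []
    while pid is not None:
        chain.append(f"{PROCESSES[pid][0]}({pid})")
        pid = PROCESSES[pid][1]
    return " <- ".join(chain)


def injection_targets() -> List[int]:
    """Pids written to by a non-parent: where the payload ends up running."""
    return sorted(dst for (src, dst), (label, *_) in classify_writes().items()
                  if label == "injection")


if __name__ == "__main__":
    for (src, dst), (label, simg, timg, n) in classify_writes().items():
        print(f"{label:13} {simg}({src}) -> {timg}({dst})  {n} writes")
    print("final stage lineage:", lineage(2852))
    print("injection targets:", injection_targets())
```

The point of separating "parent-write" from "hollowing" is that a parent writing into a freshly created child is what CreateProcess itself looks like in a sandbox trace (the 64-bit rundll32.exe launching its SysWOW64 copy produces seven such writes here); only the pairs that also reset the child's thread context, and the writes into processes the writer did not create, should raise an alert.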
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads
-
Filesize: 36KB
MD5: 58cd26d5cba48c86377d4f3dbcb0d437
SHA1: f9e276dff048acf593c072d9be9ade926c25bb6c
SHA256: d27a8de4bac6465d635ead175e99711216cf960483a7e3306931cb87d2f701d7
SHA512: df03cf84d177733f702040167a9d02b67586c7e6cd38593a71c19efe5282fa711a0cb9a726d4f4df77aec84bf049c7cb7a6828d4531aa9dcff4ca19e80559c01
-
Filesize: 100KB
MD5: c43c51d12dab7d81aa13e6a16af1e6d0
SHA1: 1fb4751c7831a1c8ceab47bfc869e95e1dd06af5
SHA256: 5a388b21e1ec19fd9a99f154cb863b6cc4c5bbefd75c7dd81bf781408e69e2f6
SHA512: 7bafb0bf2437232cecbef7c0e0c1cb459db5267a23cb1309dbd3689dce095f92b7875d6921fd123505e9008bb40713f9243525db0da3abc897ec9a010ee33a91
-
Filesize: 43KB
MD5: 983b39e0a5d4962365cd299c076bc33d
SHA1: 8e36878557c483c5ae6430ca591e5cc1dc0582f0
SHA256: 7ac87a80477f8fabfa1d48c394fa60996693ccd2354892bc67648a8aa748fe8b
SHA512: c4dec5d60c79ba59c17fa33c96f684bf8e46b207a8505b83d49650d7346ed990e009922aaf6e6e82616f91f436f24530aead04048d0409678bf34527cfb218bb
-
Filesize: 51KB
MD5: a7b3ab44d8d4b8a78ed32c0692d182ef
SHA1: 972a4ab4fe4994240aab8faa6476dec5f3d2f5a9
SHA256: 564a77c32fc55c3898716c6073ec79924aba3f49327f311e8835878cbecbf4b6
SHA512: a9665102a33bbfc36a96475c13ddf44b290f7a4e0d4331fed5919a9dbb28d5cd731725c3634a238a62edef1ec9b347103a9f764e3a0956eaee84a91c25ba8ab7