Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 141s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 28/01/2024, 19:31
Behavioral task behavioral1
- Sample: 7dd10a82fde458e728f26a9fe79725ce.exe
- Resource: win7-20231215-en
Behavioral task behavioral2
- Sample: 7dd10a82fde458e728f26a9fe79725ce.exe
- Resource: win10v2004-20231222-en
General
- Target: 7dd10a82fde458e728f26a9fe79725ce.exe
- Size: 72KB
- MD5: 7dd10a82fde458e728f26a9fe79725ce
- SHA1: b6fd8872965d6e6560d00289b297aa5bbd7a573f
- SHA256: 23640d6ac3871292bdb343f7b736ef4ed6be9faa04913f752a60ac2912415a65
- SHA512: e1859b09b2630da8499b1a8926c61732f274fd251e6f3e1e8fa60318e9994b2bfcfd12ad38aea26580491bda07453b3e25e3e852d5b9478d4cb26802b8820018
- SSDEEP: 1536:ioWuMqnCTygRvyulru2m3QJNrKkp8I33MSX+mSg35dgM+VdZDJs:FWuvayctu2mgTRHovN6
Malware Config
Signatures
- Deletes itself (1 IoC)
    pid 2744  process cmd.exe
- Executes dropped EXE (1 IoC)
    pid 2104  process winhlp31.exe
- UPX packed file (5 IoCs; yara_rule upx)
    behavioral1/memory/2212-0-0x0000000000400000-0x000000000042E000-memory.dmp
    behavioral1/files/0x000a000000012243-2.dat
    behavioral1/memory/2104-3-0x0000000000400000-0x000000000042E000-memory.dmp
    behavioral1/memory/2212-12-0x0000000000400000-0x000000000042E000-memory.dmp
    behavioral1/memory/2104-2238-0x0000000000400000-0x000000000042E000-memory.dmp
- Drops file in System32 directory (2 IoCs)
    File created: C:\Windows\SysWOW64\Deleteme.bat  (7dd10a82fde458e728f26a9fe79725ce.exe)
    File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  (svchost.exe)
- Drops file in Windows directory (2 IoCs)
    File created: C:\Windows\winhlp31.exe  (7dd10a82fde458e728f26a9fe79725ce.exe)
    File opened for modification: C:\Windows\winhlp31.exe  (7dd10a82fde458e728f26a9fe79725ce.exe)
- Modifies data under HKEY_USERS (28 IoCs, all by svchost.exe)
    All keys below are under \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (the report shows both "Software" and "SOFTWARE"; registry paths are case-insensitive). WpadDecisionTime values are little-endian FILETIMEs; DefaultConnectionSettings/SavedLegacySettings are WinINet connection-settings blobs.
    Set value (data)  Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created       (Internet Settings)
    Set value (data)  Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (data)  Wpad\{0E62FCC6-4712-4973-8C0D-828E322217B6}\WpadDecisionTime = f083d5d52052da01
    Key created       Wpad
    Key created       Wpad\{0E62FCC6-4712-4973-8C0D-828E322217B6}
    Set value (data)  Wpad\{0E62FCC6-4712-4973-8C0D-828E322217B6}\WpadDecisionTime = f09231a72052da01
    Set value (int)   Wpad\{0E62FCC6-4712-4973-8C0D-828E322217B6}\WpadDecision = "0"
    Key created       Wpad\d6-f2-9c-95-15-85
    Set value (data)  Wpad\d6-f2-9c-95-15-85\WpadDecisionTime = f09231a72052da01
    Set value (int)   ZoneMap\UNCAsIntranet = "0"
    Set value (int)   ZoneMap\AutoDetect = "1"
    Set value (str)   5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Set value (int)   ProxyEnable = "0"
    Set value (int)   Wpad\d6-f2-9c-95-15-85\WpadDecisionReason = "1"
    Set value (int)   Wpad\d6-f2-9c-95-15-85\WpadDecision = "0"
    Set value (str)   5.0\Cache\Content\CachePrefix  (empty value)
    Key created       (Internet Settings)
    Set value (int)   Wpad\{0E62FCC6-4712-4973-8C0D-828E322217B6}\WpadDecisionReason = "1"
    Set value (data)  Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created       Connections
    Set value (data)  Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created       Wpad\{0E62FCC6-4712-4973-8C0D-828E322217B6}\d6-f2-9c-95-15-85
    Key created       ZoneMap\
    Set value (str)   Wpad\{0E62FCC6-4712-4973-8C0D-828E322217B6}\WpadNetworkName = "Network 3"
    Set value (str)   5.0\Cache\History\CachePrefix = "Visited:"
    Set value (str)   Wpad\d6-f2-9c-95-15-85\WpadDetectedUrl  (empty value)
    Set value (data)  Wpad\d6-f2-9c-95-15-85\WpadDecisionTime = f083d5d52052da01
- Suspicious use of WriteProcessMemory (64 IoCs)
    PID 2212 (7dd10a82fde458e728f26a9fe79725ce.exe) wrote to memory of PID 2744, procid_target 29: 4 entries
    PID 2104 (winhlp31.exe) wrote to memory of PID 2804, procid_target 30: 60 entries
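The WpadDecisionTime values and the DefaultConnectionSettings blobs in the HKEY_USERS signature above are printed as raw REG_BINARY hex. The decoder below is an added example, not part of the tria.ge report or its signature engine. It treats WpadDecisionTime as a little-endian FILETIME and parses DefaultConnectionSettings with the commonly documented WinINet per-connection layout (DWORD version 0x46, DWORD change counter, DWORD INTERNET_PER_CONN_FLAGS bits, three length-prefixed strings for proxy server, bypass list and PAC URL, then per-interface data that this example leaves undecoded); that layout and the flag names are assumptions of the example, not statements of the report. The hex strings are transcribed from the IoC list, with the long runs of zero bytes in the two larger blobs abbreviated rather than reproduced exactly.

```python
"""Decode the REG_BINARY Internet Settings values listed in the report above.

Added example, not tria.ge code. The DefaultConnectionSettings layout used here
(version, counter, flags, three length-prefixed strings, opaque tail) is the
commonly documented WinINet format and is an assumption of this example.
"""
import struct
from datetime import datetime, timedelta, timezone

# INTERNET_PER_CONN_FLAGS bits stored in the third DWORD of the blob (assumed layout).
PROXY_FLAGS = {
    0x1: "DIRECT",          # PROXY_TYPE_DIRECT
    0x2: "PROXY",           # PROXY_TYPE_PROXY: manual proxy server
    0x4: "AUTO_PROXY_URL",  # PROXY_TYPE_AUTO_PROXY_URL: PAC script
    0x8: "AUTO_DETECT",     # PROXY_TYPE_AUTO_DETECT: WPAD
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Values transcribed from the "Modifies data under HKEY_USERS" IoCs (zero runs abbreviated).
WPAD_DECISION_TIMES = ["f083d5d52052da01", "f09231a72052da01"]
DEFAULT_CONNECTION_SETTINGS = [
    # counter 2: the minimal 56-byte blob
    "46000000 02000000 09000000 00000000 00000000 00000000" + " 00000000" * 8,
    # counter 4 and counter 3: longer blobs carrying per-interface data after the strings
    "46000000 04000000 09000000 00000000 00000000 00000000 04000000"
    + " 00000000" * 7 + " 01000000 02000000 0a7f0030" + " 00000000" * 4,
    "46000000 03000000 09000000 00000000 00000000 00000000 04000000"
    + " 00000000" * 7 + " 01000000 02000000 0a7f0030" + " 00000000" * 4,
]


def filetime_to_datetime(hex_le: str) -> datetime:
    """Little-endian FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    (ticks,) = struct.unpack("<Q", bytes.fromhex(hex_le))
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def _read_lp_string(buf: bytes, off: int):
    """DWORD length followed by that many ANSI bytes; returns (string, next offset)."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    return buf[off:off + n].decode("latin-1"), off + n


def parse_default_connection_settings(hex_blob: str) -> dict:
    buf = bytes.fromhex(hex_blob)  # bytes.fromhex skips the whitespace
    version, counter, flags = struct.unpack_from("<III", buf, 0)
    if version != 0x46:
        raise ValueError(f"unexpected DefaultConnectionSettings version 0x{version:x}")
    off = 12
    proxy, off = _read_lp_string(buf, off)
    bypass, off = _read_lp_string(buf, off)
    pac_url, off = _read_lp_string(buf, off)
    return {
        "version": version,
        "counter": counter,  # incremented each time the value is rewritten
        "flags": [name for bit, name in PROXY_FLAGS.items() if flags & bit],
        "unknown_flag_bits": flags & ~0xF,
        "proxy": proxy,
        "bypass": bypass,
        "pac_url": pac_url,
        "tail_len": len(buf) - off,  # per-interface data, not decoded here
    }


def decode_report_values() -> dict:
    """Decode every transcribed value; the report lists them in no particular order."""
    stamps = sorted(filetime_to_datetime(h) for h in WPAD_DECISION_TIMES)
    blobs = sorted((parse_default_connection_settings(b) for b in DEFAULT_CONNECTION_SETTINGS),
                   key=lambda r: r["counter"])
    return {
        "wpad_decision_times": stamps,
        "wpad_window_seconds": (stamps[-1] - stamps[0]).total_seconds(),
        "connection_settings": blobs,
    }


if __name__ == "__main__":
    decoded = decode_report_values()
    for stamp in decoded["wpad_decision_times"]:
        print("WpadDecisionTime:", stamp.isoformat())
    for r in decoded["connection_settings"]:
        print(f"DefaultConnectionSettings #{r['counter']}: flags={r['flags']} "
              f"proxy={r['proxy']!r} pac={r['pac_url']!r} tail={r['tail_len']} bytes")
```

Two things fall out of the decode. The two WpadDecisionTime stamps land on 2024-01-28 at 19:31:55 and 19:33:14 UTC, about 78 seconds apart, which places the WPAD probing inside this analysis run (submitted 19:31) rather than in some earlier image state. The three DefaultConnectionSettings blobs carry counters 2, 3 and 4 with the same flags (DIRECT and AUTO_DETECT, no proxy, no PAC URL), i.e. the value was rewritten three times without ever pointing at a proxy, which matches the ProxyEnable = "0" and AutoDetect = "1" values in the same listing.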
Processes
- C:\Users\Admin\AppData\Local\Temp\7dd10a82fde458e728f26a9fe79725ce.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7dd10a82fde458e728f26a9fe79725ce.exe"
  PID: 2212
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Windows\system32\Deleteme.bat
    PID: 2744
    - Deletes itself
- C:\Windows\winhlp31.exe
  Command line: C:\Windows\winhlp31.exe
  PID: 2104
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\system32\svchost.exe
    PID: 2804
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS

Note on the paths: the sample is 32-bit (resource tag arch:x86) running on a 64-bit image, so WoW64 file-system redirection applies. The batch file recorded as created at C:\Windows\SysWOW64\Deleteme.bat is the same file that cmd.exe runs as C:\Windows\system32\Deleteme.bat, and both cmd.exe and svchost.exe resolve to their 32-bit SysWOW64 copies even though the command lines name system32. The svchost.exe at PID 2804 is a child of the dropped winhlp31.exe, not of services.exe; it is the target of the 60 WriteProcessMemory calls in the signatures above, and the HKEY_USERS registry changes and the counters.dat modification are attributed to it rather than to the sample itself.
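The process tree above is what a host-based rule would key on: a sample drops a .bat and has cmd.exe run it to remove itself, drops an executable under C:\Windows and runs it, and that executable spawns a svchost.exe whose parent is not services.exe. The following detection logic is an added example and is not tria.ge's own signature code. The events are constructed to mirror the report's tree (PIDs, image paths and command lines are taken from the report; timestamps, the event schema and the parent PIDs of the two top-level processes are invented, and one benign cmd.exe event is added as a control); a Sysmon-style process-creation and file-creation feed is the assumed source. The path normalisation undoes the WoW64 SysWOW64/system32 split that the tree shows.

```python
"""Detection rules for the behaviours in the process tree above.

Added example, not tria.ge code. Events are constructed to mirror the report;
timestamps, the event schema and unknown parent PIDs (0) are invented.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Event:
    ts: float
    kind: str          # "process" (process creation) or "file" (file creation)
    pid: int           # created process for "process", acting process for "file"
    image: str         # image path of that process
    ppid: int = 0      # parent PID for "process" events (0 = not known)
    cmdline: str = ""
    target: str = ""   # created file path for "file" events


def normalize(path: str) -> str:
    """Case-fold and undo WoW64 file-system redirection.

    A 32-bit process that writes C:\\Windows\\system32\\X actually lands in
    C:\\Windows\\SysWOW64\\X; the report records both spellings for the same
    file, so both must compare equal.
    """
    p = path.strip('"').lower()
    return p.replace("\\windows\\syswow64\\", "\\windows\\system32\\")


def detect_self_delete(events: List[Event]) -> list:
    """A process creates a .bat and its child cmd.exe runs it ("Deletes itself").

    The report does not show the batch file's contents, so this keys on the
    drop-then-run pattern; a stricter rule would also require the .bat to
    delete the parent's image.
    """
    bat_creator = {}  # normalized .bat path -> creating PID
    hits = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "file" and e.target.lower().endswith(".bat"):
            bat_creator[normalize(e.target)] = e.pid
        elif e.kind == "process" and normalize(e.image).endswith("\\cmd.exe"):
            m = re.search(r"/c\s+(\S+\.bat)", e.cmdline, re.IGNORECASE)
            if m and bat_creator.get(normalize(m.group(1))) == e.ppid:
                hits.append({"rule": "Deletes itself", "pid": e.pid,
                             "parent": e.ppid, "bat": m.group(1)})
    return hits


def detect_dropped_exe(events: List[Event]) -> list:
    """An .exe written by one process is later started ("Executes dropped EXE")."""
    dropped = {}  # normalized .exe path -> dropping PID
    hits = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "file" and e.target.lower().endswith(".exe"):
            dropped[normalize(e.target)] = e.pid
        elif e.kind == "process" and normalize(e.image) in dropped:
            hits.append({"rule": "Executes dropped EXE", "pid": e.pid,
                         "image": e.image, "dropped_by": dropped[normalize(e.image)]})
    return hits


def detect_orphan_svchost(events: List[Event]) -> list:
    """svchost.exe whose parent is not services.exe (here: a child of winhlp31.exe)."""
    image_by_pid = {e.pid: e.image for e in events if e.kind == "process"}
    hits = []
    for e in events:
        if e.kind == "process" and normalize(e.image).endswith("\\svchost.exe"):
            parent = normalize(image_by_pid.get(e.ppid, ""))
            if not parent.endswith("\\services.exe"):
                hits.append({"rule": "svchost.exe with unexpected parent", "pid": e.pid,
                             "parent": e.ppid,
                             "parent_image": image_by_pid.get(e.ppid, "<unknown>")})
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7dd10a82fde458e728f26a9fe79725ce.exe"
EVENTS = [  # constructed from the report's tree; ppid 0 = parent not shown in the report
    Event(1.0, "process", 2212, SAMPLE, cmdline=f'"{SAMPLE}"'),
    Event(1.1, "file", 2212, SAMPLE, target=r"C:\Windows\winhlp31.exe"),
    Event(1.2, "file", 2212, SAMPLE, target=r"C:\Windows\SysWOW64\Deleteme.bat"),
    Event(1.3, "process", 2744, r"C:\Windows\SysWOW64\cmd.exe", ppid=2212,
          cmdline=r"cmd /c C:\Windows\system32\Deleteme.bat"),
    Event(2.0, "process", 2104, r"C:\Windows\winhlp31.exe", cmdline=r"C:\Windows\winhlp31.exe"),
    Event(2.1, "process", 2804, r"C:\Windows\SysWOW64\svchost.exe", ppid=2104,
          cmdline=r"C:\Windows\system32\svchost.exe"),
    # benign control (invented): cmd.exe running a script its parent did not create
    Event(3.0, "process", 3001, r"C:\Windows\System32\cmd.exe", ppid=2999,
          cmdline=r"cmd /c C:\Scripts\backup.bat"),
]


def run_all(events: List[Event] = EVENTS) -> list:
    return detect_self_delete(events) + detect_dropped_exe(events) + detect_orphan_svchost(events)


if __name__ == "__main__":
    for hit in run_all():
        print(hit)
```

Against the constructed feed the three rules fire exactly once each (cmd.exe 2744 under 2212, winhlp31.exe 2104 dropped by 2212, svchost.exe 2804 under 2104) and the control cmd.exe stays silent. Without the SysWOW64-to-system32 normalisation the self-delete rule would miss, because the creation event and the command line spell the batch path differently.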
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 184B
  MD5: ee991e33374a1b1b534742dff163481c
  SHA1: 9b1b7d383d0cdf9b80bf6858492c74d573ea2534
  SHA256: 83f917f74821d43fb49ae08b3290d305f5b137f00621775794604b27c466fc2a
  SHA512: 29d1463433e3c1583ddf5d52114160069a01df341e265d17f1d1259b3900c6842bb85d7dad9006669ba2fee7dd24d69a0323d107861c94892bab962ff11d2228
- Filesize: 72KB (hashes identical to the submitted sample)
  MD5: 7dd10a82fde458e728f26a9fe79725ce
  SHA1: b6fd8872965d6e6560d00289b297aa5bbd7a573f
  SHA256: 23640d6ac3871292bdb343f7b736ef4ed6be9faa04913f752a60ac2912415a65
  SHA512: e1859b09b2630da8499b1a8926c61732f274fd251e6f3e1e8fa60318e9994b2bfcfd12ad38aea26580491bda07453b3e25e3e852d5b9478d4cb26802b8820018