Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 123s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 10/05/2024, 13:37
Static task: static1
Behavioral task: behavioral1
  Sample: 6ca39838e51cf76a703c851970780fad9dbc940079bbf902a18f20329447f23f.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 6ca39838e51cf76a703c851970780fad9dbc940079bbf902a18f20329447f23f.dll
  Resource: win10v2004-20240426-en
General
Target: 6ca39838e51cf76a703c851970780fad9dbc940079bbf902a18f20329447f23f.dll
Size: 1.0MB
MD5: 73ed3c0f370c86c091aa0db781287c77
SHA1: ebee720921ef5cb33e25c3321b0ff16aea32cd92
SHA256: 6ca39838e51cf76a703c851970780fad9dbc940079bbf902a18f20329447f23f
SHA512: 7a3957287ee80db1ab103671dd7ed2bf23aebf30df07d68921e5af062d6e18e66a32aa681c1da3cfd373d48e430d9d8e6221f31ece4e785677f0dc8e5116acff
SSDEEP: 24576:EKFZnpqCuPZCKj3/w6BFb41oLF1LCrf2DitbRoXyaH:5rnQCKgKjBB941oLCrf2it6Xyc
Malware Config
Signatures
YARA matches (9 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2712-37-0x0000000010000000-0x00000000102D9000-memory.dmp   vmprotect
  behavioral1/memory/2712-45-0x0000000010000000-0x00000000102D9000-memory.dmp   vmprotect
  behavioral1/memory/2712-49-0x0000000010000000-0x00000000102D9000-memory.dmp   vmprotect
  behavioral1/memory/2712-50-0x0000000010000000-0x00000000102D9000-memory.dmp   vmprotect
  behavioral1/memory/2712-51-0x0000000010000000-0x00000000102D9000-memory.dmp   vmprotect
  behavioral1/memory/2712-53-0x0000000010000000-0x00000000102D9000-memory.dmp   vmprotect
  behavioral1/memory/2712-54-0x0000000010000000-0x00000000102D9000-memory.dmp   vmprotect
  behavioral1/memory/2712-60-0x0000000010000000-0x00000000102D9000-memory.dmp   vmprotect
  behavioral1/memory/2712-61-0x0000000010000000-0x00000000102D9000-memory.dmp   vmprotect

Suspicious use of SetThreadContext (1 IoC)
  description                            pid   Process       procid_target
  PID 1192 set thread context of 2712    1192  Explorer.EXE  29

Drops file in Windows directory (2 IoCs)
  description                    ioc                                                 Process
  File opened for modification   C:\Windows\mac.txt                                  xwizard.exe
  File opened for modification   C:\Windows\appcompat\programs\RecentFileCache.bcf   svchost.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  2208  rundll32.exe
  2208  rundll32.exe
  2208  rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  1192  Explorer.EXE

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                           pid   Process
  Token: SeDebugPrivilege               2208  rundll32.exe
  Token: SeDebugPrivilege               1192  Explorer.EXE
  Token: SeDebugPrivilege               2712  xwizard.exe
  Token: SeAssignPrimaryTokenPrivilege  864   svchost.exe
  Token: SeIncreaseQuotaPrivilege       864   svchost.exe
  Token: SeSecurityPrivilege            864   svchost.exe
  Token: SeTakeOwnershipPrivilege       864   svchost.exe
  Token: SeLoadDriverPrivilege          864   svchost.exe
  Token: SeRestorePrivilege             864   svchost.exe
  Token: SeSystemEnvironmentPrivilege   864   svchost.exe
  Token: SeAssignPrimaryTokenPrivilege  864   svchost.exe
  Token: SeIncreaseQuotaPrivilege       864   svchost.exe
  Token: SeSecurityPrivilege            864   svchost.exe
  Token: SeTakeOwnershipPrivilege       864   svchost.exe
  Token: SeLoadDriverPrivilege          864   svchost.exe
  Token: SeSystemtimePrivilege          864   svchost.exe
  Token: SeBackupPrivilege              864   svchost.exe
  Token: SeRestorePrivilege             864   svchost.exe
  Token: SeShutdownPrivilege            864   svchost.exe
  Token: SeSystemEnvironmentPrivilege   864   svchost.exe
  Token: SeUndockPrivilege              864   svchost.exe
  Token: SeManageVolumePrivilege        864   svchost.exe
  Token: SeAssignPrimaryTokenPrivilege  864   svchost.exe
  Token: SeIncreaseQuotaPrivilege       864   svchost.exe
  Token: SeSecurityPrivilege            864   svchost.exe
  Token: SeTakeOwnershipPrivilege       864   svchost.exe
  Token: SeLoadDriverPrivilege          864   svchost.exe
  Token: SeRestorePrivilege             864   svchost.exe
  Token: SeSystemEnvironmentPrivilege   864   svchost.exe
  Token: SeAssignPrimaryTokenPrivilege  864   svchost.exe
  Token: SeIncreaseQuotaPrivilege       864   svchost.exe
  Token: SeSecurityPrivilege            864   svchost.exe
  Token: SeTakeOwnershipPrivilege       864   svchost.exe
  Token: SeLoadDriverPrivilege          864   svchost.exe
  Token: SeRestorePrivilege             864   svchost.exe
  Token: SeSystemEnvironmentPrivilege   864   svchost.exe
  Token: SeAuditPrivilege               864   svchost.exe
  Token: SeAssignPrimaryTokenPrivilege  864   svchost.exe
  Token: SeIncreaseQuotaPrivilege       864   svchost.exe
  Token: SeSecurityPrivilege            864   svchost.exe
  Token: SeTakeOwnershipPrivilege       864   svchost.exe
  Token: SeLoadDriverPrivilege          864   svchost.exe
  Token: SeSystemtimePrivilege          864   svchost.exe
  Token: SeBackupPrivilege              864   svchost.exe
  Token: SeRestorePrivilege             864   svchost.exe
  Token: SeShutdownPrivilege            864   svchost.exe
  Token: SeSystemEnvironmentPrivilege   864   svchost.exe
  Token: SeUndockPrivilege              864   svchost.exe
  Token: SeManageVolumePrivilege        864   svchost.exe
  Token: SeAssignPrimaryTokenPrivilege  864   svchost.exe
  Token: SeIncreaseQuotaPrivilege       864   svchost.exe
  Token: SeSecurityPrivilege            864   svchost.exe
  Token: SeTakeOwnershipPrivilege       864   svchost.exe
  Token: SeLoadDriverPrivilege          864   svchost.exe
  Token: SeSystemtimePrivilege          864   svchost.exe
  Token: SeBackupPrivilege              864   svchost.exe
  Token: SeRestorePrivilege             864   svchost.exe
  Token: SeShutdownPrivilege            864   svchost.exe
  Token: SeSystemEnvironmentPrivilege   864   svchost.exe
  Token: SeUndockPrivilege              864   svchost.exe
  Token: SeManageVolumePrivilege        864   svchost.exe
  Token: SeAssignPrimaryTokenPrivilege  864   svchost.exe
  Token: SeIncreaseQuotaPrivilege       864   svchost.exe
  Token: SeSecurityPrivilege            864   svchost.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  1192  Explorer.EXE
  1192  Explorer.EXE

Suspicious use of SendNotifyMessage (28 IoCs)
  pid   Process
  1192  Explorer.EXE
  1192  Explorer.EXE
  1192  Explorer.EXE
  1192  Explorer.EXE
  1192  Explorer.EXE
  1192  Explorer.EXE
  1192  Explorer.EXE
  1192  Explorer.EXE
  1192  Explorer.EXE
  1192  Explorer.EXE
  1192  Explorer.EXE
  1192  Explorer.EXE
  1192  Explorer.EXE
  1192  Explorer.EXE
  1192  Explorer.EXE
  1192  Explorer.EXE
  1192  Explorer.EXE
  1192  Explorer.EXE
  1192  Explorer.EXE
  1192  Explorer.EXE
  1192  Explorer.EXE
  1192  Explorer.EXE
  1192  Explorer.EXE
  1192  Explorer.EXE
  1192  Explorer.EXE
  1192  Explorer.EXE
  1192  Explorer.EXE
  1192  Explorer.EXE

Suspicious use of WriteProcessMemory (30 IoCs)
  description                          pid   Process       procid_target
  PID 2072 wrote to memory of 2208     2072  rundll32.exe  28
  PID 2072 wrote to memory of 2208     2072  rundll32.exe  28
  PID 2072 wrote to memory of 2208     2072  rundll32.exe  28
  PID 2072 wrote to memory of 2208     2072  rundll32.exe  28
  PID 2072 wrote to memory of 2208     2072  rundll32.exe  28
  PID 2072 wrote to memory of 2208     2072  rundll32.exe  28
  PID 2072 wrote to memory of 2208     2072  rundll32.exe  28
  PID 2208 wrote to memory of 864      2208  rundll32.exe  13
  PID 2208 wrote to memory of 864      2208  rundll32.exe  13
  PID 2208 wrote to memory of 864      2208  rundll32.exe  13
  PID 2208 wrote to memory of 864      2208  rundll32.exe  13
  PID 2208 wrote to memory of 864      2208  rundll32.exe  13
  PID 2208 wrote to memory of 864      2208  rundll32.exe  13
  PID 2208 wrote to memory of 864      2208  rundll32.exe  13
  PID 2208 wrote to memory of 864      2208  rundll32.exe  13
  PID 2208 wrote to memory of 1192     2208  rundll32.exe  21
  PID 2208 wrote to memory of 1192     2208  rundll32.exe  21
  PID 2208 wrote to memory of 1192     2208  rundll32.exe  21
  PID 2208 wrote to memory of 1192     2208  rundll32.exe  21
  PID 1192 wrote to memory of 2712     1192  Explorer.EXE  29
  PID 1192 wrote to memory of 2712     1192  Explorer.EXE  29
  PID 1192 wrote to memory of 2712     1192  Explorer.EXE  29
  PID 1192 wrote to memory of 2712     1192  Explorer.EXE  29
  PID 1192 wrote to memory of 2712     1192  Explorer.EXE  29
  PID 1192 wrote to memory of 2712     1192  Explorer.EXE  29
  PID 1192 wrote to memory of 2712     1192  Explorer.EXE  29
  PID 1192 wrote to memory of 2712     1192  Explorer.EXE  29
  PID 864 wrote to memory of 2520      864   svchost.exe   30
  PID 864 wrote to memory of 2520      864   svchost.exe   30
  PID 864 wrote to memory of 2520      864   svchost.exe   30
Processes

C:\Windows\system32\svchost.exe (PID 864)
  command line: C:\Windows\system32\svchost.exe -k netsvcs
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\wbem\WMIADAP.EXE (PID 2520)
    command line: wmiadap.exe /F /T /R

C:\Windows\Explorer.EXE (PID 1192)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\rundll32.exe (PID 2072)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ca39838e51cf76a703c851970780fad9dbc940079bbf902a18f20329447f23f.dll,#1
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe (PID 2208)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ca39838e51cf76a703c851970780fad9dbc940079bbf902a18f20329447f23f.dll,#1
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\xwizard.exe (PID 2712)
    command line: C:\Windows\SysWOW64\xwizard.exe
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken