Analysis
- max time kernel: 150s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 06/07/2024, 12:56 (6 July 2024; the analysis image itself is dated 2024-07-05)
Static task
- static1
Behavioral tasks (sample, resource)
- behavioral1: 07ff5290bca33bcd25f479f468f9a0c0371b3aac25dc5bb846b55ba60ca658ed.exe on win7-20240705-en
- behavioral2: 07ff5290bca33bcd25f479f468f9a0c0371b3aac25dc5bb846b55ba60ca658ed.exe on win10v2004-20240704-en
- behavioral3: $PLUGINSDIR/System.dll on win7-20240704-en
- behavioral4: $PLUGINSDIR/System.dll on win10v2004-20240704-en
- behavioral5: sirrah.dll on win7-20240221-en
- behavioral6: sirrah.dll on win10v2004-20240704-en
General
- Target: 07ff5290bca33bcd25f479f468f9a0c0371b3aac25dc5bb846b55ba60ca658ed.exe
- Size: 1.4MB
- MD5: 429ebf3b919d8959e39f5c90b22e81dd
- SHA1: 52ca91f7e8c0ffac9ceaefef894e19b09aed662e
- SHA256: 07ff5290bca33bcd25f479f468f9a0c0371b3aac25dc5bb846b55ba60ca658ed
- SHA512: b462472208a2254e3724620a08438d9f251d70bb8edec6ff9906335eef12c16b29abc7d02535b373841aa141fae64e9aed0fe0750aff3570a6d77d087b73ad4f
- SSDEEP: 24576:nQoFpItRUEuaEvDLGh4lz8NxHfh5Mxfc8CiF4H//0lF1b+/723dSCax/vY:9boOEdEv2hTHfh5Mxfc8Ocl3+723sH/w
Malware Config
Signatures
In the rows below, "sample" stands for 07ff5290bca33bcd25f479f468f9a0c0371b3aac25dc5bb846b55ba60ca658ed.exe, and "procid_target" is the sandbox's own index for the target process. Signatures that the report listed as one row per API call are collapsed to distinct rows with the row count in parentheses; the totals in each heading are the report's own.
- Deletes itself (1 IoC)
  pid 780 cmd.exe
- Executes dropped EXE (2 IoCs)
  pid 2512 emivl.exe; pid 2956 emivl.exe
- Loads dropped DLL (5 IoCs)
  pid 2708 sample (2); pid 2724 sample (1); pid 2512 emivl.exe (2)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\{A56B3307-697B-AFDF-F4EF-9F10D4ECB455} = "C:\\Users\\Admin\\AppData\\Roaming\\Myadgi\\emivl.exe", by emivl.exe
- Suspicious use of SetThreadContext (3 IoCs)
  PID 2708 (sample) set thread context of 2724, procid_target 30
  PID 2724 (sample) set thread context of 2404, procid_target 32
  PID 2512 (emivl.exe) set thread context of 2956, procid_target 35
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- NSIS installer (2 IoCs)
  behavioral1/files/0x0008000000016861-68.dat matches YARA rules nsis_installer_1 and nsis_installer_2
- Modifies Internet Explorer settings (the heading is missing from the report's listing; the name is the one the process tree below attaches to PID 2864)
  Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Privacy, by explorer.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0", by explorer.exe
- NTFS ADS (1 IoC)
  File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\4B693B36-00000001.eml:OECustomProperty, by WinMail.exe
- Suspicious behavior: EnumeratesProcesses (34 IoCs)
  pid 2724 sample (3); pid 2956 emivl.exe (27); pid 2864 explorer.exe (2); pid 2404 explorer.exe (2)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Token SeDebugPrivilege: pid 2724 sample (3); pid 2956 emivl.exe (3)
  Token SeSecurityPrivilege: pid 2724 sample (1)
  Token SeManageVolumePrivilege: pid 1996 WinMail.exe (1)
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 1996 WinMail.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  pid 1996 WinMail.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1996 WinMail.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  PID 2708 (sample) wrote to memory of 2724, procid_target 30 (9)
  PID 2724 (sample) wrote to memory of 2864, procid_target 31 (4)
  PID 2724 (sample) wrote to memory of 2404, procid_target 32 (19)
  PID 2724 (sample) wrote to memory of 2512, procid_target 34 (4)
  PID 2512 (emivl.exe) wrote to memory of 2956, procid_target 35 (9)
  PID 2724 (sample) wrote to memory of 780, procid_target 36 (4)
  PID 2956 (emivl.exe) wrote to memory of 1128, procid_target 19 (5)
  PID 2956 (emivl.exe) wrote to memory of 1200, procid_target 20 (5)
  PID 2956 (emivl.exe) wrote to memory of 1240, procid_target 21 (5)
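The signature rows above are one line per API call, which hides the shape of what happened. The Python below is an added example written for this page; it is not tria.ge code and not part of the report. It parses rows copied from the report (the WriteProcessMemory rows are a representative subset of the 64, since most are repeats of the same source/target pair), collapses repeated edges, follows the SetThreadContext edges into the two hollowing chains, separates writes into processes that were already running before the sample started (taskhost.exe, Dwm.exe, Explorer.EXE, taken from the process tree) from writes into the sample's own children, and pulls the persistence path out of the Run-key row. The SYSTEM_PIDS mapping and the function names are this example's own.

```python
"""Rebuild the injection graph of a tria.ge report from its raw signature rows.

Added example for this page, not tria.ge's code. Row strings are copied from
the report above; the WriteProcessMemory rows are a constructed subset that
keeps one or two copies of every distinct source/target pair.
"""
from __future__ import annotations

import re
from collections import Counter

LONG_NAME = "07ff5290bca33bcd25f479f468f9a0c0371b3aac25dc5bb846b55ba60ca658ed.exe"

SET_THREAD_CONTEXT_ROWS = f"""
PID 2708 set thread context of 2724 2708 {LONG_NAME} 30
PID 2724 set thread context of 2404 2724 {LONG_NAME} 32
PID 2512 set thread context of 2956 2512 emivl.exe 35
"""

WRITE_PROCESS_MEMORY_ROWS = f"""
PID 2708 wrote to memory of 2724 2708 {LONG_NAME} 30
PID 2708 wrote to memory of 2724 2708 {LONG_NAME} 30
PID 2724 wrote to memory of 2864 2724 {LONG_NAME} 31
PID 2724 wrote to memory of 2404 2724 {LONG_NAME} 32
PID 2724 wrote to memory of 2512 2724 {LONG_NAME} 34
PID 2512 wrote to memory of 2956 2512 emivl.exe 35
PID 2724 wrote to memory of 780 2724 {LONG_NAME} 36
PID 2956 wrote to memory of 1128 2956 emivl.exe 19
PID 2956 wrote to memory of 1128 2956 emivl.exe 19
PID 2956 wrote to memory of 1200 2956 emivl.exe 20
PID 2956 wrote to memory of 1240 2956 emivl.exe 21
"""

RUN_KEY_ROW = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\{A56B3307-697B-AFDF-F4EF-9F10D4ECB455}'
    r' = "C:\\Users\\Admin\\AppData\\Roaming\\Myadgi\\emivl.exe" emivl.exe'
)

# Level-1 processes in the tree that the sample did not spawn (assumption
# read off the process tree: anything the sample writes into here is a
# pre-existing system process, not one of its own hollowed children).
SYSTEM_PIDS = {1128: "taskhost.exe", 1200: "Dwm.exe", 1240: "Explorer.EXE"}

# "PID <src> <verb> <dst> <src again> <src image> <procid_target>"
EDGE_RE = re.compile(
    r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \1 (\S+) \d+"
)
RUN_RE = re.compile(r'\\Run\\(\{[0-9A-F-]+\}) = "(.*)" (\S+)$')


def parse_edges(rows: str) -> Counter:
    """Count (src_pid, dst_pid, src_image) per row, collapsing repeated rows."""
    edges: Counter = Counter()
    for line in rows.strip().splitlines():
        m = EDGE_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        edges[(int(m.group(1)), int(m.group(3)), m.group(4))] += 1
    return edges


def injection_chains(ctx_edges: Counter) -> list[list[int]]:
    """Follow SetThreadContext edges from roots (pids nobody set context on).

    A parent setting the thread context of a child running the same image
    is the classic self-hollowing pattern: a suspended copy of itself hosts
    the next stage, and that stage repeats the trick on explorer.exe.
    """
    succ = {src: dst for src, dst, _img in ctx_edges}
    targets = set(succ.values())
    chains = []
    for root in sorted(p for p in succ if p not in targets):
        chain, cur = [root], root
        while cur in succ:
            cur = succ[cur]
            chain.append(cur)
        chains.append(chain)
    return chains


def writes_into_system_processes(wpm_edges: Counter) -> list[tuple[int, str, int, str]]:
    """Cross-process writes whose target predates the sample."""
    return sorted(
        (src, img, dst, SYSTEM_PIDS[dst])
        for (src, dst, img) in wpm_edges
        if dst in SYSTEM_PIDS
    )


def parse_run_key(row: str) -> tuple[str, str, str]:
    """Return (value name, unescaped path, writing process) from a Run-key row."""
    m = RUN_RE.search(row)
    if not m:
        raise ValueError("not a Run-key row")
    # The report doubles backslashes inside the quoted value; undo that.
    return m.group(1), m.group(2).replace("\\\\", "\\"), m.group(3)


def summarize() -> dict:
    ctx = parse_edges(SET_THREAD_CONTEXT_ROWS)
    wpm = parse_edges(WRITE_PROCESS_MEMORY_ROWS)
    name, path, writer = parse_run_key(RUN_KEY_ROW)
    return {
        "hollowing_chains": injection_chains(ctx),
        "system_process_writes": writes_into_system_processes(wpm),
        "persistence": {"value": name, "path": path, "set_by": writer},
        "distinct_wpm_edges": len(wpm),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the two chains (2708 → 2724 → 2404 and 2512 → 2956), the three writes from PID 2956 into taskhost.exe, Dwm.exe and Explorer.EXE, and the GUID-named Run value pointing at emivl.exe under AppData\Roaming. The same parser works on the full 64-row listing; the Counter values then reproduce the per-edge counts shown in the collapsed signature table.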
Processes (indentation shows parent/child; each entry gives image path, command line, PID, then the signatures attached to it)
- C:\Windows\system32\taskhost.exe, command line "taskhost.exe" (PID 1128)
- C:\Windows\system32\Dwm.exe, command line "C:\Windows\system32\Dwm.exe" (PID 1200)
- C:\Windows\Explorer.EXE, command line C:\Windows\Explorer.EXE (PID 1240)
  - C:\Users\Admin\AppData\Local\Temp\07ff5290bca33bcd25f479f468f9a0c0371b3aac25dc5bb846b55ba60ca658ed.exe, command line "C:\Users\Admin\AppData\Local\Temp\07ff5290bca33bcd25f479f468f9a0c0371b3aac25dc5bb846b55ba60ca658ed.exe" (PID 2708)
    Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\07ff5290bca33bcd25f479f468f9a0c0371b3aac25dc5bb846b55ba60ca658ed.exe, command line "C:\Users\Admin\AppData\Local\Temp\07ff5290bca33bcd25f479f468f9a0c0371b3aac25dc5bb846b55ba60ca658ed.exe" (PID 2724)
      Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOw64\explorer.exe, command line "C:\Windows\SysWOw64\explorer.exe" (PID 2864)
        Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOw64\explorer.exe, command line "C:\Windows\SysWOw64\explorer.exe" socksParentProxy=localhost:9050 (PID 2404)
        Suspicious behavior: EnumeratesProcesses
      - C:\Users\Admin\AppData\Roaming\Myadgi\emivl.exe, command line "C:\Users\Admin\AppData\Roaming\Myadgi\emivl.exe" (PID 2512)
        Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\Myadgi\emivl.exe, command line "C:\Users\Admin\AppData\Roaming\Myadgi\emivl.exe" (PID 2956)
          Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe, command line "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp44a98729.bat" (PID 780)
        Deletes itself
- C:\Windows\system32\DllHost.exe, command line C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} (PID 1356)
- C:\Windows\system32\conhost.exe, command line \??\C:\Windows\system32\conhost.exe "1909519774601444051173675697418820437421375885991938777697-1543569480-1355252728" (PID 3028)
- C:\Program Files\Windows Mail\WinMail.exe, command line "C:\Program Files\Windows Mail\WinMail.exe" -Embedding (PID 1996)
  NTFS ADS; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\DllHost.exe, command line C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} (PID 1384)
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped files; the report gives hashes only, no file names)
- Filesize: 2.0MB
  MD5: 6d6adc905d2c4552f1bdda5857645383
  SHA1: cb393b68604e5ed0cc883e78964e99c03b7735bf
  SHA256: ab3a38a3e29a0891a799b6a9aecc783d44f6e7266f1f28694088d012a7e76140
  SHA512: 864bcf58861bfd983a8861e07c1a279565abd01fdb26941580fcd89ee786f8bf22269a90389e49a8151b613a45e4b61681e57df320014889f97693da66d69b05
- Filesize: 545B
  MD5: 8a84c0e0a0d48a0761d5e3f1e568db44
  SHA1: ebbfd2090b2af166c7c34d1c7e97f5594edc9e18
  SHA256: 47411046514b59e2cb4c111b733ca423adc4e8792c909c282acc6dab970804db
  SHA512: 3c371869b3a0a5358a0eee9cf3549fa077fbde30bfbe5bc59b4c0da4be2e5729df9d75b5ce732725f836ecfe9d87e3c5c71b974b882366f9257ce3cef30df78f
- Filesize: 307B
  MD5: 63b790a21bf1478ad428c98a492b93cc
  SHA1: 55b7a2cf798a6278d0be6ae02ae58fd202b3c34b
  SHA256: a2b1562d3e40049f050b0147749568ae81e7d22600b9f55ce0f363ed3c63d854
  SHA512: 1132b071f611bbe845fa76ee53e111c36cd64f560fd0a597e6c587bf093f29c84f1f3f5c068251ec9b632ad33f0ff207767eb6b1a3a9f0a09881eff39c64fd57
- Filesize: 11KB
  MD5: 883eff06ac96966270731e4e22817e11
  SHA1: 523c87c98236cbc04430e87ec19b977595092ac8
  SHA256: 44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82
  SHA512: 60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390
- Filesize: 52KB
  MD5: e07ca0e84fc1eeedeccc2dec1e123128
  SHA1: 36731fd829ced121434e80ae92f62c169d949db3
  SHA256: 659d9bf3fbe53372fa97394cc67eb6904c9339a44d0c56a53d5ca1c4dda0c842
  SHA512: bdf232c7b5784c38d7a0feeb103459cf6534eb6ce63e158efeb269452785219c3051f736ffa53ed20306f1cfa1ac3af6b4a09c8392f3126517d0c0f291772f10
- Filesize: 1.4MB
  MD5: 079762d55f97e53792f94c2fc494a0c7
  SHA1: 64a684177aef43b96737d5a76451af7efcd697ea
  SHA256: a8791bd15c323e11678f4462ba0a414668baf9f8a4305603b4627a533daea036
  SHA512: d0615b04d2f850e9606a543c568df6db9facb1fed83be6d060636c5641fc32b06668a2a8f788ab9ea5dfe7fae549a7344db696632392c987faefbc14d2120c5e