Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 20/07/2024, 11:38
Static task: static1
Behavioral task: behavioral1
  Sample: c9e6f90c75bd7ad50d2a8ffd3c60a0a7f0d9005b4daeb1c1fb8991f4dac614b7.dll
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: c9e6f90c75bd7ad50d2a8ffd3c60a0a7f0d9005b4daeb1c1fb8991f4dac614b7.dll
  Resource: win10v2004-20240709-en
General
Target: c9e6f90c75bd7ad50d2a8ffd3c60a0a7f0d9005b4daeb1c1fb8991f4dac614b7.dll
Size: 5.0MB
MD5: e2f6cd5e295645e69b6f1e5e0fc56964
SHA1: 2ca110489fd022d3312df57ee8560eb1330d2f9c
SHA256: c9e6f90c75bd7ad50d2a8ffd3c60a0a7f0d9005b4daeb1c1fb8991f4dac614b7
SHA512: 3b71f2b8e9b1a8ad60e13955abd8bfd0ca7e1cb6a41adf859fc68d65cc0c3e39c88dfb101302c6980e0fa381c0aff45a7a234884c66d6ee82687a48083cda166
SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdh:+DqPoBhz1aRxcSUDk36SAEdh
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3308) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid   Process
  2288  mssecsvc.exe
  2868  mssecsvc.exe
  2860  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  description                   ioc                                                                                                              Process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  description   ioc                      Process
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
- Modifies data under HKEY_USERS (24 IoCs)
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   Process       procid_target
  PID 2480 wrote to memory of 3044  2480  rundll32.exe  30
  PID 2480 wrote to memory of 3044  2480  rundll32.exe  30
  PID 2480 wrote to memory of 3044  2480  rundll32.exe  30
  PID 2480 wrote to memory of 3044  2480  rundll32.exe  30
  PID 2480 wrote to memory of 3044  2480  rundll32.exe  30
  PID 2480 wrote to memory of 3044  2480  rundll32.exe  30
  PID 2480 wrote to memory of 3044  2480  rundll32.exe  30
  PID 3044 wrote to memory of 2288  3044  rundll32.exe  31
  PID 3044 wrote to memory of 2288  3044  rundll32.exe  31
  PID 3044 wrote to memory of 2288  3044  rundll32.exe  31
  PID 3044 wrote to memory of 2288  3044  rundll32.exe  31
Processes
- C:\Windows\system32\rundll32.exe (PID 2480)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9e6f90c75bd7ad50d2a8ffd3c60a0a7f0d9005b4daeb1c1fb8991f4dac614b7.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3044)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9e6f90c75bd7ad50d2a8ffd3c60a0a7f0d9005b4daeb1c1fb8991f4dac614b7.dll,#1
    signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2288)
      command line: C:\WINDOWS\mssecsvc.exe
      signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2860)
        command line: C:\WINDOWS\tasksche.exe /i
        signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2868)
  command line: C:\WINDOWS\mssecsvc.exe -m security
  signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 0cd8635d3cf091c6778373e4883a7acf
  SHA1: dbc02a965e5ceb512d1ca5240cb974756b55dd0f
  SHA256: 92ae1eb9c83b64d781a69edee4a270a2ab7c7ad642282aa13ed4466ca9c2278a
  SHA512: 5bf40b5f632517a58e9529556cfc035290f2b1b6eeb0901584307388612cfcad708d1b61b972f31dca09f30818820bdc0746a6c44c510aba0feb71251833e0db
- Filesize: 3.4MB
  MD5: 0c50237e95985d1b5fc293ffbfdb1e31
  SHA1: c4c5c1007dfd61382e1030b3c5dc8623440ff8f3
  SHA256: 47870a5ebf14d5ba8bd9a0b189e8245963c04cb0dc7e4b2cb294075434af6af4
  SHA512: 16bf5cb4f04feb328a1d5ae3e87648d7301ec5edecfe7512b054e1ebd237883c93f8952b10aacdf09c8881bf45898617895cb0abad11796a45b0ffea257119d4