Overview

Analysis (this report: task behavioral9, restart.exe on Windows 7 x64)
  max time kernel:   120s
  max time network:  121s
  platform:          windows7_x64
  resource:          win7-20240903-en
  resource tags:     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:         13/09/2024, 08:01

Tasks (score as shown on each task tab)
  task           sample                         platform             resource                score
  static1        (static analysis)              -                    -                       7
  behavioral1    install_check/check_curl.exe   windows7-x64         win7-20240704-en        3
  behavioral2    install_check/check_curl.exe   windows10-2004-x64   win10v2004-20240802-en  3
  behavioral3    install_check/check_db.exe     windows7-x64         win7-20240708-en        7
  behavioral4    install_check/check_db.exe     windows10-2004-x64   win10v2004-20240802-en  3
  behavioral5    install_check/check_jdk.exe    windows7-x64         win7-20240704-en        3
  behavioral6    install_check/check_jdk.exe    windows10-2004-x64   win10v2004-20240802-en  3
  behavioral7    install_check/check_meta.exe   windows7-x64         win7-20240903-en        3
  behavioral8    install_check/check_meta.exe   windows10-2004-x64   win10v2004-20240802-en  3
  behavioral9    restart.exe                    windows7-x64         win7-20240903-en        3   (this report)
  behavioral10   restart.exe                    windows10-2004-x64   win10v2004-20240802-en  3
  behavioral11   startup.exe                    windows7-x64         win7-20240903-en        7
  behavioral12   startup.exe                    windows10-2004-x64   win10v2004-20240802-en  3
  behavioral13   stop.exe                       windows7-x64         win7-20240903-en        3
  behavioral14   stop.exe                       windows10-2004-x64   win10v2004-20240802-en  3
General
  Target:  restart.exe
  Size:    88KB
  MD5:     2139fd5b746fdb409b7b8df60bafdb11
  SHA1:    2cde2eac5ae0a5c2327f0c8090279df08b2d9920
  SHA256:  6d918e0ce3d6a2a10a607043e03e8d744b985e8e653072c83c004020c1281706
  SHA512:  6d22dbb5cbb4ba06c6d8855569b1668594d39d70e94e91f98a5266224d27f978eae4fb23c6d4647aaa1b1dbfad3e6b0970e2ad08aa607324ed998c35bb5b306b
  SSDEEP:  1536:rL7ftfkS5g9YOms+gZcQipICdXkNDqLLZX9lItVGL++eIOlnToIf5w1OG:rHFfHgTWmCRkGbKGLeNTBf5y

Malware Config
Signatures

Access Token Manipulation: Create Process with Token (1 TTP, 1 IoC)
  pid 2856  mshta.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 16 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by cmd.exe (4), PING.EXE (2), WMIC.exe (2), stop.exe (2), NETSTAT.EXE, taskkill.exe, restart.exe, mshta.exe, startup.exe, findstr.exe
  Note: this key is read during ordinary start-up of the built-in tools listed, so these hits do not by themselves show deliberate locale discovery.

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 3 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid 1724  PING.EXE
  pid 2868  PING.EXE
  pid 2760  PING.EXE
  Note: all three pings target 127.0.0.1 with -n 2, 4 and 5 (see the process tree), the usual batch-file way of sleeping a few seconds; no external host was tested.

System Network Connections Discovery (1 TTP, 2 IoCs)
  Attempt to get a listing of network connections.
  pid 2628  cmd.exe
  pid 2244  NETSTAT.EXE

Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  pid 2244  NETSTAT.EXE

Kills process with WMI (2 IoCs)
  pid 2140  WMIC.exe
  pid 1244  WMIC.exe

Kills process with taskkill (1 IoC)
  pid 2268  taskkill.exe

Modifies Internet Explorer settings (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main  by mshta.exe
  Note: mshta.exe hosts the Internet Explorer script engine and creates this key when it starts; it is a side effect of launching mshta, not a browser setting changed by the script.

Runs ping.exe (1 TTP, 3 IoCs)
  pid 2868  PING.EXE
  pid 2760  PING.EXE
  pid 1724  PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam (2 IoCs)
  pid 2888  stop.exe
  pid 2176  startup.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs; the list is cut off at the report's display cap)
  NETSTAT.EXE (pid 2244): SeDebugPrivilege
  WMIC.exe (pid 2140, two full rounds) and WMIC.exe (pid 1244, one full round plus the start of a second before the cut-off):
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and the privileges the report shows only by LUID: 33, 34, 35 (on Windows these are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege)
  Note: wmic.exe enables every privilege present in its token when it starts, whatever query it is given, and netstat.exe likewise enables SeDebugPrivilege on start-up. Enabling a privilege the token already holds is not escalation; these entries record tool start-up under the Admin account.

Suspicious use of WriteProcessMemory (64 IoCs; the list is cut off at the report's display cap)
  writer pid / image      target pid   events   target index
  2444  restart.exe       2748         4        31
  2748  cmd.exe           2888         4        32
  2748  cmd.exe           2868         3        33
  2888  stop.exe          2864         4        34
  2864  cmd.exe           2856         4        35
  2856  mshta.exe         2312         4        36
  2312  cmd.exe           2944         4        38
  2944  stop.exe          1904         4        39
  1904  cmd.exe           2760         4        40
  2748  cmd.exe           2176         4        41
  2176  startup.exe       804          4        42
  804   cmd.exe           1692         3        43
  1904  cmd.exe           2628         4        44
  2628  cmd.exe           2244         4        45
  2628  cmd.exe           2264         4        46
  1904  cmd.exe           2268         4        47
  1904  cmd.exe           2140         2        48   (cut off here; the tree also shows 1904 starting 1244 and 1724)
  Note: every target is the direct child the writer had just created, and the writes occur in the same small burst per child. That is a parent setting up a new process (its command line, environment and PEB), not injection into an unrelated process; the table reproduces the process tree below rather than adding to it.
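The "wrote to memory of" records are rendered flat, one event per call, which makes the question a practitioner actually has (did anything write into a process that is not its own child?) hard to answer by eye. The following Python is an added example and is not part of the Triage report or of the analysed sample: it parses an abridged copy of the records above (only the first edge keeps all four of its duplicate events; the others are listed once), collapses them into writer-to-target edges, and checks each edge against the parent-child pairs read from the Processes section. A target that is not the writer's own child would be the injection case; tree edges with no record at all show what the 64-IoC display cap dropped. The TREE_PARENT map, the function names and the placeholder root parent are assumptions made for the example.

```python
import re
from collections import Counter

# Abridged copy of the "Suspicious use of WriteProcessMemory" records from the report,
# in the flattened form the report renders them. Only the first edge keeps all four
# duplicate events; every other edge appears once.
IOC_TEXT = """
PID 2444 wrote to memory of 2748 2444 restart.exe 31 PID 2444 wrote to memory of 2748 2444 restart.exe 31
PID 2444 wrote to memory of 2748 2444 restart.exe 31 PID 2444 wrote to memory of 2748 2444 restart.exe 31
PID 2748 wrote to memory of 2888 2748 cmd.exe 32 PID 2748 wrote to memory of 2868 2748 cmd.exe 33
PID 2888 wrote to memory of 2864 2888 stop.exe 34 PID 2864 wrote to memory of 2856 2864 cmd.exe 35
PID 2856 wrote to memory of 2312 2856 mshta.exe 36 PID 2312 wrote to memory of 2944 2312 cmd.exe 38
PID 2944 wrote to memory of 1904 2944 stop.exe 39 PID 1904 wrote to memory of 2760 1904 cmd.exe 40
PID 2748 wrote to memory of 2176 2748 cmd.exe 41 PID 2176 wrote to memory of 804 2176 startup.exe 42
PID 804 wrote to memory of 1692 804 cmd.exe 43 PID 1904 wrote to memory of 2628 1904 cmd.exe 44
PID 2628 wrote to memory of 2244 2628 cmd.exe 45 PID 2628 wrote to memory of 2264 2628 cmd.exe 46
PID 1904 wrote to memory of 2268 1904 cmd.exe 47 PID 1904 wrote to memory of 2140 1904 cmd.exe 48
"""

# child pid -> parent pid, read from the Processes section of the report (assumption:
# that section is complete; it lists two children of 1904 the IoC table does not).
TREE_PARENT = {
    2748: 2444, 2888: 2748, 2868: 2748, 2176: 2748,
    2864: 2888, 2856: 2864, 2312: 2856, 2944: 2312, 1904: 2944,
    2760: 1904, 2628: 1904, 2268: 1904, 2140: 1904, 1244: 1904, 1724: 1904,
    2244: 2628, 2264: 2628, 804: 2176, 1692: 804,
}

# One record: "PID <writer> wrote to memory of <target> <writer> <image> <target index>"
RECORD = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")


def parse_writes(text):
    """Collapse the flattened records into Counter{(writer, target): events}
    plus {writer pid: image name}."""
    counts, names = Counter(), {}
    for writer, target, image in RECORD.findall(text):
        w, t = int(writer), int(target)
        counts[(w, t)] += 1
        names[w] = image
    return counts, names


def classify_writes(counts, tree_parent):
    """Split edges into creation writes (the target is the writer's direct child,
    i.e. the normal CreateProcess set-up of a new process) and cross-process writes
    (anything else: the case that would actually suggest injection)."""
    creation = {edge for edge in counts if tree_parent.get(edge[1]) == edge[0]}
    return creation, set(counts) - creation


def missing_edges(counts, tree_parent):
    """Parent->child pairs in the tree with no write record: what the report's
    64-IoC display cap cut off."""
    return sorted((p, c) for c, p in tree_parent.items() if (p, c) not in counts)


def render(counts, names, root):
    """Indented tree rebuilt from the write edges alone, in first-seen order."""
    children = {}
    for w, t in counts:
        children.setdefault(w, []).append(t)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {names.get(pid, '(leaf)')}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    counts, names = parse_writes(IOC_TEXT)
    creation, cross = classify_writes(counts, TREE_PARENT)
    print("\n".join(render(counts, names, 2444)))
    print(f"{sum(counts.values())} events, {len(counts)} edges, "
          f"{len(creation)} creation writes, {len(cross)} cross-process writes")
    print("tree edges absent from the IoC table:", missing_edges(counts, TREE_PARENT))
```

For this report the cross-process set comes back empty and the only tree edges without a record are 1904 to 1244 and 1904 to 1724, the two children started after the display cap was reached. The same check run on a report where a writer's target is a pre-existing, unrelated process (explorer.exe, svchost.exe) is what should raise the injection alarm.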
Processes

restart.exe (pid 2444)
  image:    C:\Users\Admin\AppData\Local\Temp\restart.exe
  cmdline:  "C:\Users\Admin\AppData\Local\Temp\restart.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  cmd.exe (pid 2748)
    image:    C:\Windows\system32\cmd.exe
    cmdline:  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F779.tmp\F77A.tmp\F77B.bat C:\Users\Admin\AppData\Local\Temp\restart.exe"
    - Suspicious use of WriteProcessMemory

    stop.exe (pid 2888)
      image:    C:\Users\Admin\AppData\Local\Temp\stop.exe
      cmdline:  stop.exe
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious use of WriteProcessMemory

      cmd.exe (pid 2864)
        image:    C:\Windows\SysWOW64\cmd.exe
        cmdline:  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F7A8.tmp\F7A9.tmp\F7AA.bat C:\Users\Admin\AppData\Local\Temp\stop.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        mshta.exe (pid 2856)
          image:    C:\Windows\SysWOW64\mshta.exe
          cmdline:  mshta vbscript:CreateObject("Shell.Application").ShellExecute("cmd.exe","/c C:\Users\Admin\AppData\Local\Temp\stop.exe ::","","runas",0)(window.close)
          - Access Token Manipulation: Create Process with Token
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
          - Suspicious use of WriteProcessMemory

          cmd.exe (pid 2312)
            image:    C:\Windows\SysWOW64\cmd.exe
            cmdline:  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\stop.exe ::
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            stop.exe (pid 2944)
              image:    C:\Users\Admin\AppData\Local\Temp\stop.exe
              cmdline:  C:\Users\Admin\AppData\Local\Temp\stop.exe ::
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

              cmd.exe (pid 1904)
                image:    C:\Windows\SysWOW64\cmd.exe
                cmdline:  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F863.tmp\F873.tmp\F874.bat C:\Users\Admin\AppData\Local\Temp\stop.exe ::"
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory

                PING.EXE (pid 2760)
                  image:    C:\Windows\SysWOW64\PING.EXE
                  cmdline:  ping -n 5 127.0.0.1
                  - System Location Discovery: System Language Discovery
                  - System Network Configuration Discovery: Internet Connection Discovery
                  - Runs ping.exe

                cmd.exe (pid 2628)
                  image:    C:\Windows\SysWOW64\cmd.exe
                  cmdline:  C:\Windows\system32\cmd.exe /c netstat -ano | findstr 38808
                  - System Location Discovery: System Language Discovery
                  - System Network Connections Discovery
                  - Suspicious use of WriteProcessMemory

                  NETSTAT.EXE (pid 2244)
                    image:    C:\Windows\SysWOW64\NETSTAT.EXE
                    cmdline:  netstat -ano
                    - System Location Discovery: System Language Discovery
                    - System Network Connections Discovery
                    - Gathers network information
                    - Suspicious use of AdjustPrivilegeToken

                  findstr.exe (pid 2264)
                    image:    C:\Windows\SysWOW64\findstr.exe
                    cmdline:  findstr 38808
                    - System Location Discovery: System Language Discovery

                taskkill.exe (pid 2268)
                  image:    C:\Windows\SysWOW64\taskkill.exe
                  cmdline:  taskkill /f /pid
                  - System Location Discovery: System Language Discovery
                  - Kills process with taskkill

                WMIC.exe (pid 2140)
                  image:    C:\Windows\SysWOW64\Wbem\WMIC.exe
                  cmdline:  wmic process where ParentProcessId= call terminate
                  - System Location Discovery: System Language Discovery
                  - Kills process with WMI
                  - Suspicious use of AdjustPrivilegeToken

                WMIC.exe (pid 1244)
                  image:    C:\Windows\SysWOW64\Wbem\WMIC.exe
                  cmdline:  wmic process where "CommandLine Like '%-Dframework=DCP -Dservice=LocalAutoExecutor%'" call terminate
                  - System Location Discovery: System Language Discovery
                  - Kills process with WMI
                  - Suspicious use of AdjustPrivilegeToken

                PING.EXE (pid 1724)
                  image:    C:\Windows\SysWOW64\PING.EXE
                  cmdline:  ping -n 2 127.0.0.1
                  - System Location Discovery: System Language Discovery
                  - System Network Configuration Discovery: Internet Connection Discovery
                  - Runs ping.exe

    PING.EXE (pid 2868)
      image:    C:\Windows\system32\PING.EXE
      cmdline:  ping -n 4 127.0.0.1
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe

    startup.exe (pid 2176)
      image:    C:\Users\Admin\AppData\Local\Temp\startup.exe
      cmdline:  startup.exe
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious use of WriteProcessMemory

      cmd.exe (pid 804)
        image:    C:\Windows\system32\cmd.exe
        cmdline:  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\36A.tmp\36B.tmp\36C.bat C:\Users\Admin\AppData\Local\Temp\startup.exe"
        - Suspicious use of WriteProcessMemory

        javaw.exe (pid 1692)
          image:    C:\Windows\system32\javaw.exe
          cmdline:  javaw -Djava.net.preferIPv4Stack=false -Xms128m -Xmx512m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=./ -cp "../app/lib/*;../app/lib/undertow/*" -noverify -Dframework=DCP -Dservice=LocalAutoExecutor -Dspring.jmx.enabled=false -XX:TieredStopAtLevel=1 -Drpc.introspection.checking=true -Dco.paralleluniverse.fibers.verifyInstrumentation=true -Dspring.config.location=application.yaml -Dspring.main.web-environment=true -Dserver.service=service.yaml com.huawei.dcp.springframework.springboot.Main

Reading the tree. Each of restart.exe, stop.exe and startup.exe unpacks a batch file into a fresh %TEMP%\<x>.tmp\<y>.tmp\ directory and runs it with cmd /c, passing its own path as the script's first argument; the three .bat files themselves are not shown in this extract. restart.exe's script runs stop.exe, waits with ping -n 4 127.0.0.1 (the batch delay idiom), then runs startup.exe. stop.exe's script relaunches itself elevated through mshta: an inline vbscript: URL calls Shell.Application.ShellExecute("cmd.exe", "/c ...\stop.exe ::", "", "runas", 0), which raises the UAC prompt, and the extra "::" argument is a marker the relaunched copy (pid 2944) carries so the script can tell the elevated run from the first one. The elevated copy looks for a listener on port 38808 with netstat -ano | findstr 38808, then issues taskkill /f /pid and wmic process where ParentProcessId= ... call terminate with the result. Both command lines in the report end with an empty argument, consistent with the findstr having matched nothing in the sandbox, so neither kill had a target. A second WMIC call terminates any process whose command line contains -Dframework=DCP -Dservice=LocalAutoExecutor, which is the javaw service that startup.exe launches (pid 1692). The restart and startup wrappers invoke C:\Windows\sysnative\cmd, the alias that gives a 32-bit process the native 64-bit cmd.exe (it only resolves from under WOW64, so these wrappers are 32-bit), while stop.exe's script asks for C:\Windows\system32\cmd and is redirected to SysWOW64\cmd.exe. Nothing in the tree persists, touches the network beyond loopback, or runs outside %TEMP% and the built-in tools; the behaviour is that of stop/start scripts for a local Java service, with UAC elevation via mshta and forced process termination as the points worth noting.
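The elevation hop through mshta and the forced kills are the parts of the tree above that deserve a detection rule, together with the cmd /c on a batch file unpacked two .tmp directories deep under %TEMP%. The following Python is an added example, not part of the Triage report or of the analysed sample: three rules run over process-creation events constructed from the tree (pid, parent pid, image path, command line). A real deployment would feed Sysmon Event ID 1 or Security 4688 records into the same functions; the Event layout, the rule names and the placeholder parent pid 0 for the root are assumptions made for the example.

```python
import ntpath
import re
from typing import NamedTuple


class Event(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str


# Process-creation events constructed from the process tree in the report (the root's
# parent pid 0 is a placeholder; the report does not show restart.exe's parent).
EVENTS = [Event(*e) for e in [
    (2444, 0, r"C:\Users\Admin\AppData\Local\Temp\restart.exe", r'"C:\Users\Admin\AppData\Local\Temp\restart.exe"'),
    (2748, 2444, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F779.tmp\F77A.tmp\F77B.bat C:\Users\Admin\AppData\Local\Temp\restart.exe"'),
    (2888, 2748, r"C:\Users\Admin\AppData\Local\Temp\stop.exe", r"stop.exe"),
    (2864, 2888, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F7A8.tmp\F7A9.tmp\F7AA.bat C:\Users\Admin\AppData\Local\Temp\stop.exe"'),
    (2856, 2864, r"C:\Windows\SysWOW64\mshta.exe", r'mshta vbscript:CreateObject("Shell.Application").ShellExecute("cmd.exe","/c C:\Users\Admin\AppData\Local\Temp\stop.exe ::","","runas",0)(window.close)'),
    (2312, 2856, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\stop.exe ::'),
    (2944, 2312, r"C:\Users\Admin\AppData\Local\Temp\stop.exe", r"C:\Users\Admin\AppData\Local\Temp\stop.exe ::"),
    (1904, 2944, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F863.tmp\F873.tmp\F874.bat C:\Users\Admin\AppData\Local\Temp\stop.exe ::"'),
    (2760, 1904, r"C:\Windows\SysWOW64\PING.EXE", r"ping -n 5 127.0.0.1"),
    (2628, 1904, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c netstat -ano | findstr 38808"),
    (2244, 2628, r"C:\Windows\SysWOW64\NETSTAT.EXE", r"netstat -ano"),
    (2264, 2628, r"C:\Windows\SysWOW64\findstr.exe", r"findstr 38808"),
    (2268, 1904, r"C:\Windows\SysWOW64\taskkill.exe", r"taskkill /f /pid"),
    (2140, 1904, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", r"wmic process where ParentProcessId= call terminate"),
    (1244, 1904, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", r"""wmic process where "CommandLine Like '%-Dframework=DCP -Dservice=LocalAutoExecutor%'" call terminate"""),
    (1724, 1904, r"C:\Windows\SysWOW64\PING.EXE", r"ping -n 2 127.0.0.1"),
    (2868, 2748, r"C:\Windows\system32\PING.EXE", r"ping -n 4 127.0.0.1"),
    (2176, 2748, r"C:\Users\Admin\AppData\Local\Temp\startup.exe", r"startup.exe"),
    (804, 2176, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\36A.tmp\36B.tmp\36C.bat C:\Users\Admin\AppData\Local\Temp\startup.exe"'),
    (1692, 804, r"C:\Windows\system32\javaw.exe", r'javaw -Djava.net.preferIPv4Stack=false -Xms128m -Xmx512m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=./ -cp "../app/lib/*;../app/lib/undertow/*" -noverify -Dframework=DCP -Dservice=LocalAutoExecutor -Dspring.jmx.enabled=false -XX:TieredStopAtLevel=1 -Drpc.introspection.checking=true -Dco.paralleluniverse.fibers.verifyInstrumentation=true -Dspring.config.location=application.yaml -Dspring.main.web-environment=true -Dserver.service=service.yaml com.huawei.dcp.springframework.springboot.Main'),
]]


def image_name(ev):
    return ntpath.basename(ev.image).lower()


def is_mshta_inline_runas(ev):
    # mshta given an inline vbscript: URL that calls Shell.Application.ShellExecute with
    # the "runas" verb: a script asking UAC to elevate (pid 2856 in the tree).
    c = ev.cmdline
    return (image_name(ev) == "mshta.exe"
            and re.search(r"\bvbscript:", c, re.I) is not None
            and re.search(r"ShellExecute\s*\(", c, re.I) is not None
            and re.search(r'"runas"', c, re.I) is not None)


def is_temp_batch_wrapper(ev):
    # cmd.exe /c on a .bat two .tmp directories deep under %TEMP%: the unpack-and-run
    # layout all three wrapper exes in the report use.
    return (image_name(ev) == "cmd.exe"
            and re.search(r"(?:^|\s)/c\s", ev.cmdline, re.I) is not None
            and re.search(r'\\AppData\\Local\\Temp\\[^\\\s"]+\.tmp\\[^\\\s"]+\.tmp\\[^\\\s"]+\.bat\b',
                          ev.cmdline, re.I) is not None)


def is_process_kill(ev):
    # Forced termination via taskkill /f or WMI "process ... call terminate".
    name, c = image_name(ev), ev.cmdline
    if name == "taskkill.exe":
        return re.search(r"(?:^|\s)/f\b", c, re.I) is not None
    if name == "wmic.exe":
        return re.search(r"\bprocess\b.*\bcall\s+terminate\b", c, re.I) is not None
    return False


RULES = {
    "mshta_inline_runas": is_mshta_inline_runas,
    "temp_batch_wrapper": is_temp_batch_wrapper,
    "process_kill": is_process_kill,
}


def scan(events):
    """{rule name: sorted pids of the events that match it}"""
    return {name: sorted(e.pid for e in events if rule(e)) for name, rule in RULES.items()}


def ancestry(events, pid):
    """Image names from the root of the tree down to pid, for the alert's context line."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(image_name(by_pid[pid]))
        pid = by_pid[pid].ppid
    return chain[::-1]


def elevated_branches(events):
    """Pids of cmd.exe children of a flagged mshta: everything below them ran after the
    UAC prompt, which is where the kill commands in this report sit."""
    prompts = {e.pid for e in events if is_mshta_inline_runas(e)}
    return sorted(e.pid for e in events if e.ppid in prompts and image_name(e) == "cmd.exe")


if __name__ == "__main__":
    for rule, pids in scan(EVENTS).items():
        for pid in pids:
            print(f"{rule:20} pid {pid:5}  {' > '.join(ancestry(EVENTS, pid))}")
    print("elevated branches:", elevated_branches(EVENTS))
```

On these events the first rule fires once (pid 2856), the wrapper rule fires on all four cmd.exe launches that run an unpacked .bat, and the kill rule on taskkill 2268 and both WMIC calls; the ancestry line shows each kill sitting under the mshta hop, which is the combination worth alerting on. Legitimate admin scripts use the mshta "runas" trick too, so in production pair the first rule with the process's origin (here, a user-writable %TEMP% path) rather than alerting on it alone.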
Network

MITRE ATT&CK Enterprise v15
  Defense Evasion
    Access Token Manipulation (1): Create Process with Token (1)
    Modify Registry (1)
Downloads

  File 1
    Filesize:  1KB
    MD5:       6fff0f25b1f097e77fa3cc3baef782be
    SHA1:      a5b3f62a5e31bae2649efb882a81cfd1a0f786a3
    SHA256:    365dcf49f7f01f038f371fe69342965d9a9ae288017b8eea3cd8b9cb90f4d3de
    SHA512:    121b1d335f3826f9f128fbf952837a49b3103183a391ac9c8479e5e02a7fa315b608f97e7594414f4364dc228dbc4004a2de4711f94bb2749f7c5f38b28d1eea

  File 2
    Filesize:  162B
    MD5:       71be6427d99fb57b746a713186983866
    SHA1:      41b9e0b40ad51d7d0f950fc2259136b6cfdc3b25
    SHA256:    f30c36097af8deb6f47fb2fc5f81e001129dc10ee536b34292231f66b480b8c0
    SHA512:    8e7f5e2609d18daf223d25c26ebfc9e4836772a2d619a5fce05d4c582c2b3519043c93e51d3446902d7e6140ea1ce55c31815daa05775423b640fbf208223689

  File 3
    Filesize:  878B
    MD5:       4c3d8e6836df5b79c9801e66b9c4544f
    SHA1:      8f4db94463b6ca0694ef20539be2110bae41155d
    SHA256:    490ed3f789efb0ec7b5486de682055c2fbd490f92f927757775f498f14f1d90f
    SHA512:    03c2bb1555a9cf330e2831fe39c4187309f0a3d775360bbf5f301d2a88c5323abf1d6a0cd48d1e4ba13178c1ab241a76b81495cea4b63ee468760a6b9a1092fe