Analysis
- max time kernel: 120s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 15/09/2024, 01:55
Static task: static1
Behavioral task: behavioral1
  Sample: Mw3Chair.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: Mw3Chair.exe
  Resource: win10v2004-20240802-en
General
- Target: Mw3Chair.exe
- Size: 93.8MB
- MD5: 2dfdda495ef398f421af9821ec5bd6fb
- SHA1: 7bc7a0716e47064842c2616a2fe1a5a6c4ebaf24
- SHA256: f77744f36fab5f4abb3ae0cf2bfade543ec90472bcdef6508bddf38493fa6873
- SHA512: 1c2af9e84ef2cbe0949e02e3e62cb0a178c53e05260ba0887888e7ff78adcc13d60f0ac4b444a1d3733ef462249b96be17c04d211c08e5dcbd6d42fd5673e508
- SSDEEP: 1572864:509tMO8gn6D68Uzusf2nhqQVGNgV2UIsVHBfgxXW5snXOyi4oLmm0GTjuME7:pTgOizfeR6gV2Vy4xXW5sXOPAxMjuMW
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid   Process
  2700  rr.exe
  2732  CORTEX.exe
  2880  rr.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  2700  rr.exe
  2700  rr.exe
  2172  Mw3Chair.exe
  2700  rr.exe
  2700  rr.exe
  2880  rr.exe
- Launches sc.exe (4 IoCs)
  sc.exe is a Windows utility to control services on the system.
  pid   Process
  2360  sc.exe
  2028  sc.exe
  2344  sc.exe
  2844  sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rr.exe
- Kills process with taskkill (16 IoCs)
  pid   Process
  2764  taskkill.exe
  2804  taskkill.exe
  108   taskkill.exe
  2404  taskkill.exe
  2640  taskkill.exe
  2888  taskkill.exe
  2728  taskkill.exe
  1624  taskkill.exe
  2772  taskkill.exe
  484   taskkill.exe
  2496  taskkill.exe
  2168  taskkill.exe
  1764  taskkill.exe
  764   taskkill.exe
  1692  taskkill.exe
  2900  taskkill.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2732  CORTEX.exe
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  description                  pid   Process
  Token: SeSecurityPrivilege   2700  rr.exe
  Token: SeDebugPrivilege      1692  taskkill.exe
  Token: SeDebugPrivilege      2404  taskkill.exe
  Token: SeDebugPrivilege      764   taskkill.exe
  Token: SeDebugPrivilege      2640  taskkill.exe
  Token: SeDebugPrivilege      2888  taskkill.exe
  Token: SeDebugPrivilege      2764  taskkill.exe
  Token: SeDebugPrivilege      2900  taskkill.exe
  Token: SeDebugPrivilege      484   taskkill.exe
  Token: SeDebugPrivilege      2496  taskkill.exe
  Token: SeDebugPrivilege      2168  taskkill.exe
  Token: SeDebugPrivilege      1764  taskkill.exe
  Token: SeDebugPrivilege      1624  taskkill.exe
  Token: SeDebugPrivilege      108   taskkill.exe
  Token: SeDebugPrivilege      2804  taskkill.exe
  Token: SeDebugPrivilege      2728  taskkill.exe
  Token: SeDebugPrivilege      2772  taskkill.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description                        pid   Process       procid_target
  PID 2172 wrote to memory of 2700   2172  Mw3Chair.exe  31
  PID 2172 wrote to memory of 2700   2172  Mw3Chair.exe  31
  PID 2172 wrote to memory of 2700   2172  Mw3Chair.exe  31
  PID 2172 wrote to memory of 2700   2172  Mw3Chair.exe  31
  PID 2172 wrote to memory of 2732   2172  Mw3Chair.exe  32
  PID 2172 wrote to memory of 2732   2172  Mw3Chair.exe  32
  PID 2172 wrote to memory of 2732   2172  Mw3Chair.exe  32
  PID 2732 wrote to memory of 2584   2732  CORTEX.exe    34
  PID 2732 wrote to memory of 2584   2732  CORTEX.exe    34
  PID 2732 wrote to memory of 2584   2732  CORTEX.exe    34
  PID 2732 wrote to memory of 2620   2732  CORTEX.exe    35
  PID 2732 wrote to memory of 2620   2732  CORTEX.exe    35
  PID 2732 wrote to memory of 2620   2732  CORTEX.exe    35
  PID 2732 wrote to memory of 2644   2732  CORTEX.exe    36
  PID 2732 wrote to memory of 2644   2732  CORTEX.exe    36
  PID 2732 wrote to memory of 2644   2732  CORTEX.exe    36
  PID 2732 wrote to memory of 2692   2732  CORTEX.exe    37
  PID 2732 wrote to memory of 2692   2732  CORTEX.exe    37
  PID 2732 wrote to memory of 2692   2732  CORTEX.exe    37
  PID 2732 wrote to memory of 1196   2732  CORTEX.exe    38
  PID 2732 wrote to memory of 1196   2732  CORTEX.exe    38
  PID 2732 wrote to memory of 1196   2732  CORTEX.exe    38
  PID 2732 wrote to memory of 2132   2732  CORTEX.exe    39
  PID 2732 wrote to memory of 2132   2732  CORTEX.exe    39
  PID 2732 wrote to memory of 2132   2732  CORTEX.exe    39
  PID 2732 wrote to memory of 1776   2732  CORTEX.exe    40
  PID 2732 wrote to memory of 1776   2732  CORTEX.exe    40
  PID 2732 wrote to memory of 1776   2732  CORTEX.exe    40
  PID 2732 wrote to memory of 2616   2732  CORTEX.exe    41
  PID 2732 wrote to memory of 2616   2732  CORTEX.exe    41
  PID 2732 wrote to memory of 2616   2732  CORTEX.exe    41
  PID 2644 wrote to memory of 2404   2644  cmd.exe       42
  PID 2644 wrote to memory of 2404   2644  cmd.exe       42
  PID 2644 wrote to memory of 2404   2644  cmd.exe       42
  PID 1196 wrote to memory of 2360   1196  cmd.exe       43
  PID 1196 wrote to memory of 2360   1196  cmd.exe       43
  PID 1196 wrote to memory of 2360   1196  cmd.exe       43
  PID 2620 wrote to memory of 1692   2620  cmd.exe       44
  PID 2620 wrote to memory of 1692   2620  cmd.exe       44
  PID 2620 wrote to memory of 1692   2620  cmd.exe       44
  PID 2692 wrote to memory of 764    2692  cmd.exe       45
  PID 2692 wrote to memory of 764    2692  cmd.exe       45
  PID 2692 wrote to memory of 764    2692  cmd.exe       45
  PID 2132 wrote to memory of 2640   2132  cmd.exe       46
  PID 2132 wrote to memory of 2640   2132  cmd.exe       46
  PID 2132 wrote to memory of 2640   2132  cmd.exe       46
  PID 2616 wrote to memory of 2928   2616  cmd.exe       47
  PID 2616 wrote to memory of 2928   2616  cmd.exe       47
  PID 2616 wrote to memory of 2928   2616  cmd.exe       47
  PID 2732 wrote to memory of 2760   2732  CORTEX.exe    49
  PID 2732 wrote to memory of 2760   2732  CORTEX.exe    49
  PID 2732 wrote to memory of 2760   2732  CORTEX.exe    49
  PID 2732 wrote to memory of 2836   2732  CORTEX.exe    50
  PID 2732 wrote to memory of 2836   2732  CORTEX.exe    50
  PID 2732 wrote to memory of 2836   2732  CORTEX.exe    50
  PID 2732 wrote to memory of 2752   2732  CORTEX.exe    51
  PID 2732 wrote to memory of 2752   2732  CORTEX.exe    51
  PID 2732 wrote to memory of 2752   2732  CORTEX.exe    51
  PID 2732 wrote to memory of 2872   2732  CORTEX.exe    52
  PID 2732 wrote to memory of 2872   2732  CORTEX.exe    52
  PID 2732 wrote to memory of 2872   2732  CORTEX.exe    52
  PID 2732 wrote to memory of 2948   2732  CORTEX.exe    53
  PID 2732 wrote to memory of 2948   2732  CORTEX.exe    53
  PID 2732 wrote to memory of 2948   2732  CORTEX.exe    53
Processes
[1] C:\Users\Admin\AppData\Local\Temp\Mw3Chair.exe  (PID 2172)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Mw3Chair.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\rr.exe  (PID 2700)
      cmdline: "C:\Users\Admin\AppData\Roaming\rr.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\2m5QK1WcLEvcRZNvUwDhvm0yekH\rr.exe  (PID 2880)
        cmdline: C:\Users\Admin\AppData\Local\Temp\2m5QK1WcLEvcRZNvUwDhvm0yekH\rr.exe
        - Executes dropped EXE
        - Loads dropped DLL
  [2] C:\Users\Admin\AppData\Roaming\CORTEX.exe  (PID 2732)
      cmdline: "C:\Users\Admin\AppData\Roaming\CORTEX.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe  (PID 2584)
        cmdline: C:\Windows\system32\cmd.exe /c Color 4
    [3] C:\Windows\system32\cmd.exe  (PID 2620)
        cmdline: cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\taskkill.exe  (PID 1692)
          cmdline: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe  (PID 2644)
        cmdline: cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\taskkill.exe  (PID 2404)
          cmdline: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe  (PID 2692)
        cmdline: cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\taskkill.exe  (PID 764)
          cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe  (PID 1196)
        cmdline: cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\sc.exe  (PID 2360)
          cmdline: sc stop HTTPDebuggerPro
          - Launches sc.exe
    [3] C:\Windows\system32\cmd.exe  (PID 2132)
        cmdline: cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\taskkill.exe  (PID 2640)
          cmdline: taskkill /IM HTTPDebuggerSvc.exe /F
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe  (PID 1776)
        cmdline: cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
    [3] C:\Windows\system32\cmd.exe  (PID 2616)
        cmdline: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Roaming\CORTEX.exe" MD5
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\certutil.exe  (PID 2928)
          cmdline: certutil -hashfile "C:\Users\Admin\AppData\Roaming\CORTEX.exe" MD5
    [3] C:\Windows\system32\cmd.exe  (PID 2760)
        cmdline: cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
      [4] C:\Windows\system32\taskkill.exe  (PID 2888)
          cmdline: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe  (PID 2836)
        cmdline: cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
      [4] C:\Windows\system32\taskkill.exe  (PID 484)
          cmdline: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe  (PID 2752)
        cmdline: cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
      [4] C:\Windows\system32\taskkill.exe  (PID 2900)
          cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe  (PID 2872)
        cmdline: cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
      [4] C:\Windows\system32\sc.exe  (PID 2028)
          cmdline: sc stop HTTPDebuggerPro
          - Launches sc.exe
    [3] C:\Windows\system32\cmd.exe  (PID 2948)
        cmdline: cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
      [4] C:\Windows\system32\taskkill.exe  (PID 2764)
          cmdline: taskkill /IM HTTPDebuggerSvc.exe /F
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe  (PID 2964)
        cmdline: cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
    [3] C:\Windows\system32\cmd.exe  (PID 584)
        cmdline: cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
      [4] C:\Windows\system32\taskkill.exe  (PID 2496)
          cmdline: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe  (PID 980)
        cmdline: cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
      [4] C:\Windows\system32\taskkill.exe  (PID 1624)
          cmdline: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe  (PID 984)
        cmdline: cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
      [4] C:\Windows\system32\taskkill.exe  (PID 2168)
          cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe  (PID 3052)
        cmdline: cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
      [4] C:\Windows\system32\sc.exe  (PID 2844)
          cmdline: sc stop HTTPDebuggerPro
          - Launches sc.exe
    [3] C:\Windows\system32\cmd.exe  (PID 2248)
        cmdline: cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
      [4] C:\Windows\system32\taskkill.exe  (PID 2772)
          cmdline: taskkill /IM HTTPDebuggerSvc.exe /F
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe  (PID 2476)
        cmdline: cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
    [3] C:\Windows\system32\cmd.exe  (PID 1008)
        cmdline: cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
      [4] C:\Windows\system32\taskkill.exe  (PID 108)
          cmdline: taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe  (PID 1576)
        cmdline: cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
      [4] C:\Windows\system32\taskkill.exe  (PID 1764)
          cmdline: taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe  (PID 560)
        cmdline: cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
      [4] C:\Windows\system32\taskkill.exe  (PID 2804)
          cmdline: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe  (PID 1640)
        cmdline: cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
      [4] C:\Windows\system32\sc.exe  (PID 2344)
          cmdline: sc stop HTTPDebuggerPro
          - Launches sc.exe
    [3] C:\Windows\system32\cmd.exe  (PID 2288)
        cmdline: cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
      [4] C:\Windows\system32\taskkill.exe  (PID 2728)
          cmdline: taskkill /IM HTTPDebuggerSvc.exe /F
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe  (PID 1860)
        cmdline: cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.8MB
  MD5: cc00135fe47c2e1e3c2afdae364e343e
  SHA1: b6f2edebeae328004537147e4743523f1eba88fe
  SHA256: 5dad57ea08d8af1e78889e7b9191a0d4cb55e6124a447a8ab352064ca20a200d
  SHA512: cbd7392ffb932241eaa3d67e4df7e2fa1163529e46ecf7ed17eb80fe5f36895ed00b39feccbb9966cfaebafba83b576a4f9a17593bb2bb61d8df70703d90b35f
- Filesize: 100KB
  MD5: c6a6e03f77c313b267498515488c5740
  SHA1: 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
  SHA256: b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
  SHA512: 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803
- Filesize: 16.1MB
  MD5: 66d8819bc195304bf89ff06d186f7806
  SHA1: ff1295cba9c2cd3ea0c0fcd1d55d2b8170deddfc
  SHA256: 13e4c83b9fb05b82bb26dd299d7c3fa38ac829b4d99b33f257a1f680f965938f
  SHA512: a5dbf7be3d4cf5c13abf846554147f0bf32c4732b7ed81e9a415b37fc5f5abef97a01f61e744ca24394105451a9addffbd62338283feb9ca83e359728063591b
- Filesize: 12KB
  MD5: 0d7ad4f45dc6f5aa87f606d0331c6901
  SHA1: 48df0911f0484cbe2a8cdd5362140b63c41ee457
  SHA256: 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
  SHA512: c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
- Filesize: 424KB
  MD5: 80e44ce4895304c6a3a831310fbf8cd0
  SHA1: 36bd49ae21c460be5753a904b4501f1abca53508
  SHA256: b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
  SHA512: c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df