Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
104s -
max time network
105s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
29/09/2024, 12:29
Behavioral task
behavioral1
Sample
Meow.exe
Resource
win7-20240708-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
Meow.exe
Resource
win10v2004-20240910-en
windows10-2004-x64
2 signatures
150 seconds
Errors
Reason
Machine shutdown
General
-
Target
Meow.exe
-
Size
7.0MB
-
MD5
c11bcc869a27b0e553de21da35b12d7d
-
SHA1
8756faa6dd994c0482647e6f1f5e7e30d20a37a5
-
SHA256
6de7fd500a0b9f04c47d4658d9d7704952b3f52df5e30553649c34981374adc5
-
SHA512
4b66a33b083d339bb73b7943baff61982b6e8180164826819ce49c64309a42002b61511cf2c8429c46700f74c5b825702939ddb144940f823cea81abdb1318ad
-
SSDEEP
196608:PRJGV2NBKA1HeT39IigZTet4Q4G/NsIWyzWXAMYI93:LGV2fj1+TtIigS1NsIVzWXAcx
Score
7/10
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
pid Process 2968 Meow.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language csrss.exe -
Enumerates system info in registry 2 TTPs 32 IoCs
description ioc Process Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 csrss.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter csrss.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier csrss.exe -
Modifies data under HKEY_USERS 9 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize" winlogon.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor" winlogon.exe Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000 winlogon.exe -
Suspicious use of AdjustPrivilegeToken 14 IoCs
description pid Process Token: SeShutdownPrivilege 2420 LogonUI.exe Token: SeShutdownPrivilege 2420 LogonUI.exe Token: SeSecurityPrivilege 2680 winlogon.exe Token: SeBackupPrivilege 2680 winlogon.exe Token: SeSecurityPrivilege 2680 winlogon.exe Token: SeTcbPrivilege 2680 winlogon.exe Token: SeShutdownPrivilege 2420 LogonUI.exe Token: SeSecurityPrivilege 2680 winlogon.exe Token: SeBackupPrivilege 2680 winlogon.exe Token: SeSecurityPrivilege 2680 winlogon.exe Token: SeShutdownPrivilege 2420 LogonUI.exe Token: SeShutdownPrivilege 2420 LogonUI.exe Token: SeShutdownPrivilege 2680 winlogon.exe Token: SeShutdownPrivilege 2680 winlogon.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 3016 wrote to memory of 2968 3016 Meow.exe 31 PID 3016 wrote to memory of 2968 3016 Meow.exe 31 PID 3016 wrote to memory of 2968 3016 Meow.exe 31 PID 2872 wrote to memory of 1796 2872 cmd.exe 38 PID 2872 wrote to memory of 1796 2872 cmd.exe 38 PID 2872 wrote to memory of 1796 2872 cmd.exe 38 PID 1324 wrote to memory of 2420 1324 csrss.exe 42 PID 1324 wrote to memory of 2420 1324 csrss.exe 42 PID 2680 wrote to memory of 2420 2680 winlogon.exe 42 PID 2680 wrote to memory of 2420 2680 winlogon.exe 42 PID 2680 wrote to memory of 2420 2680 winlogon.exe 42 PID 1324 wrote to memory of 2420 1324 csrss.exe 42 PID 1324 wrote to memory of 2420 1324 csrss.exe 42 PID 1324 wrote to memory of 2420 1324 csrss.exe 42 PID 1324 wrote to memory of 2420 1324 csrss.exe 42 PID 1324 wrote to memory of 2420 1324 csrss.exe 42 PID 1324 wrote to memory of 2420 1324 csrss.exe 42 PID 1324 wrote to memory of 2420 1324 csrss.exe 42 PID 1324 wrote to memory of 2420 1324 csrss.exe 42 PID 1324 wrote to memory of 2420 1324 csrss.exe 42
Processes
-
C:\Users\Admin\AppData\Local\Temp\Meow.exe"C:\Users\Admin\AppData\Local\Temp\Meow.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Users\Admin\AppData\Local\Temp\Meow.exe"C:\Users\Admin\AppData\Local\Temp\Meow.exe"2⤵
- Loads dropped DLL
PID:2968
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:2764
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
PID:2148
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\system32\tree.comtree2⤵PID:1796
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1324
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x02⤵
- Suspicious use of AdjustPrivilegeToken
PID:2420
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵PID:2116
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵PID:3008
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.6MB
MD5cae8fa4e7cb32da83acf655c2c39d9e1
SHA17a0055588a2d232be8c56791642cb0f5abbc71f8
SHA2568ad53c67c2b4db4387d5f72ee2a3ca80c40af444b22bf41a6cfda2225a27bb93
SHA512db2190da2c35bceed0ef91d7553ff0dea442286490145c3d0e89db59ba1299b0851e601cc324b5f7fd026414fc73755e8eff2ef5fb5eeb1c54a9e13e7c66dd0c