Resubmissions
  10/10/2024, 16:44  241010-t82a7s1dmq  score 7
  10/10/2024, 16:43  241010-t8bqjs1djp  score 5
  10/10/2024, 16:30  241010-tz1nbazhmp  score 5

Analysis
  max time kernel: 150s
  max time network: 150s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 10/10/2024, 16:43
Tasks
  Static task static1
  Behavioral task behavioral1: sample mpclient.dll, resource win7-20240708-en
  Behavioral task behavioral2: sample mpclient.dll, resource win10v2004-20241007-en
  Behavioral task behavioral3: sample mpclient.exe, resource win7-20240903-en
  Behavioral task behavioral4: sample mpclient.exe, resource win10v2004-20241007-en
General
  Target: mpclient.exe
  Size: 186KB
  MD5: 6bd4d7f68924301051c22e8a951aecba
  SHA1: 2ae2a6b863616b61ccb550fc1a145ae025896de1
  SHA256: 9afd12eede0db98a35aba52f53041efa4a2f2a03673672c7ac530830b7152392
  SHA512: ebf97dcc36413e9c05da1df9d296bd5226f2c5acc86f8592755f10454328ffa90dc9805825ede64f350fade5de9cef73d050aad569b733f914da6aa92740f708
  SSDEEP: 3072:crWzrkggF1yGunZZwFrUhxDR1cAoPF+sq:uCzgF1enfwFrUk
Malware Config
Signatures
  Suspicious use of SetThreadContext (3 IoCs)
    description                               pid   Process       procid_target
    PID 2772 set thread context of 2808       2772  mpclient.exe  31
    PID 876 set thread context of 2408        876   svchost.exe   35
    PID 2408 set thread context of 2860       2408  svchost.exe   36

  UPX-packed memory regions (resource / yara_rule)
    behavioral3/memory/2772-18-0x0000000180000000-0x0000000180066000-memory.dmp  upx
    behavioral3/memory/2808-17-0x0000000180000000-0x0000000180066000-memory.dmp  upx
    behavioral3/memory/2808-16-0x0000000180000000-0x0000000180066000-memory.dmp  upx
    behavioral3/memory/2772-1-0x0000000180000000-0x0000000180066000-memory.dmp   upx
    behavioral3/memory/2408-63-0x0000000180000000-0x0000000180066000-memory.dmp  upx
    behavioral3/memory/876-46-0x0000000180000000-0x0000000180066000-memory.dmp   upx
    behavioral3/memory/876-62-0x0000000180000000-0x0000000180066000-memory.dmp   upx
    behavioral3/memory/2408-68-0x0000000180000000-0x0000000180066000-memory.dmp  upx

  Drops file in Windows directory (1 IoC)
    description                   ioc                                                Process
    File opened for modification  C:\Windows\appcompat\programs\RecentFileCache.bcf  svchost.exe

  Suspicious behavior: EnumeratesProcesses (64 IoCs; distinct pid/Process pairs, repeats collapsed)
    pid   Process
    2772  mpclient.exe
    2808  svchost.exe
    2672  mpclient.exe
    876   svchost.exe
    2408  svchost.exe
    2860  dllhost.exe

  Suspicious behavior: RenamesItself (1 IoC)
    pid   Process
    2808  svchost.exe

  Suspicious use of AdjustPrivilegeToken (64 IoCs; distinct tokens per process, repeats collapsed)
    pid 2808 svchost.exe: SeDebugPrivilege, SeTcbPrivilege
    pid 876 svchost.exe: SeAuditPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege

  Suspicious use of WriteProcessMemory (24 IoCs; identical rows collapsed with counts)
    description                           pid   Process       procid_target  count
    PID 2772 wrote to memory of 2808      2772  mpclient.exe  31             6
    PID 2564 wrote to memory of 2672      2564  taskeng.exe   33             3
    PID 2672 wrote to memory of 876       2672  mpclient.exe  13             3
    PID 876 wrote to memory of 2408       876   svchost.exe   35             6
    PID 2408 wrote to memory of 2860      2408  svchost.exe   36             6
  Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
  C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs
    PID: 876
    Signatures: Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    C:\Windows\system32\taskeng.exe
      Command line: taskeng.exe {F7C262D6-F24E-49C5-8480-288B74597E89} S-1-5-18:NT AUTHORITY\System:Service:
      PID: 2564
      Signatures: Suspicious use of WriteProcessMemory
      C:\Windows\system32\mpclient.exe
        Command line: C:\Windows\system32\mpclient.exe -svc
        PID: 2672
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    C:\Windows\system32\svchost.exe
      Command line: C:\Windows\system32\svchost.exe -k netsvcs
      PID: 2408
      Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      C:\Windows\system32\dllhost.exe
        Command line: C:\Windows\system32\dllhost.exe /Processid:{F8284233-48F4-4680-ADDD-F8284233}
        PID: 2860
        Signatures: Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\AppData\Local\Temp\mpclient.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\mpclient.exe"
    PID: 2772
    Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    C:\Windows\system32\svchost.exe
      Command line: C:\Windows\system32\svchost.exe -Install
      PID: 2808
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious behavior: RenamesItself; Suspicious use of AdjustPrivilegeToken