Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
13s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
22/12/2024, 02:50
Static task
static1
Behavioral task
behavioral1
Sample
9361a5a13c26bdba1ce006356706339272465f4fa25c75a008f0041b9b647b90.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
9361a5a13c26bdba1ce006356706339272465f4fa25c75a008f0041b9b647b90.exe
Resource
win10v2004-20241007-en
General
-
Target
9361a5a13c26bdba1ce006356706339272465f4fa25c75a008f0041b9b647b90.exe
-
Size
4.0MB
-
MD5
539273d402029467299ebfd32f365b53
-
SHA1
7b208fa71b1dbfa17378eabde614c0ed6c8e2fc3
-
SHA256
9361a5a13c26bdba1ce006356706339272465f4fa25c75a008f0041b9b647b90
-
SHA512
d539c2e40a7635a54999fc885b26bc7730da391a2f0991dddf8c63a75600298eaf068363f67bcfb3df0a10c37a5f8fbf077c4bdcd90af68dcc7e3d7e1c30443a
-
SSDEEP
98304:qhxc++JLGaI8ojO9uHZRQ4Kg/rp0WwJYxLa4iv:03G6Ooi9u+gjy+x2jv
Malware Config
Signatures
-
SaintBot payload 1 IoCs
resource yara_rule behavioral1/memory/1940-55-0x0000000000080000-0x000000000008B000-memory.dmp family_saintbot -
Saintbot family
-
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk 9361a5a13c26bdba1ce006356706339272465f4fa25c75a008f0041b9b647b90.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome.exe watchdog.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome.exe Google Chrome.exe -
Executes dropped EXE 4 IoCs
pid Process 3000 watchdog.exe 2904 Google Chrome.exe 2712 Defender.exe 980 Defender.exe -
Loads dropped DLL 7 IoCs
pid Process 3016 9361a5a13c26bdba1ce006356706339272465f4fa25c75a008f0041b9b647b90.exe 3016 9361a5a13c26bdba1ce006356706339272465f4fa25c75a008f0041b9b647b90.exe 3016 9361a5a13c26bdba1ce006356706339272465f4fa25c75a008f0041b9b647b90.exe 3000 watchdog.exe 2904 Google Chrome.exe 2168 cmd.exe 1940 dfrgui.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\zzAdmin\\Admin.vbs" dfrgui.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum Google Chrome.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 Google Chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum dfrgui.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 dfrgui.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum watchdog.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 watchdog.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\dfrgui.exe dfrgui.exe -
resource yara_rule behavioral1/files/0x0008000000016d70-46.dat upx behavioral1/memory/2712-50-0x000000013FCC0000-0x0000000141AE0000-memory.dmp upx behavioral1/memory/980-56-0x000000013F530000-0x0000000141350000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dfrgui.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9361a5a13c26bdba1ce006356706339272465f4fa25c75a008f0041b9b647b90.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language watchdog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Google Chrome.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1788 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 dfrgui.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dfrgui.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1788 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2088 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2904 Google Chrome.exe -
Suspicious use of WriteProcessMemory 45 IoCs
description pid Process procid_target PID 3016 wrote to memory of 2972 3016 9361a5a13c26bdba1ce006356706339272465f4fa25c75a008f0041b9b647b90.exe 29 PID 3016 wrote to memory of 2972 3016 9361a5a13c26bdba1ce006356706339272465f4fa25c75a008f0041b9b647b90.exe 29 PID 3016 wrote to memory of 2972 3016 9361a5a13c26bdba1ce006356706339272465f4fa25c75a008f0041b9b647b90.exe 29 PID 3016 wrote to memory of 2972 3016 9361a5a13c26bdba1ce006356706339272465f4fa25c75a008f0041b9b647b90.exe 29 PID 3016 wrote to memory of 3000 3016 9361a5a13c26bdba1ce006356706339272465f4fa25c75a008f0041b9b647b90.exe 30 PID 3016 wrote to memory of 3000 3016 9361a5a13c26bdba1ce006356706339272465f4fa25c75a008f0041b9b647b90.exe 30 PID 3016 wrote to memory of 3000 3016 9361a5a13c26bdba1ce006356706339272465f4fa25c75a008f0041b9b647b90.exe 30 PID 3016 wrote to memory of 3000 3016 9361a5a13c26bdba1ce006356706339272465f4fa25c75a008f0041b9b647b90.exe 30 PID 3000 wrote to memory of 2904 3000 watchdog.exe 31 PID 3000 wrote to memory of 2904 3000 watchdog.exe 31 PID 3000 wrote to memory of 2904 3000 watchdog.exe 31 PID 3000 wrote to memory of 2904 3000 watchdog.exe 31 PID 3000 wrote to memory of 2764 3000 watchdog.exe 32 PID 3000 wrote to memory of 2764 3000 watchdog.exe 32 PID 3000 wrote to memory of 2764 3000 watchdog.exe 32 PID 3000 wrote to memory of 2764 3000 watchdog.exe 32 PID 2972 wrote to memory of 2168 2972 WScript.exe 34 PID 2972 wrote to memory of 2168 2972 WScript.exe 34 PID 2972 wrote to memory of 2168 2972 WScript.exe 34 PID 2972 wrote to memory of 2168 2972 WScript.exe 34 PID 2764 wrote to memory of 1788 2764 cmd.exe 36 PID 2764 wrote to memory of 1788 2764 cmd.exe 36 PID 2764 wrote to memory of 1788 2764 cmd.exe 36 PID 2764 wrote to memory of 1788 2764 cmd.exe 36 PID 2904 wrote to memory of 1940 2904 Google Chrome.exe 37 PID 2904 wrote to memory of 1940 2904 Google Chrome.exe 37 PID 2904 wrote to memory of 1940 2904 Google Chrome.exe 37 PID 2904 wrote to memory of 1940 2904 Google Chrome.exe 37 PID 2168 wrote to memory of 2712 2168 cmd.exe 38 PID 2168 wrote to memory of 2712 2168 cmd.exe 38 PID 2168 wrote to memory of 2712 2168 cmd.exe 38 PID 2168 wrote to memory of 2712 2168 cmd.exe 38 PID 2904 wrote to memory of 1940 2904 Google Chrome.exe 37 PID 2764 wrote to memory of 2184 2764 cmd.exe 39 PID 2764 wrote to memory of 2184 2764 cmd.exe 39 PID 2764 wrote to memory of 2184 2764 cmd.exe 39 PID 2764 wrote to memory of 2184 2764 cmd.exe 39 PID 1940 wrote to memory of 2088 1940 dfrgui.exe 40 PID 1940 wrote to memory of 2088 1940 dfrgui.exe 40 PID 1940 wrote to memory of 2088 1940 dfrgui.exe 40 PID 1940 wrote to memory of 2088 1940 dfrgui.exe 40 PID 2168 wrote to memory of 980 2168 cmd.exe 42 PID 2168 wrote to memory of 980 2168 cmd.exe 42 PID 2168 wrote to memory of 980 2168 cmd.exe 42 PID 2168 wrote to memory of 980 2168 cmd.exe 42
Processes
-
C:\Users\Admin\AppData\Local\Temp\9361a5a13c26bdba1ce006356706339272465f4fa25c75a008f0041b9b647b90.exe"C:\Users\Admin\AppData\Local\Temp\9361a5a13c26bdba1ce006356706339272465f4fa25c75a008f0041b9b647b90.exe"1⤵
- Drops startup file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Admin\run.vbs"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c 5666.bat3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Users\Admin\AppData\Local\Admin\Defender.exeDefender.exe4⤵
- Executes dropped EXE
PID:2712
-
-
C:\Users\Admin\AppData\Local\Admin\Defender.exeDefender.exe --algo ETHASH --pool eth.2miners.com:2020 --user 0xbFA6b56Ff31539269929C6913B7e68A45122847c.Worker4⤵
- Executes dropped EXE
PID:980
-
-
-
-
C:\Users\Admin\AppData\Local\Admin\watchdog.exe"C:\Users\Admin\AppData\Local\Admin\watchdog.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\dfrgui.exe"C:\Windows\system32\dfrgui.exe"4⤵
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn "Update" /tr "%SYSTEMDRIVE%\Users\%USERNAME%\AppData\Local\zz%USERNAME%\%USERNAME%.vbs" /F5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2088
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\del.bat3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\PING.EXEping localhost -n 34⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1788
-
-
C:\Windows\SysWOW64\cmd.execmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"4⤵
- System Location Discovery: System Language Discovery
PID:2184
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
490B
MD53d959857b0136a49f004516acc96a627
SHA160f7ec89669792026aeec876f664d62d19bdc269
SHA256e3cf05b34d24ca28a56a04281d310b4212adc2a19aae43f668bff34debd60f04
SHA512e3d11abd4bfe1f0fa635241c120d2c09966926673792e440a1721a3a88e08e48cfb4079c0f6037f1f275edf4d0dbd8d37266e0047674d882207b06e1dbaa805a
-
Filesize
116B
MD51b068a0de7c2182577b08ccf6973d35d
SHA1fcae2d3432c11c9139e1a5ac513667f1f00931ca
SHA2563ab89fde92e31ee6818660f9c29acc2cf0d03799bb5c4f0641929bbd8eade2b4
SHA512728b6b024e1f5b9df94de37d83b9423447888783e0bcd7528047ee1d922784deb30df9a232f87f0e95e4d47499544c7bd2368a2f35b144bfd385a203464d71f3
-
Filesize
29KB
MD5512292a064c1899e46b19b2f0c3ada9a
SHA1fabb10754aceead1c7c0688b10484971ac020149
SHA256c773acbb7e825f660f9e7c4c6c71b20e678b556e63e702a3f3286bd59c3f1b61
SHA51216788ca1c710726ad98317b9e9c7da82bbbfe4d511a611f558418784d39fd789925691ea3caca79cb5ea38c81f2d1b3dd2003eb246063fa5cb5ac81e834f0f35
-
Filesize
1.2MB
MD5d124f55b9393c976963407dff51ffa79
SHA12c7bbedd79791bfb866898c85b504186db610b5d
SHA256ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
-
Filesize
114B
MD5ccf1f01af7806334814c7d2481b60e59
SHA1126b1d3d067653d3936f82b15b060bce172c0258
SHA256432e3e54e9c6f791ae439eb3af32bc350ffbae4ea42724a1875c13e49058e940
SHA512d333c52d23ba1473117f5e83c13fc880055989df4fc3a9cb69b13d3e297160f048e9a9256289840d9039587dd08030798027204f66886e6ae83136512fff81b0
-
Filesize
3.7MB
MD53c9dcc91e05dc05a01fff739e40474d7
SHA14958788d0d3f4bdd7410669da6b8d66c642b0551
SHA2566dd7b3d944595429136366b908fd18d3cac315c6f1453dd4cb5bcafa9e9a95a6
SHA512f6fbe0bf4c71e6bda658d42b0bae94b51da6bf44ec813c070b7a74c7243f277ca0749b37dcd48a71e42295f7ade9f2384e6a69711cbb2dcbd732c0a4c7934d0f