Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
15/01/2025, 14:39
Static task
static1
Behavioral task
behavioral1
Sample
775930a062cfe16caf9a56513d142262.dll
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
775930a062cfe16caf9a56513d142262.dll
Resource
win10v2004-20241007-en
General
-
Target
775930a062cfe16caf9a56513d142262.dll
-
Size
5.0MB
-
MD5
775930a062cfe16caf9a56513d142262
-
SHA1
ebc7f59387f5b121795b3c3bc37bc77c566baf7b
-
SHA256
c5eeafb62d5b0fce524e12ad5a94f7e221636dc1bfc8622c8d7e0e61bc0950f8
-
SHA512
7b5a61545b21ea5f477d86df7af8d53951011f3b062db09a5defb053716bb2bb619c53b5111ddcadba5047029fb41da2cdf3d95ab49466ed33428f372fe98f48
-
SSDEEP
49152:RnnMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhHE:1nPoBhz1aRxcSUDk36SAEdhk
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
Contacts a large (3313) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 2 IoCs
pid Process 1132 mssecsvr.exe 2212 mssecsvr.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 5 IoCs
description ioc Process File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\3FWI17MO.txt mssecsvr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\3FWI17MO.txt mssecsvr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvr.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\ELDLD8BD.txt mssecsvr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\ELDLD8BD.txt mssecsvr.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvr.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvr.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvr.exe -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6FE971C-EE18-4DF0-930E-6E65E4CF35D5} mssecsvr.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6FE971C-EE18-4DF0-930E-6E65E4CF35D5}\WpadDecisionTime = f00f6f3c5b67db01 mssecsvr.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-7b-ed-da-f9-02\WpadDecisionTime = f00f6f3c5b67db01 mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6FE971C-EE18-4DF0-930E-6E65E4CF35D5}\WpadDecisionReason = "1" mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-7b-ed-da-f9-02\WpadDecision = "0" mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-7b-ed-da-f9-02\WpadDecisionReason = "1" mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6FE971C-EE18-4DF0-930E-6E65E4CF35D5}\WpadNetworkName = "Network 3" mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-7b-ed-da-f9-02 mssecsvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvr.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0129000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6FE971C-EE18-4DF0-930E-6E65E4CF35D5}\WpadDecision = "0" mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvr.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6FE971C-EE18-4DF0-930E-6E65E4CF35D5}\22-7b-ed-da-f9-02 mssecsvr.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2652 wrote to memory of 1648 2652 rundll32.exe 30 PID 2652 wrote to memory of 1648 2652 rundll32.exe 30 PID 2652 wrote to memory of 1648 2652 rundll32.exe 30 PID 2652 wrote to memory of 1648 2652 rundll32.exe 30 PID 2652 wrote to memory of 1648 2652 rundll32.exe 30 PID 2652 wrote to memory of 1648 2652 rundll32.exe 30 PID 2652 wrote to memory of 1648 2652 rundll32.exe 30 PID 1648 wrote to memory of 1132 1648 rundll32.exe 31 PID 1648 wrote to memory of 1132 1648 rundll32.exe 31 PID 1648 wrote to memory of 1132 1648 rundll32.exe 31 PID 1648 wrote to memory of 1132 1648 rundll32.exe 31
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\775930a062cfe16caf9a56513d142262.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\775930a062cfe16caf9a56513d142262.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\WINDOWS\mssecsvr.exeC:\WINDOWS\mssecsvr.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1132
-
-
-
C:\WINDOWS\mssecsvr.exeC:\WINDOWS\mssecsvr.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2212
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.2MB
MD5e916117384c8250971067d18f2734f8b
SHA149515862ad32a93804f787671a4eff3d0ebf6fc8
SHA25609e05a106716c7a1994bc60185129c57a865f378468dfd223e424b51de1fcbe9
SHA512b6e887f017086f2a578a2e82d37749632aa6e11c1c95650d818b3d381aa53be24eceab0358b8e64760df2ec17bfa3647db64b1bf50e7b69da14641c3d3bd8ca3