Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

svc.exe

windows7_x64

7

svc.exe

windows10_x64

3

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    09/07/2020, 18:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svc.exe

  • Size

    470KB

  • MD5

    05e4aeecf11a890bfc365ccce931065b

  • SHA1

    e6c22b3242244cb8000df3b26529c5f24b76be57

  • SHA256

    9ebc903ca6847352aaac87d7f904fe4009c4b7b7acc9b629e5610c0f04dac4ef

  • SHA512

    9aafe634aae28c4523948b81eab725b80b7d47677552492c028e1e1308784d2ddfd431eff4c8a6702f7b7642fa33654b8136b4f72ee03446e1eec0cd6e416678

Score
7/10
evasiontrojan

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SendNotifyMessage
    • Checks whether UAC is enabled
    • Suspicious use of FindShellTrayWindow
    PID:1228
    • C:\Users\Admin\AppData\Local\Temp\svc.exe
      "C:\Users\Admin\AppData\Local\Temp\svc.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetThreadContext
      PID:1464
      • C:\Users\Admin\AppData\Local\Temp\svc.exe
        "{path}"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: MapViewOfSection
        PID:336
    • C:\Windows\SysWOW64\control.exe
      "C:\Windows\SysWOW64\control.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: MapViewOfSection
      PID:1036
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\svc.exe"
        3⤵
        • Deletes itself
        PID:732

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/336-2-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1036-5-0x00000000009E0000-0x00000000009FF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1036-7-0x0000000002EE0000-0x0000000003055000-memory.dmp

    Filesize

    1.5MB

    Download