Analysis
max time kernel: 143s
max time network: 153s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 19/09/2022, 03:48
Static task: static1
Behavioral task: behavioral1
  Sample: AvastSvcyHA/AvastSvc.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: AvastSvcyHA/AvastSvc.exe
  Resource: win10v2004-20220812-en
Behavioral task: behavioral3
  Sample: AvastSvcyHA/wsc.dll
  Resource: win7-20220812-en
Behavioral task: behavioral4
  Sample: AvastSvcyHA/wsc.dll
  Resource: win10v2004-20220812-en
General
Target: AvastSvcyHA/AvastSvc.exe
Size: 60KB
MD5: a72036f635cecf0dcb1e9c6f49a8fa5b
SHA1: 049813b955db1dd90952657ae2bd34250153563e
SHA256: 85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654
SHA512: e3582e0969361d272c2469ce139ec809b9b0ac98fbc5eb5bb287442aed4c6ba69ed8175b68970751c93730cfaf07b75c3bc5e4e24aeda8f984b24f33bb8e3da2
SSDEEP: 768:Q/WQ3/TymxfsHYPry0bgYh3LKgMoCDGFh9D:Q+QvT7xUHYPDbgYVLWofD
Malware Config
Extracted: plugx
103.192.226.100:80
103.192.226.100:8000
103.192.226.100:8080
103.192.226.100:110
GJsgXZYVrgqcUMNVXzvU
folder: AvastSvcyHA
Signatures
- Executes dropped EXE (1 IoC)
  PID 1952, Process AvastSvc.exe
- Loads dropped DLL (3 IoCs)
  PID 1376, Process AvastSvc.exe
  PID 1376, Process AvastSvc.exe
  PID 1952, Process AvastSvc.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run (AvastSvc.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\AvastSvcyHA = "\"C:\\ProgramData\\AvastSvcyHA\\AvastSvc.exe\" 161" (AvastSvc.exe)
  Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (AvastSvc.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AvastSvcyHA = "\"C:\\ProgramData\\AvastSvcyHA\\AvastSvc.exe\" 161" (AvastSvc.exe)
- Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only): \??\D: (AvastSvc.exe)
- Modifies registry class (5 IoCs)
  Key created: \REGISTRY\MACHINE\Software\CLASSES\ms-pu (AvastSvc.exe)
  Key created: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\ms-pu (AvastSvc.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu\CLSID = 41003000380045003300410039003600340038003500460044003600310038000000 (AvastSvc.exe)
  Key created: \REGISTRY\MACHINE\Software\CLASSES\ms-pu (AvastSvc.exe)
  Key created: \REGISTRY\MACHINE\Software\CLASSES\ms-pu\PROXY (AvastSvc.exe)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 1952, Process AvastSvc.exe (6 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 1952, Process AvastSvc.exe
  Token: SeDebugPrivilege, PID 1952, Process AvastSvc.exe
  Token: SeTcbPrivilege, PID 1952, Process AvastSvc.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1376 wrote to memory of 1952 (AvastSvc.exe, procid_target 26), 4 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AvastSvcyHA\AvastSvc.exe"
  PID: 1376
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\AvastSvcyHA\AvastSvc.exe (child of PID 1376)
    Command line: C:\ProgramData\AvastSvcyHA\AvastSvc.exe 161
    PID: 1952
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 160KB
  MD5: 03a75e4fd64e9b46d0dfff2589d27822
  SHA1: 099199fe7bf4e7245e44e9a977178348a37a4f61
  SHA256: 5eaaf8ac2d358c2d7065884b7994638fee3987f02474e54467f14b010a18d028
  SHA512: 0d85b7e220a359a75555ebd929396b73417ebff8d8f713b4053c9ebc99b51325e507220efbca8afa259dc18d6f09fc3f036bfe3190ff1225153db037932a7de1
- Filesize: 60KB
  MD5: a72036f635cecf0dcb1e9c6f49a8fa5b
  SHA1: 049813b955db1dd90952657ae2bd34250153563e
  SHA256: 85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654
  SHA512: e3582e0969361d272c2469ce139ec809b9b0ac98fbc5eb5bb287442aed4c6ba69ed8175b68970751c93730cfaf07b75c3bc5e4e24aeda8f984b24f33bb8e3da2
- Filesize: 52KB
  MD5: fd866f6e1b997c31bdb6ba24361663e5
  SHA1: fdf4296522e9ad7ed6d2b7a8aa53debb15566c19
  SHA256: 28875b1d6206e41ddcdbae56c6001915735c08f11f6a77db5a7107a4236afb34
  SHA512: 05e8aeb4d0f318db1943797f22388cbc43432b8206fc2b2a38505f2cacbcf25b7058015ea5e462d1778f20b3b31e256a1747f7416e26a939e5eb60b8664ad49c
- Filesize: 60KB
  MD5: a72036f635cecf0dcb1e9c6f49a8fa5b
  SHA1: 049813b955db1dd90952657ae2bd34250153563e
  SHA256: 85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654
  SHA512: e3582e0969361d272c2469ce139ec809b9b0ac98fbc5eb5bb287442aed4c6ba69ed8175b68970751c93730cfaf07b75c3bc5e4e24aeda8f984b24f33bb8e3da2
- Filesize: 60KB
  MD5: a72036f635cecf0dcb1e9c6f49a8fa5b
  SHA1: 049813b955db1dd90952657ae2bd34250153563e
  SHA256: 85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654
  SHA512: e3582e0969361d272c2469ce139ec809b9b0ac98fbc5eb5bb287442aed4c6ba69ed8175b68970751c93730cfaf07b75c3bc5e4e24aeda8f984b24f33bb8e3da2
- Filesize: 52KB
  MD5: fd866f6e1b997c31bdb6ba24361663e5
  SHA1: fdf4296522e9ad7ed6d2b7a8aa53debb15566c19
  SHA256: 28875b1d6206e41ddcdbae56c6001915735c08f11f6a77db5a7107a4236afb34
  SHA512: 05e8aeb4d0f318db1943797f22388cbc43432b8206fc2b2a38505f2cacbcf25b7058015ea5e462d1778f20b3b31e256a1747f7416e26a939e5eb60b8664ad49c