Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
22/09/2022, 10:43
General
-
Target
42738b25ab8ec34a94366e52fcb5ef8ffcc1cb3db9fef55ae3ce54276ed32081.exe
-
Size
723KB
-
MD5
aa3c79bcf7df40db8c880600624583ed
-
SHA1
1e62159655afa8918e12f9af8a160419543c996e
-
SHA256
42738b25ab8ec34a94366e52fcb5ef8ffcc1cb3db9fef55ae3ce54276ed32081
-
SHA512
dfb2e625ee3faca02a0d3a82f810183439dc45c165824949a865778975053ede7553a10f42ac9edea979a38b594e9ba90c8e4580b9a362cd386efea2adeecc40
-
SSDEEP
768:rZmchlXKGREW6VA6joSRhFH+C9Pe2auEqainmngYWxuv8Gwmwoe9R4ZstojtfcWv:schl6M+lpDCUoHid0bIrlyR
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 9 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\42738b25ab8ec34a94366e52fcb5ef8ffcc1cb3db9fef55ae3ce54276ed32081.exe"C:\Users\Admin\AppData\Local\Temp\42738b25ab8ec34a94366e52fcb5ef8ffcc1cb3db9fef55ae3ce54276ed32081.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 12513⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\ProgramData\Dllhost\dllhost.exe"C:\ProgramData\Dllhost\dllhost.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk2567" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk2254" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk644" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk3869" /TR "C:\ProgramData\Dllhost\dllhost.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk3869" /TR "C:\ProgramData\Dllhost\dllhost.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off3⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12514⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off3⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12514⤵
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
915KB
MD521fb723594386c2fd180395455f7d61c
SHA1bbbe7845deeaf3cb7f6471e59931b98469023321
SHA2568a1e66d8c23a8a7c15a6e1bc1cdcbcbafcf5703a6f75d9cfcb8fc9741dc53f4e
SHA512270c57f51ac2ec76f44a32623466d0bc1cba514b30f940bc1f758f3e90580dc379c790157502d0b896c39f8a1c56a5e024e1076663a52289a70a3c58f8e0765e
-
Filesize
915KB
MD521fb723594386c2fd180395455f7d61c
SHA1bbbe7845deeaf3cb7f6471e59931b98469023321
SHA2568a1e66d8c23a8a7c15a6e1bc1cdcbcbafcf5703a6f75d9cfcb8fc9741dc53f4e
SHA512270c57f51ac2ec76f44a32623466d0bc1cba514b30f940bc1f758f3e90580dc379c790157502d0b896c39f8a1c56a5e024e1076663a52289a70a3c58f8e0765e
-
Filesize
497B
MD513fda2ab01b83a5130842a5bab3892d3
SHA16e18e4b467cde054a63a95d4dfc030f156ecd215
SHA25676973d42c8fceceab7ec85b3d01b218db92564993e93a9bea31c52aa73aeee9e
SHA512c51f9fd6e452fbeeedd4dfaba3c7c887e337f01e68abdd27d4032f8be85def7ef3cf0c77bf60e425b085b76c0539464c6b6e5e805a69397c5519e8ccf9fffccc
-
Filesize
2KB
MD51c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
Filesize
18KB
MD5ee45c633f05e7eb6ebfa901756a041e0
SHA1a4f9493d9af9bcb6fd57b164ec1657b1a882202b
SHA256b37ab198f2943d943a3d17951533bd0f808f47c05e2ee4faa54b43838eeb39e3
SHA512776dbb28abd687a62c16d076fefe9a24203772f35a734a4518ff214b00394deb06693a0c9f18715c15e88689eaebbddf294844e3fe1522e50b92608905549aac
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
672KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
5.0MB
-
Filesize
584KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
40KB
-
Filesize
408KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
704KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
1.6MB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
300KB
-
Filesize
112KB
-
Filesize
204KB
-
Filesize
472KB
-
Filesize
120KB
-
Filesize
660KB
-
Filesize
592KB
-
Filesize
104KB
-
Filesize
32KB