Analysis
max time kernel: 150s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/10/2022, 05:07
Static task: static1

Behavioral task: behavioral1
Sample: 710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe
Resource: win10v2004-20220812-en
General
Target: 710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe
Size: 162KB
MD5: 7195d62842154220250c93867baf1bf5
SHA1: bcf17349ecc4d06f38f07c9cc3eafd1303e6e523
SHA256: 710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff
SHA512: c832e015e265367687b62e74bfab20ca9ea6dba939cee718e03c085c7a573e2b15d7e0f29949961ad2302be42c1aaf3cb47eb765b2963a373f3de33bf76fcb49
SSDEEP: 3072:iyH99g4byc6H5c6HcT66vlmm+6zMal04FpFOmal04F3uhUpjBTO+FueB5YJa+a:iyH7xOc6H5c6HcT66vlmuEPOtWYFa
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
pid   Process
1180  svchost.exe
5104  710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe
4952  svchost.exe
Drops file in Program Files directory (25 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe | svchost.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe | svchost.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | svchost.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe | svchost.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | svchost.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | svchost.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\svchost.exe | 710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe
File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | dw20.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeRestorePrivilege | 3892 | dw20.exe
Token: SeBackupPrivilege | 3892 | dw20.exe
Token: SeBackupPrivilege | 3892 | dw20.exe
Token: SeBackupPrivilege | 3892 | dw20.exe
Token: SeBackupPrivilege | 3892 | dw20.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid   Process
5104  710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe
5104  710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe
Suspicious use of SendNotifyMessage (2 IoCs)
pid   Process
5104  710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe
5104  710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 3912 wrote to memory of 1180 | 3912 | 710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe | 83
PID 3912 wrote to memory of 1180 | 3912 | 710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe | 83
PID 3912 wrote to memory of 1180 | 3912 | 710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe | 83
PID 1180 wrote to memory of 5104 | 1180 | svchost.exe | 84
PID 1180 wrote to memory of 5104 | 1180 | svchost.exe | 84
PID 1180 wrote to memory of 5104 | 1180 | svchost.exe | 84
PID 5104 wrote to memory of 3892 | 5104 | 710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe | 88
PID 5104 wrote to memory of 3892 | 5104 | 710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe | 88
PID 5104 wrote to memory of 3892 | 5104 | 710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe | 88
Processes

C:\Users\Admin\AppData\Local\Temp\710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe"
  PID: 3912
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

    C:\Windows\svchost.exe
      Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe"
      PID: 1180
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe"
          PID: 5104
          - Executes dropped EXE
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

            C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
              Command line: dw20.exe -x -s 888
              PID: 3892
              - Drops file in Windows directory
              - Checks processor information in registry
              - Enumerates system info in registry
              - Suspicious use of AdjustPrivilegeToken

C:\Windows\svchost.exe
  Command line: C:\Windows\svchost.exe
  PID: 4952
  - Executes dropped EXE
  - Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\710e501231b759e0678c9b25ca0232bd5dc2b9dcd2f4a849ba0f577c62d106ff.exe
Filesize: 127KB
MD5: c835a420aa809c291ef1f6063fe98550
SHA1: 2c3091affb6ba021964bc717b97dae0debe55194
SHA256: 10e8b508abb60d04e16af96fb53f2e1b9f24913ecd0f5100b0f12717b301a7a5
SHA512: 946fcb39882adbe370c34d342bd0fc77addc3ca0d5527788a1a6c6c15c374a59308de89f1596fb58498fff349ae030ecf5af14c15c2337f0acac52e93621abc0

Filesize: 35KB
MD5: 9e3c13b6556d5636b745d3e466d47467
SHA1: 2ac1c19e268c49bc508f83fe3d20f495deb3e538
SHA256: 20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8
SHA512: 5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b