Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
40s -
max time network
44s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
10/10/2022, 23:56
Static task
static1
Behavioral task
behavioral1
Sample
3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9.exe
Resource
win10v2004-20220812-en
General
-
Target
3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9.exe
-
Size
316KB
-
MD5
4b1a332f822e5a76560a820f8cc926d0
-
SHA1
5d9f4d8bb86f89276484057493473969e5a7464a
-
SHA256
3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9
-
SHA512
7f99397e47392cbfc4a48dc577fd7ea82d538ea35bfc84b16d6211a94ee83c1c9359ede59a2d03bd061bfc34b94662e8a90d0e570561142e2683cee0994997f5
-
SSDEEP
6144:dPeyxTwquPwv0OrVXl7HWrE+icB8aa36OCwb7eEk8vEE+MUyA3:dPbZwBPMHXVHGbKaW60b7eX8vEIA3
Malware Config
Signatures
-
resource yara_rule behavioral1/files/0x000b0000000122d2-55.dat aspack_v212_v242 behavioral1/files/0x000b0000000122d2-62.dat aspack_v212_v242 behavioral1/files/0x00090000000122e8-63.dat aspack_v212_v242 behavioral1/files/0x000a0000000122d6-66.dat aspack_v212_v242 behavioral1/files/0x000a0000000122d6-67.dat aspack_v212_v242 -
Executes dropped EXE 1 IoCs
pid Process 1384 71c069d7.exe -
Sets DLL path for service in the registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll" 71c069d7.exe -
resource yara_rule behavioral1/files/0x000b0000000122d2-55.dat upx behavioral1/memory/1384-58-0x0000000000920000-0x0000000000969000-memory.dmp upx behavioral1/memory/1384-61-0x0000000000920000-0x0000000000969000-memory.dmp upx behavioral1/memory/1384-60-0x0000000000920000-0x0000000000969000-memory.dmp upx behavioral1/files/0x000b0000000122d2-62.dat upx behavioral1/files/0x00090000000122e8-63.dat upx behavioral1/memory/1384-65-0x0000000075270000-0x00000000752D0000-memory.dmp upx behavioral1/files/0x000a0000000122d6-66.dat upx behavioral1/files/0x000a0000000122d6-67.dat upx behavioral1/memory/908-69-0x0000000074BC0000-0x0000000074C09000-memory.dmp upx behavioral1/memory/908-70-0x0000000074BC0000-0x0000000074C09000-memory.dmp upx behavioral1/memory/1384-73-0x0000000000920000-0x0000000000969000-memory.dmp upx behavioral1/memory/908-72-0x0000000074BC0000-0x0000000074C09000-memory.dmp upx -
Loads dropped DLL 2 IoCs
pid Process 1384 71c069d7.exe 908 Svchost.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\1A2705A4.tmp 71c069d7.exe File opened for modification C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll 71c069d7.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1384 71c069d7.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1112 3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 1112 3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1112 wrote to memory of 1384 1112 3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9.exe 26 PID 1112 wrote to memory of 1384 1112 3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9.exe 26 PID 1112 wrote to memory of 1384 1112 3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9.exe 26 PID 1112 wrote to memory of 1384 1112 3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9.exe 26
Processes
-
C:\Users\Admin\AppData\Local\Temp\3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9.exe"C:\Users\Admin\AppData\Local\Temp\3cadee91361fe4e96b078508fcca9ce806fd830a0256edb9c166b3b575e00fe9.exe"1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\71c069d7.exeC:\71c069d7.exe2⤵
- Executes dropped EXE
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1384
-
-
C:\Windows\SysWOW64\Svchost.exeC:\Windows\SysWOW64\Svchost.exe -k netsvcs1⤵
- Loads dropped DLL
PID:908
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
225KB
MD510be9a26093a6a446de4fc9b759c410b
SHA15a2ad24a3502bc32533f02044fb44f0def15513c
SHA256ac86fbb6bd701b7767d28a60769786ca6dd413785b2a5d8bed890b4d78b255b0
SHA5123ffe6b2b2ba943238880a59ba3a3562799568d0636f1b91dd0e934579e7bd66a086b45d8d6ccc8969b85c42fa382bd05fe89d1524d18bdb6cb3e03f7271dd9f2
-
Filesize
225KB
MD510be9a26093a6a446de4fc9b759c410b
SHA15a2ad24a3502bc32533f02044fb44f0def15513c
SHA256ac86fbb6bd701b7767d28a60769786ca6dd413785b2a5d8bed890b4d78b255b0
SHA5123ffe6b2b2ba943238880a59ba3a3562799568d0636f1b91dd0e934579e7bd66a086b45d8d6ccc8969b85c42fa382bd05fe89d1524d18bdb6cb3e03f7271dd9f2
-
Filesize
724B
MD57521707e1fa1dd6d38f99ecc009546b0
SHA1888d97f03cdbcf3a8dcd90a4b51a0ff2afc8c852
SHA256832a2d3575ee021a805edbdb8be768ccc5812e6f2b9e8f8609585f72fe02ae9f
SHA5126cb3fee8ddba1d1b2a558058f27f8184279f3d7c3559575b8535e1d402b40cffdaf2098ccccde237f90354ccb00fe02036d369fd8da8e176da529bc0a7ce9c3d
-
Filesize
225KB
MD5747ecef3bc851ae360714164035f25cf
SHA10baee203020f8c2a3f340a61e97b1182420004bb
SHA25612bed65fcebacae59487515d0d9389b45a77528bf4a9192f4e21647409dbdd25
SHA51283373165ba0aa27cb35181bec2846fa91145b7910450ad2faa19d7e252205bfd1748e71af8f881bee47a871902653f042b7259343b594279e6b7e2ed63ee6f41
-
Filesize
225KB
MD5747ecef3bc851ae360714164035f25cf
SHA10baee203020f8c2a3f340a61e97b1182420004bb
SHA25612bed65fcebacae59487515d0d9389b45a77528bf4a9192f4e21647409dbdd25
SHA51283373165ba0aa27cb35181bec2846fa91145b7910450ad2faa19d7e252205bfd1748e71af8f881bee47a871902653f042b7259343b594279e6b7e2ed63ee6f41
-
Filesize
225KB
MD5747ecef3bc851ae360714164035f25cf
SHA10baee203020f8c2a3f340a61e97b1182420004bb
SHA25612bed65fcebacae59487515d0d9389b45a77528bf4a9192f4e21647409dbdd25
SHA51283373165ba0aa27cb35181bec2846fa91145b7910450ad2faa19d7e252205bfd1748e71af8f881bee47a871902653f042b7259343b594279e6b7e2ed63ee6f41