Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
115s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
11/10/2022, 22:30
Static task
static1
Behavioral task
behavioral1
Sample
ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530.exe
Resource
win10v2004-20220812-en
General
-
Target
ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530.exe
-
Size
260KB
-
MD5
7754d0298a654d770bf3495b02acc540
-
SHA1
39e8753098fa0e7a69e17369941695032253bb82
-
SHA256
ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530
-
SHA512
b6be4fd3e3af371ca170c3d047cf82784fca60610194eb7fe3661986ec4b0d1fd0568cf10dd0d7543e975234c1bde08f7c64e2dd7034b68ce2633b47acbd00dc
-
SSDEEP
6144:zv0lxQwhXPv8m9pEUFhuoY8laLSWmH60HwYg6YtU:zcHPUChkl/lj6Y
Malware Config
Signatures
-
resource yara_rule behavioral2/files/0x0009000000022df5-135.dat aspack_v212_v242 behavioral2/files/0x0009000000022df5-134.dat aspack_v212_v242 behavioral2/files/0x0009000000022df7-141.dat aspack_v212_v242 behavioral2/files/0x0009000000022df7-140.dat aspack_v212_v242 -
Executes dropped EXE 1 IoCs
pid Process 3900 15256b0b.exe -
Sets DLL path for service in the registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll" 15256b0b.exe -
resource yara_rule behavioral2/files/0x0009000000022df5-135.dat upx behavioral2/files/0x0009000000022df5-134.dat upx behavioral2/memory/3900-136-0x0000000000E30000-0x0000000000E78000-memory.dmp upx behavioral2/memory/3900-137-0x0000000000E30000-0x0000000000E78000-memory.dmp upx behavioral2/memory/3900-138-0x0000000000E30000-0x0000000000E78000-memory.dmp upx behavioral2/files/0x0009000000022df7-141.dat upx behavioral2/memory/3524-142-0x0000000074E10000-0x0000000074E58000-memory.dmp upx behavioral2/memory/3524-143-0x0000000074E10000-0x0000000074E58000-memory.dmp upx behavioral2/files/0x0009000000022df7-140.dat upx behavioral2/memory/3524-145-0x0000000074E10000-0x0000000074E58000-memory.dmp upx -
Loads dropped DLL 1 IoCs
pid Process 3524 Svchost.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\58B10948.tmp 15256b0b.exe File opened for modification C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll 15256b0b.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3900 15256b0b.exe 3900 15256b0b.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4292 wrote to memory of 3900 4292 ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530.exe 78 PID 4292 wrote to memory of 3900 4292 ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530.exe 78 PID 4292 wrote to memory of 3900 4292 ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530.exe 78
Processes
-
C:\Users\Admin\AppData\Local\Temp\ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530.exe"C:\Users\Admin\AppData\Local\Temp\ff468c90ad081738dc369b602dc00fb24257c804800ce9107fbcc5c7cf3ee530.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\15256b0b.exeC:\15256b0b.exe2⤵
- Executes dropped EXE
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3900
-
-
C:\Windows\SysWOW64\Svchost.exeC:\Windows\SysWOW64\Svchost.exe -k netsvcs -s FastUserSwitchingCompatibility1⤵
- Loads dropped DLL
PID:3524
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
223KB
MD513b9957d21567562146e0e20387cf309
SHA130b1891f3ca0803946f620c90778c14b61b5cb15
SHA256e44b15602f4814f952b9e3d93806c39ccf3213120ce7c8037798a41a6d0e825b
SHA5125f1d9278906411350d00b1ce302da41fe17bbed891147422188ffc207cfe93a0dc3b74a6d9eeed3934d85950b60393712bd5d75a08843d01e99ce42f114b1cae
-
Filesize
223KB
MD513b9957d21567562146e0e20387cf309
SHA130b1891f3ca0803946f620c90778c14b61b5cb15
SHA256e44b15602f4814f952b9e3d93806c39ccf3213120ce7c8037798a41a6d0e825b
SHA5125f1d9278906411350d00b1ce302da41fe17bbed891147422188ffc207cfe93a0dc3b74a6d9eeed3934d85950b60393712bd5d75a08843d01e99ce42f114b1cae
-
Filesize
724B
MD5e64ec1c0b0c4b890d0fa572c836fc669
SHA16d37689f209e19c15ac7e796a280a455573903bb
SHA256532f312d157fd765f7f5e8c0f0c2214b8b53cb03c5e91beba24e868193be6706
SHA512fdc69a22e702472d9573fb527d77572ac0e160645646d41776868caaf13fb10be33bdc5b0c3faee252dabe28448966ec8cca89c57a53ce1336d4c543af026d6a
-
Filesize
223KB
MD5191561a679cd0bad0b58845c16c17d62
SHA11eb19c5039138e84ece4d093316fcb140b1c4f0f
SHA25672881a84e247aec3c0b12571a9ee841db81bb0f97791a517e710dcece37a84c6
SHA5128fb0f50120c9ee7e11c5fd57995bc4e6c55a06255327b001234118c379fcb9e121db6f1e9ea7c0e219b37679eac4cdf041e9cdb0fbf8bd6ddf5e874f41ba61f7
-
Filesize
223KB
MD5191561a679cd0bad0b58845c16c17d62
SHA11eb19c5039138e84ece4d093316fcb140b1c4f0f
SHA25672881a84e247aec3c0b12571a9ee841db81bb0f97791a517e710dcece37a84c6
SHA5128fb0f50120c9ee7e11c5fd57995bc4e6c55a06255327b001234118c379fcb9e121db6f1e9ea7c0e219b37679eac4cdf041e9cdb0fbf8bd6ddf5e874f41ba61f7