Analysis
max time kernel: 152s
max time network: 181s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2022, 00:21
Static task: static1
Behavioral task: behavioral1
  Sample: 12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe
  Resource: win10v2004-20220901-en
General
Target: 12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe
Size: 647KB
MD5: 6964ee62d4beebd5da6f288350db6b10
SHA1: 91f59ee4f3589c4579cbf53bd5e62e583b8e265d
SHA256: 12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066
SHA512: 1033c4a13e11ba0bd6b16e4187bd709620ab161f44b35bbc322c61d8b63d3ad35af3c85d3738fd120f125fd3aac1e873e71ff1d6af6e3d3f2ba7f68786ab8fd9
SSDEEP: 6144:HyH7xOc6H5c6HcT66vlmQ6C/uT4HJJJJJJDa8Fc3pGNWXcIPNaAar8Qa:Ha/a5b4Zov
Signatures
Executes dropped EXE 3 IoCs
  pid   Process
  840   svchost.exe
  4664  12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe
  1528  svchost.exe
Loads dropped DLL 1 IoCs
  pid   Process
  4664  12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe
Drops file in Program Files directory 64 IoCs
  description                   ioc                                                                                   Process
  File opened for modification  C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE                  svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe                                     svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe                                         svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe                                       svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe                                         svchost.exe
  File opened for modification  C:\Program Files\7-Zip\7zFM.exe                                                       svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe                                    svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe                                   svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe                                  svchost.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe        svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe                                       svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe                                        svchost.exe
  File opened for modification  C:\Program Files\7-Zip\7zG.exe                                                        svchost.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe          svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe                                        svchost.exe
  File opened for modification  C:\Program Files\7-Zip\Uninstall.exe                                                  svchost.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe        svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe                                   svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe                                     svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe                                svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe                                   svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe                                   svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe                                         svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe                                       svchost.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe   svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe                                         svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe                                    svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe                                        svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe                                        svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe                                 svchost.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe            svchost.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe      svchost.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe      svchost.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe        svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe                                      svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe                                     svchost.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe             svchost.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe            svchost.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\chrome.exe                                 svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe                                   svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe                                         svchost.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe         svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe                                      svchost.exe
  File opened for modification  C:\Program Files\7-Zip\7z.exe                                                         svchost.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe        svchost.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE                    svchost.exe
  File opened for modification  C:\Program Files\Google\Chrome\Application\chrome_proxy.exe                           svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe                                       svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe                                   svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe                                        svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe                                       svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe                                    svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe                              svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe                                       svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe                                       svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe                                        svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe                                  svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe                                svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe                                        svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe                                       svchost.exe
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe             svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe                                        svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\java.exe                                        svchost.exe
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe                                       svchost.exe
Drops file in Windows directory 1 IoCs
  description   ioc                     Process
  File created  C:\Windows\svchost.exe  12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
  description                         pid   Process
  Token: 33                           4884  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege   4884  AUDIODG.EXE
Suspicious use of WriteProcessMemory 6 IoCs
  description                       pid   Process                                                                 procid_target
  PID 1676 wrote to memory of 840   1676  12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe  84
  PID 1676 wrote to memory of 840   1676  12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe  84
  PID 1676 wrote to memory of 840   1676  12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe  84
  PID 840 wrote to memory of 4664   840   svchost.exe                                                             85
  PID 840 wrote to memory of 4664   840   svchost.exe                                                             85
  PID 840 wrote to memory of 4664   840   svchost.exe                                                             85
Processes
C:\Users\Admin\AppData\Local\Temp\12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 1676
  C:\Windows\svchost.exe
    Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 840
    C:\Users\Admin\AppData\Local\Temp\12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      PID: 4664

C:\Windows\svchost.exe
  Command line: C:\Windows\svchost.exe
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID: 1528

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x528 0x51c
  - Suspicious use of AdjustPrivilegeToken
  PID: 4884
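The process tree and signature tables above carry three hunting leads a practitioner would want to automate: a binary named svchost.exe created and run from C:\Windows rather than a system directory, WriteProcessMemory from the sample into that copy and from the copy into a re-launched sample, and one process opening dozens of executables under Program Files for modification. The script below is an added example, not Triage's code and not part of this report: it parses the report's flattened signature rows and applies those three checks. The sample input is copied from the report's tables; the SYSTEM_BINARIES set, the SYSTEM_DIRS prefixes and the modification threshold are assumptions chosen for illustration.

```python
import re
from collections import Counter

SAMPLE = "12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe"

# Constructed input: the report's "Suspicious use of WriteProcessMemory" table,
# flattened onto one line as the page extraction shows it. Each event appears
# more than once there; the duplicates are kept so the parser has to de-duplicate.
WPM_LINE = (
    f"PID 1676 wrote to memory of 840 1676 {SAMPLE} 84 "
    f"PID 1676 wrote to memory of 840 1676 {SAMPLE} 84 "
    f"PID 840 wrote to memory of 4664 840 svchost.exe 85 "
    f"PID 840 wrote to memory of 4664 840 svchost.exe 85"
)

# Constructed input: a subset of the report's file-system IoCs as (action, path, process).
FILE_EVENTS = [
    ("File created", "C:\\Windows\\svchost.exe", SAMPLE),
    ("File opened for modification", "C:\\Program Files\\7-Zip\\7zFM.exe", "svchost.exe"),
    ("File opened for modification", "C:\\Program Files\\7-Zip\\7zG.exe", "svchost.exe"),
    ("File opened for modification", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "svchost.exe"),
    ("File opened for modification", "C:\\Program Files\\Java\\jdk1.8.0_66\\bin\\java.exe", "svchost.exe"),
    ("File opened for modification", "C:\\Program Files\\Java\\jdk1.8.0_66\\bin\\javac.exe", "svchost.exe"),
]

# The report's Processes section: pid -> image path.
PROCESSES = {
    1676: "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
    840: "C:\\Windows\\svchost.exe",
    4664: "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
    1528: "C:\\Windows\\svchost.exe",
    4884: "C:\\Windows\\system32\\AUDIODG.EXE",
}

# Row layout: "PID <src> wrote to memory of <dst> <src> <source image> <procid_target>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def parse_wpm(line):
    """Return de-duplicated (source_pid, target_pid, source_image) triples in report order."""
    seen, events = set(), []
    for src, dst, image, _target_procid in WPM_RE.findall(line):
        ev = (int(src), int(dst), image)
        if ev not in seen:
            seen.add(ev)
            events.append(ev)
    return events


# Assumption: these names are only legitimate under the Windows system directories.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def masquerading_processes(processes):
    """PIDs whose image name is a system binary but whose path is outside SYSTEM_DIRS."""
    hits = []
    for pid, path in sorted(processes.items()):
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        if name in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIRS):
            hits.append(pid)
    return hits


def bulk_exe_modifiers(events, threshold=3):
    """Processes that open at least `threshold` .exe files under Program Files for modification.

    The threshold is an assumption; the report's svchost.exe copy hit 64 files.
    """
    counts = Counter()
    for action, path, process in events:
        low = path.lower()
        if (action == "File opened for modification"
                and low.startswith("c:\\program files") and low.endswith(".exe")):
            counts[process] += 1
    return {proc: n for proc, n in counts.items() if n >= threshold}


def process_chain(wpm_events, root):
    """Follow source->target WriteProcessMemory edges from `root`, first child at each step."""
    children = {}
    for src, dst, _image in wpm_events:
        children.setdefault(src, []).append(dst)
    chain, pid = [root], root
    while pid in children:
        pid = children[pid][0]
        if pid in chain:  # guard against cycles in malformed input
            break
        chain.append(pid)
    return chain


if __name__ == "__main__":
    events = parse_wpm(WPM_LINE)
    print("WriteProcessMemory chain from the sample:", process_chain(events, 1676))
    print("system binary names outside system dirs:", masquerading_processes(PROCESSES))
    print("bulk Program Files .exe modifiers:", bulk_exe_modifiers(FILE_EVENTS))
```

On the report's data the chain comes out as 1676 -> 840 -> 4664 (sample, dropped C:\Windows\svchost.exe, re-launched sample), both svchost.exe instances (840 and 1528) are flagged for running outside System32/SysWOW64, and the dropped copy is the only bulk modifier. The same three checks map directly onto endpoint telemetry (process creation with image path, cross-process memory writes, file open-for-write on executables), so the functions can be pointed at real logs once the input tuples are built from them.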
Downloads
C:\Users\Admin\AppData\Local\Temp\12f0731f3e455cf84877e05ccbc8eb5ea5a5e58433a5e50aaa20936476f0e066.exe
  Filesize: 612KB
  MD5: 97ea456e257b71cec2b36000d66a2cdc
  SHA1: 3aedb25f95ddcf9c9697c2221f03a77e6bac512f
  SHA256: a95dd946acbe215a4bd9e214e42829a515283da5c85884f00a2004b4ee903bbf
  SHA512: 4b0f2a5a36adb39f0646fd52d7ac53c1fb3528fe9a3fbd226353ec6d81eefddefa92d0914b4c42797caae67c8c6ae41b08800975b39f6a5e4608fe77dab2d296

(no path recorded)
  Filesize: 9KB
  MD5: 780d14604d49e3c634200c523def8351
  SHA1: e208ef6f421d2260070a9222f1f918f1de0a8eeb
  SHA256: 844eb66a10b848d3a71a8c63c35f0a01550a46d2ff8503e2ca8947978b03b4d2
  SHA512: a49c030f11da8f0cdc4205c86bec00653ec2f8899983cad9d7195fd23255439291aaec5a7e128e1a103efd93b8566e86f15af89eba4efebf9debce14a7a5564b

(no path recorded)
  Filesize: 35KB
  MD5: a2dcf14a9e2b1003b484fa7b3203f168
  SHA1: 8da3c84acbeaa3dc76a2ceff518460ae37a12089
  SHA256: 5980affb855b100280a2d82a0bc56feb6c5121e3ec0d15869def2c37c6390c5d
  SHA512: 8ffbb737a4a6b8ca2a27b0ec47c53e1aed90d626725e91f4d97228deeb03aff3b60be4ef004b83d2368ec54da448d32befb5655613cabfb7a752cfcdd9e2855a