Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 146s
- max time network: 174s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/10/2022, 03:17
Static task: static1
Behavioral task: behavioral1
- Sample: 90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0.exe
- Resource: win10v2004-20220812-en
General
- Target: 90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0.exe
- Size: 316KB
- MD5: 4adb9dd246d5349b80bfeee99c8c6360
- SHA1: 996ed961402317d67608ff9b63451fe32321ac5f
- SHA256: 90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0
- SHA512: 7d82a57a3cce198bd7902d26cd90a58e8e2ecb2454953520c691c58a75477abd5e3845dae3d92cd80d4673a61694c56aa26f26fb13534d93bd8f352958b7a9e4
- SSDEEP: 6144:FPeyxTYb+6PZOFyzSOEt5zpaiRhcuGE07v6n7AV:FPbZYbp8FkwNxRhTKj6ng
Malware Config
Signatures
- yara_rule aspack_v212_v242 matched on resources:
  - behavioral2/files/0x0006000000022e25-134.dat
  - behavioral2/files/0x0006000000022e25-135.dat
  - behavioral2/files/0x0007000000022e1a-141.dat
  - behavioral2/files/0x0007000000022e1a-140.dat
- Executes dropped EXE (1 IoC)
  - pid 596, process 7a5d18bd.exe
- Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  - Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll", process 7a5d18bd.exe
- yara_rule upx matched on resources:
  - behavioral2/files/0x0006000000022e25-134.dat
  - behavioral2/files/0x0006000000022e25-135.dat
  - behavioral2/memory/596-136-0x0000000000370000-0x00000000003B8000-memory.dmp
  - behavioral2/memory/596-137-0x0000000000370000-0x00000000003B8000-memory.dmp
  - behavioral2/memory/596-138-0x0000000000370000-0x00000000003B8000-memory.dmp
  - behavioral2/files/0x0007000000022e1a-141.dat
  - behavioral2/memory/628-142-0x0000000074F10000-0x0000000074F58000-memory.dmp
  - behavioral2/memory/628-143-0x0000000074F10000-0x0000000074F58000-memory.dmp
  - behavioral2/files/0x0007000000022e1a-140.dat
  - behavioral2/memory/628-145-0x0000000074F10000-0x0000000074F58000-memory.dmp
- Loads dropped DLL (1 IoC)
  - pid 628, process Svchost.exe
- Drops file in System32 directory (2 IoCs)
  - File opened for modification C:\Windows\SysWOW64\778E0BC0.tmp, process 7a5d18bd.exe
  - File opened for modification C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll, process 7a5d18bd.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - pid 596, process 7a5d18bd.exe
  - pid 596, process 7a5d18bd.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  - pid 4636, process 90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  - pid 4636, process 90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  - PID 4636 wrote to memory of 596 (90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0.exe, procid_target 83)
  - PID 4636 wrote to memory of 596 (90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0.exe, procid_target 83)
  - PID 4636 wrote to memory of 596 (90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0.exe, procid_target 83)
Processes
- C:\Users\Admin\AppData\Local\Temp\90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0.exe (PID 4636)
  Command line: "C:\Users\Admin\AppData\Local\Temp\90842ff5174979bf8370e13bba254e6114a4852b1066593ce75dfb0acbefa3d0.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - Child: C:\7a5d18bd.exe (PID 596)
    Command line: C:\7a5d18bd.exe
    - Executes dropped EXE
    - Sets DLL path for service in the registry
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\Svchost.exe (PID 628)
  Command line: C:\Windows\SysWOW64\Svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
  - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads