Analysis
- max time kernel: 112s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/10/2022, 22:54
Behavioral task behavioral1
- Sample: 0f090f139096ab36810df40340799fa15b67619017270f48baaf27221fa905fd.exe
- Resource: win7-20220812-en
Behavioral task behavioral2
- Sample: 0f090f139096ab36810df40340799fa15b67619017270f48baaf27221fa905fd.exe
- Resource: win10v2004-20220812-en
General
- Target: 0f090f139096ab36810df40340799fa15b67619017270f48baaf27221fa905fd.exe
- Size: 163KB
- MD5: a17d65dc6cef4f486d205af380b99ca0
- SHA1: c55de01173c2b517f7018b7ffc45b0161ad846c9
- SHA256: 0f090f139096ab36810df40340799fa15b67619017270f48baaf27221fa905fd
- SHA512: 1aa534fe6bb989e9f3d7d37cfc2f9a16f264fbd0d606e40e7e5a53932fc0b95a91beffc24d3ab66440eb30d796804f965c1dc78ebe206cf65de66c7f81ebe8d4
- SSDEEP: 3072:LzLi6OaU/EmwVan5rUXznzLi6OaU/EmwVan5rUXz:3LUj5AXHLUj5AX
Malware Config
Signatures
- yara_rule matches (resource / rule)
  behavioral2/files/0x000200000001e72a-133.dat  aspack_v212_v242
  behavioral2/files/0x000200000001e72a-134.dat  aspack_v212_v242
- Executes dropped EXE (1 IoC)
  pid / Process
  3868  7a967891.exe
- Sets DLL path for service in the registry (2 TTPs, 14 IoCs)
  description / ioc / Process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"  7a967891.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll"  7a967891.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"  7a967891.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"  7a967891.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LogonHours\Parameters\ServiceDll = "C:\\Windows\\system32\\LogonHours.dll"  7a967891.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"  7a967891.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"  7a967891.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll"  7a967891.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PCAudit\Parameters\ServiceDll = "C:\\Windows\\system32\\PCAudit.dll"  7a967891.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"  7a967891.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"  7a967891.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\helpsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll"  7a967891.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uploadmgr\Parameters\ServiceDll = "C:\\Windows\\system32\\uploadmgr.dll"  7a967891.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"  7a967891.exe
- yara_rule matches (resource / rule)
  behavioral2/files/0x000200000001e72a-133.dat  upx
  behavioral2/files/0x000200000001e72a-134.dat  upx
  behavioral2/memory/3868-135-0x0000000000820000-0x0000000000844000-memory.dmp  upx
  behavioral2/memory/3868-136-0x0000000000820000-0x0000000000844000-memory.dmp  upx
  behavioral2/memory/2200-137-0x0000000000150000-0x0000000000189000-memory.dmp  upx
  behavioral2/memory/3868-138-0x0000000000820000-0x0000000000844000-memory.dmp  upx
  behavioral2/memory/2200-140-0x0000000000150000-0x0000000000189000-memory.dmp  upx
  behavioral2/memory/2200-141-0x0000000000150000-0x0000000000189000-memory.dmp  upx
  behavioral2/memory/2200-144-0x0000000000150000-0x0000000000189000-memory.dmp  upx
- Drops file in System32 directory (16 IoCs)
  description / ioc / Process
  File opened for modification  C:\Windows\SysWOW64\Nla.dll  7a967891.exe
  File opened for modification  C:\Windows\SysWOW64\helpsvc.dll  7a967891.exe
  File opened for modification  C:\Windows\SysWOW64\Ias.dll  7a967891.exe
  File opened for modification  C:\Windows\SysWOW64\Irmon.dll  7a967891.exe
  File opened for modification  C:\Windows\SysWOW64\Nwsapagent.dll  7a967891.exe
  File opened for modification  C:\Windows\SysWOW64\WmdmPmSp.dll  7a967891.exe
  File opened for modification  C:\Windows\SysWOW64\uploadmgr.dll  7a967891.exe
  File opened for modification  C:\Windows\SysWOW64\42670BDC.tmp  0f090f139096ab36810df40340799fa15b67619017270f48baaf27221fa905fd.exe
  File opened for modification  C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll  7a967891.exe
  File opened for modification  C:\Windows\SysWOW64\SRService.dll  7a967891.exe
  File opened for modification  C:\Windows\SysWOW64\LogonHours.dll  7a967891.exe
  File opened for modification  C:\Windows\SysWOW64\64B70BDC.tmp  7a967891.exe
  File opened for modification  C:\Windows\SysWOW64\Ntmssvc.dll  7a967891.exe
  File opened for modification  C:\Windows\SysWOW64\NWCWorkstation.dll  7a967891.exe
  File opened for modification  C:\Windows\SysWOW64\Wmi.dll  7a967891.exe
  File opened for modification  C:\Windows\SysWOW64\PCAudit.dll  7a967891.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid / Process
  3868  7a967891.exe
  3868  7a967891.exe
  2200  0f090f139096ab36810df40340799fa15b67619017270f48baaf27221fa905fd.exe
  2200  0f090f139096ab36810df40340799fa15b67619017270f48baaf27221fa905fd.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description / pid / Process / procid_target
  PID 2200 wrote to memory of 3868  2200  0f090f139096ab36810df40340799fa15b67619017270f48baaf27221fa905fd.exe  80
  PID 2200 wrote to memory of 3868  2200  0f090f139096ab36810df40340799fa15b67619017270f48baaf27221fa905fd.exe  80
  PID 2200 wrote to memory of 3868  2200  0f090f139096ab36810df40340799fa15b67619017270f48baaf27221fa905fd.exe  80
Processes
1. C:\Users\Admin\AppData\Local\Temp\0f090f139096ab36810df40340799fa15b67619017270f48baaf27221fa905fd.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0f090f139096ab36810df40340799fa15b67619017270f48baaf27221fa905fd.exe"
   PID: 2200
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\7a967891.exe
      Command line: C:\7a967891.exe
      PID: 3868
      - Executes dropped EXE
      - Sets DLL path for service in the registry
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 81KB
  MD5: 947dfd23b9d1fb9d0d281bf6eaa1037b
  SHA1: c814dbc75bd66450f1955d482b01447b9f640522
  SHA256: 9938bf5fce7f4742d3fe9bc1562a32f4ceaf9fc688023f8c1c6eee80184dc51b
  SHA512: ed134aab47cb37fa36f710e33cd6745f4461d6d9cd842ea03900c884b218a2af8dde1bb39dcaf54629da3cd8e22274d5cadfe6773732be5b4ea1762a43f2030c