Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

1

Static

static

f7c32381e3...aa.exe

windows7-x64

1

f7c32381e3...aa.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    177s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/11/2022, 16:30 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f7c32381e3b59350ec62352c862dd8f94b6e42c6408dfb94e9fa1b78e7df8aaa.exe

  • Size

    34KB

  • MD5

    092442835094d22f8e3c7a66471d6260

  • SHA1

    7a483e53e82c0605ec28644d12b57383f72d87d6

  • SHA256

    f7c32381e3b59350ec62352c862dd8f94b6e42c6408dfb94e9fa1b78e7df8aaa

  • SHA512

    6a248abfbb7a727177f43f11fec6aa316c62f85962d2fbcf3518975823ecb03cad660e4b93bce9e2328bf37e9b802e8a4ef8654b8b331886bcb6f46575b8af31

  • SSDEEP

    768:g24OpwDjqhhC61J5UKzasTHUWFvhSHpIchakzg7B+xl:nmuhhN1EKztjJq5hn+cx

Score
1/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:664
    • C:\Windows\system32\winlogon.exe
      winlogon.exe
      1⤵
        PID:576
        • C:\Windows\system32\dwm.exe
          "dwm.exe"
          2⤵
            PID:1012
          • C:\Windows\system32\fontdrvhost.exe
            "fontdrvhost.exe"
            2⤵
              PID:768
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
            1⤵
              PID:1156
              • C:\Windows\system32\taskhostw.exe
                taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                2⤵
                  PID:2944
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                1⤵
                  PID:2092
                • C:\Windows\System32\RuntimeBroker.exe
                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                  1⤵
                    PID:3428
                  • C:\Windows\System32\svchost.exe
                    C:\Windows\System32\svchost.exe -k WerSvcGroup
                    1⤵
                      PID:4492
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                      1⤵
                        PID:4512
                      • C:\Windows\System32\svchost.exe
                        C:\Windows\System32\svchost.exe -k netsvcs -p
                        1⤵
                          PID:4260
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalService -s W32Time
                          1⤵
                            PID:3004
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                            1⤵
                              PID:2164
                            • C:\Windows\system32\SppExtComObj.exe
                              C:\Windows\system32\SppExtComObj.exe -Embedding
                              1⤵
                                PID:1596
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                1⤵
                                  PID:3360
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                  1⤵
                                    PID:2260
                                  • C:\Windows\System32\svchost.exe
                                    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                    1⤵
                                      PID:1144
                                    • C:\Windows\System32\RuntimeBroker.exe
                                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                                      1⤵
                                        PID:4748
                                      • C:\Windows\system32\DllHost.exe
                                        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                        1⤵
                                          PID:4412
                                        • C:\Windows\System32\RuntimeBroker.exe
                                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                                          1⤵
                                            PID:3652
                                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                            1⤵
                                              PID:3528
                                            • C:\Users\Admin\AppData\Local\Temp\f7c32381e3b59350ec62352c862dd8f94b6e42c6408dfb94e9fa1b78e7df8aaa.exe
                                              "C:\Users\Admin\AppData\Local\Temp\f7c32381e3b59350ec62352c862dd8f94b6e42c6408dfb94e9fa1b78e7df8aaa.exe"
                                              1⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious behavior: MapViewOfSection
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of WriteProcessMemory
                                              PID:1548
                                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                              1⤵
                                                PID:3368
                                              • C:\Windows\system32\DllHost.exe
                                                C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                1⤵
                                                  PID:3276
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                  1⤵
                                                    PID:3024
                                                  • C:\Windows\Explorer.EXE
                                                    C:\Windows\Explorer.EXE
                                                    1⤵
                                                      PID:760
                                                    • C:\Windows\system32\svchost.exe
                                                      C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                      1⤵
                                                        PID:2852
                                                      • C:\Windows\system32\sihost.exe
                                                        sihost.exe
                                                        1⤵
                                                          PID:2832
                                                        • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                          "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                          1⤵
                                                            PID:2544
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                            1⤵
                                                              PID:2536
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                              1⤵
                                                                PID:2452
                                                              • C:\Windows\System32\svchost.exe
                                                                C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                1⤵
                                                                  PID:2440
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                  1⤵
                                                                    PID:2432
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                    1⤵
                                                                      PID:2400
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                      1⤵
                                                                        PID:2364
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                        1⤵
                                                                          PID:2356
                                                                        • C:\Windows\System32\svchost.exe
                                                                          C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                                          1⤵
                                                                            PID:2108
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
                                                                            1⤵
                                                                              PID:2072
                                                                            • C:\Windows\System32\spoolsv.exe
                                                                              C:\Windows\System32\spoolsv.exe
                                                                              1⤵
                                                                                PID:1420
                                                                              • C:\Windows\System32\svchost.exe
                                                                                C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                                                1⤵
                                                                                  PID:1960
                                                                                • C:\Windows\system32\svchost.exe
                                                                                  C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                                                  1⤵
                                                                                    PID:1948
                                                                                  • C:\Windows\System32\svchost.exe
                                                                                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                                    1⤵
                                                                                      PID:1912
                                                                                    • C:\Windows\system32\svchost.exe
                                                                                      C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                                                      1⤵
                                                                                        PID:1904
                                                                                      • C:\Windows\System32\svchost.exe
                                                                                        C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                                                        1⤵
                                                                                          PID:1784
                                                                                        • C:\Windows\System32\svchost.exe
                                                                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                                          1⤵
                                                                                            PID:1764
                                                                                          • C:\Windows\System32\svchost.exe
                                                                                            C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                                                            1⤵
                                                                                              PID:1664
                                                                                            • C:\Windows\system32\svchost.exe
                                                                                              C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
                                                                                              1⤵
                                                                                                PID:1648
                                                                                              • C:\Windows\System32\svchost.exe
                                                                                                C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                                                                1⤵
                                                                                                  PID:1624
                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                                                                  1⤵
                                                                                                    PID:1528
                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                                                                                    1⤵
                                                                                                      PID:1476
                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                                                                      1⤵
                                                                                                        PID:1456
                                                                                                      • C:\Windows\System32\svchost.exe
                                                                                                        C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                                                                                        1⤵
                                                                                                          PID:1376
                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                          C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                                                                                          1⤵
                                                                                                            PID:1364
                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                            C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                                                                                            1⤵
                                                                                                              PID:1348
                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                                                                              1⤵
                                                                                                                PID:1248
                                                                                                              • C:\Windows\System32\svchost.exe
                                                                                                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                                                                                                1⤵
                                                                                                                  PID:1208
                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                  C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                                                                                                  1⤵
                                                                                                                    PID:1196
                                                                                                                  • C:\Windows\System32\svchost.exe
                                                                                                                    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                                                                    1⤵
                                                                                                                      PID:1052
                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                      C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                                                                                                      1⤵
                                                                                                                        PID:1044
                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                        C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
                                                                                                                        1⤵
                                                                                                                          PID:644
                                                                                                                        • C:\Windows\System32\svchost.exe
                                                                                                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                                                                                                          1⤵
                                                                                                                            PID:688
                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                                                                                            1⤵
                                                                                                                              PID:440
                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                              C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                                                                                              1⤵
                                                                                                                                PID:932
                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                C:\Windows\system32\svchost.exe -k RPCSS -p
                                                                                                                                1⤵
                                                                                                                                  PID:880
                                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                                  C:\Windows\system32\svchost.exe -k DcomLaunch -p
                                                                                                                                  1⤵
                                                                                                                                    PID:780
                                                                                                                                    • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                                      C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                      2⤵
                                                                                                                                        PID:1136
                                                                                                                                    • C:\Windows\system32\fontdrvhost.exe
                                                                                                                                      "fontdrvhost.exe"
                                                                                                                                      1⤵
                                                                                                                                        PID:764

                                                                                                                                      Network

                                                                                                                                      • flag-us
                                                                                                                                        DNS
                                                                                                                                        96.108.152.52.in-addr.arpa
                                                                                                                                        Dnscache
                                                                                                                                        Remote address:
                                                                                                                                        8.8.8.8:53
                                                                                                                                        Request
                                                                                                                                        96.108.152.52.in-addr.arpa
                                                                                                                                        IN PTR
                                                                                                                                        Response
                                                                                                                                      • 93.184.220.29:80
                                                                                                                                        wlidsvc
                                                                                                                                        322 B
                                                                                                                                         7
                                                                                                                                      • 93.184.220.29:80
                                                                                                                                        wlidsvc
                                                                                                                                        260 B
                                                                                                                                         5
                                                                                                                                      • 52.168.112.66:443
                                                                                                                                        OfficeClickToRun.exe
                                                                                                                                        322 B
                                                                                                                                         7
                                                                                                                                      • 8.252.51.254:80
                                                                                                                                        OfficeClickToRun.exe
                                                                                                                                        322 B
                                                                                                                                         7
                                                                                                                                      • 104.80.225.205:443
                                                                                                                                        RuntimeBroker.exe
                                                                                                                                        322 B
                                                                                                                                         7
                                                                                                                                      • 40.125.122.151:443
                                                                                                                                        260 B
                                                                                                                                         5
                                                                                                                                      • 8.8.8.8:53
                                                                                                                                        96.108.152.52.in-addr.arpa
                                                                                                                                        dns
                                                                                                                                        Dnscache
                                                                                                                                        72 B
                                                                                                                                         146 B
                                                                                                                                         1
                                                                                                                                        1

                                                                                                                                        DNS Request

                                                                                                                                        96.108.152.52.in-addr.arpa

                                                                                                                                      MITRE ATT&CK Matrix

                                                                                                                                      Replay Monitor

                                                                                                                                      Loading Replay Monitor...

                                                                                                                                      Downloads

                                                                                                                                      • memory/1548-132-0x0000000001000000-0x000000000100D000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        52KB

                                                                                                                                        Download

                                                                                                                                      • memory/1548-133-0x0000000001000000-0x000000000100D000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        52KB

                                                                                                                                        Download

                                                                                                                                      We care about your privacy.

                                                                                                                                      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.