Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

1

Static

static

cc6221ecf9...fc.exe

windows7-x64

1

cc6221ecf9...fc.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    111s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/11/2022, 16:50 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cc6221ecf99543eb680ecaa9880cd17510e7deebfe9420e09ddf530bbda727fc.exe

  • Size

    44KB

  • MD5

    0fd5347449481c7d2019529591763680

  • SHA1

    cfaf571f170400a13e1fbf6050f7e466263012d4

  • SHA256

    cc6221ecf99543eb680ecaa9880cd17510e7deebfe9420e09ddf530bbda727fc

  • SHA512

    11cef2472a2ab17cb8b0e540e7f619d08d6043f0c4a1406d05eaffd0fd54000b4292f5ce5e4a984d7e86733c09ec1d195990328a1b181f90ffc8eb265887af5b

  • SSDEEP

    768:85R2Voo2Hace1BxQ3Y+RWleZ8Y6P+N8SsOtmZl9IspEHhUa8:uvwfII+0leVBsxZl2Cur8

Score
1/10

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:668
    • C:\Windows\system32\winlogon.exe
      winlogon.exe
      1⤵
        PID:620
        • C:\Windows\system32\dwm.exe
          "dwm.exe"
          2⤵
            PID:1020
          • C:\Windows\system32\fontdrvhost.exe
            "fontdrvhost.exe"
            2⤵
              PID:784
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
            1⤵
              PID:948
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
              1⤵
                PID:484
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k RPCSS -p
                1⤵
                  PID:896
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k DcomLaunch -p
                  1⤵
                    PID:792
                    • C:\Windows\System32\RuntimeBroker.exe
                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                      2⤵
                        PID:3432
                      • C:\Windows\system32\SppExtComObj.exe
                        C:\Windows\system32\SppExtComObj.exe -Embedding
                        2⤵
                          PID:3712
                        • C:\Windows\system32\wbem\wmiprvse.exe
                          C:\Windows\system32\wbem\wmiprvse.exe
                          2⤵
                            PID:4740
                          • C:\Windows\System32\RuntimeBroker.exe
                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                            2⤵
                              PID:4688
                            • C:\Windows\system32\DllHost.exe
                              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                              2⤵
                                PID:4276
                              • C:\Windows\System32\RuntimeBroker.exe
                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                2⤵
                                  PID:3720
                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                  2⤵
                                    PID:3520
                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                    2⤵
                                      PID:3364
                                    • C:\Windows\system32\DllHost.exe
                                      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                      2⤵
                                        PID:3260
                                    • C:\Windows\system32\fontdrvhost.exe
                                      "fontdrvhost.exe"
                                      1⤵
                                        PID:776
                                      • C:\Windows\System32\svchost.exe
                                        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                        1⤵
                                          PID:400
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                          1⤵
                                            PID:656
                                          • C:\Windows\system32\svchost.exe
                                            C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                            1⤵
                                              PID:984
                                            • C:\Windows\system32\svchost.exe
                                              C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
                                              1⤵
                                                PID:1028
                                              • C:\Windows\system32\svchost.exe
                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                1⤵
                                                  PID:1124
                                                  • C:\Windows\system32\taskhostw.exe
                                                    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                                                    2⤵
                                                      PID:2364
                                                  • C:\Windows\system32\svchost.exe
                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                    1⤵
                                                      PID:1156
                                                    • C:\Windows\system32\svchost.exe
                                                      C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                                      1⤵
                                                        PID:1288
                                                      • C:\Windows\system32\svchost.exe
                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                        1⤵
                                                          PID:1328
                                                          • C:\Windows\system32\sihost.exe
                                                            sihost.exe
                                                            2⤵
                                                              PID:2260
                                                          • C:\Windows\System32\svchost.exe
                                                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                            1⤵
                                                              PID:1604
                                                            • C:\Windows\System32\svchost.exe
                                                              C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                              1⤵
                                                                PID:2080
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
                                                                1⤵
                                                                  PID:1916
                                                                • C:\Windows\System32\svchost.exe
                                                                  C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                                  1⤵
                                                                    PID:1788
                                                                  • C:\Windows\System32\svchost.exe
                                                                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                    1⤵
                                                                      PID:368
                                                                    • C:\Windows\System32\spoolsv.exe
                                                                      C:\Windows\System32\spoolsv.exe
                                                                      1⤵
                                                                        PID:1268
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                        1⤵
                                                                          PID:2752
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                                                          1⤵
                                                                            PID:5008
                                                                          • C:\Windows\System32\svchost.exe
                                                                            C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                            1⤵
                                                                              PID:4388
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                              1⤵
                                                                                PID:2312
                                                                              • C:\Windows\System32\svchost.exe
                                                                                C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                1⤵
                                                                                  PID:1072
                                                                                • C:\Windows\system32\svchost.exe
                                                                                  C:\Windows\system32\svchost.exe -k LocalService -s W32Time
                                                                                  1⤵
                                                                                    PID:3060
                                                                                  • C:\Windows\System32\svchost.exe
                                                                                    C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                    1⤵
                                                                                      PID:4056
                                                                                    • C:\Windows\system32\svchost.exe
                                                                                      C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                      1⤵
                                                                                        PID:480
                                                                                      • C:\Windows\System32\svchost.exe
                                                                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                        1⤵
                                                                                          PID:2376
                                                                                        • C:\Windows\system32\svchost.exe
                                                                                          C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                          1⤵
                                                                                            PID:1612
                                                                                          • C:\Windows\system32\svchost.exe
                                                                                            C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                            1⤵
                                                                                              PID:8
                                                                                            • C:\Windows\Explorer.EXE
                                                                                              C:\Windows\Explorer.EXE
                                                                                              1⤵
                                                                                                PID:3036
                                                                                                • C:\Users\Admin\AppData\Local\Temp\cc6221ecf99543eb680ecaa9880cd17510e7deebfe9420e09ddf530bbda727fc.exe
                                                                                                  "C:\Users\Admin\AppData\Local\Temp\cc6221ecf99543eb680ecaa9880cd17510e7deebfe9420e09ddf530bbda727fc.exe"
                                                                                                  2⤵
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  • Suspicious behavior: MapViewOfSection
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                  PID:4788
                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    3⤵
                                                                                                      PID:2820
                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                                                  1⤵
                                                                                                    PID:2740
                                                                                                  • C:\Windows\System32\svchost.exe
                                                                                                    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                                                    1⤵
                                                                                                      PID:2732
                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                                                      1⤵
                                                                                                        PID:2704
                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                        C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                                                        1⤵
                                                                                                          PID:2652
                                                                                                        • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                          "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                          1⤵
                                                                                                            PID:2644
                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                            C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                                                            1⤵
                                                                                                              PID:2500
                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                                                              1⤵
                                                                                                                PID:2488
                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                                                                1⤵
                                                                                                                  PID:2276
                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                  C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                                                                                  1⤵
                                                                                                                    PID:1944
                                                                                                                  • C:\Windows\System32\svchost.exe
                                                                                                                    C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                                                                                    1⤵
                                                                                                                      PID:1936
                                                                                                                    • C:\Windows\System32\svchost.exe
                                                                                                                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                                                                      1⤵
                                                                                                                        PID:1876
                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                        C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                                                                                        1⤵
                                                                                                                          PID:1868
                                                                                                                        • C:\Windows\System32\svchost.exe
                                                                                                                          C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                                                                                          1⤵
                                                                                                                            PID:1772
                                                                                                                          • C:\Windows\System32\svchost.exe
                                                                                                                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                                                                            1⤵
                                                                                                                              PID:1732
                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                              C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
                                                                                                                              1⤵
                                                                                                                                PID:1636
                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                                                                                                                1⤵
                                                                                                                                  PID:1588
                                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                                                                                                  1⤵
                                                                                                                                    PID:1524
                                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                                    C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                                                                                                                    1⤵
                                                                                                                                      PID:1516
                                                                                                                                    • C:\Windows\System32\svchost.exe
                                                                                                                                      C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                                                                                                                      1⤵
                                                                                                                                        PID:1384
                                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                                        C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                                                                                                                        1⤵
                                                                                                                                          PID:1376
                                                                                                                                        • C:\Windows\System32\svchost.exe
                                                                                                                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                                                                                                                          1⤵
                                                                                                                                            PID:1320

                                                                                                                                          Network

                                                                                                                                            No results found
                                                                                                                                          • 209.197.3.8:80
                                                                                                                                            260 B
                                                                                                                                             5
                                                                                                                                          • 104.80.225.205:443
                                                                                                                                            RuntimeBroker.exe
                                                                                                                                            322 B
                                                                                                                                             7
                                                                                                                                          • 20.42.65.89:443
                                                                                                                                            OfficeClickToRun.exe
                                                                                                                                            322 B
                                                                                                                                             7
                                                                                                                                          • 209.197.3.8:80
                                                                                                                                            CryptSvc
                                                                                                                                            322 B
                                                                                                                                             7
                                                                                                                                          • 209.197.3.8:80
                                                                                                                                            CryptSvc
                                                                                                                                            322 B
                                                                                                                                             7
                                                                                                                                          • 209.197.3.8:80
                                                                                                                                            CryptSvc
                                                                                                                                            322 B
                                                                                                                                             7
                                                                                                                                          • 209.197.3.8:80
                                                                                                                                            CryptSvc
                                                                                                                                            260 B
                                                                                                                                             5
                                                                                                                                          No results found

                                                                                                                                          MITRE ATT&CK Matrix

                                                                                                                                          Replay Monitor

                                                                                                                                          Loading Replay Monitor...

                                                                                                                                          Downloads

                                                                                                                                          • memory/4788-132-0x0000000001000000-0x0000000001010000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            64KB

                                                                                                                                            Download

                                                                                                                                          • memory/4788-133-0x0000000001000000-0x0000000001010000-memory.dmp

                                                                                                                                            Filesize

                                                                                                                                            64KB

                                                                                                                                            Download

                                                                                                                                          We care about your privacy.

                                                                                                                                          This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.