Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

1

Static

static

9d38e91757...99.exe

windows7-x64

9d38e91757...99.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    152s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/11/2022, 17:13 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9d38e91757b5aae61ee2197747010adb9c650f4ff82eb8bc5cb9d246d124d199.exe

  • Size

    46KB

  • MD5

    059132220573a0a7b40771fd98741f60

  • SHA1

    677b871b691a8bf8b4992a369bb23a2c77e6e8db

  • SHA256

    9d38e91757b5aae61ee2197747010adb9c650f4ff82eb8bc5cb9d246d124d199

  • SHA512

    0cf095fd2134547c525dd17e05debbc1b49e9b25e6de14c8cec113ab5b3915c10460d1eeda5b39b0bf474d2be05ebc75feb42052c8c1c9539c58f923fb92714d

  • SSDEEP

    768:VG3emjLYAhSn98/KWb5NtaR06hUaGYs3yo66oQ8+fJaG:VGOmAN9cK8taRFtG5xa

Score
1/10

Malware Config

Signatures

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 64 IoCs
  • Suspicious behavior: MapViewOfSection 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:656
    • C:\Windows\system32\winlogon.exe
      winlogon.exe
      1⤵
        PID:600
        • C:\Windows\system32\dwm.exe
          "dwm.exe"
          2⤵
            PID:1016
          • C:\Windows\system32\fontdrvhost.exe
            "fontdrvhost.exe"
            2⤵
              PID:768
            • C:\Windows\system32\LogonUI.exe
              "LogonUI.exe" /flags:0x4 /state0:0xa39f0055 /state1:0x41c64e6d
              2⤵
              • Modifies data under HKEY_USERS
              • Suspicious use of SetWindowsHookEx
              PID:2988
          • C:\Windows\system32\fontdrvhost.exe
            "fontdrvhost.exe"
            1⤵
              PID:760
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
              1⤵
                PID:1184
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                1⤵
                  PID:1624
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                  1⤵
                    PID:1900
                  • C:\Windows\System32\RuntimeBroker.exe
                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                    1⤵
                      PID:3404
                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                      1⤵
                        PID:3484
                      • C:\Windows\system32\DllHost.exe
                        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                        1⤵
                          PID:4472
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                          1⤵
                            PID:2448
                          • C:\Windows\System32\RuntimeBroker.exe
                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                            1⤵
                              PID:4948
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalService -s W32Time
                              1⤵
                                PID:8
                              • C:\Windows\system32\SppExtComObj.exe
                                C:\Windows\system32\SppExtComObj.exe -Embedding
                                1⤵
                                  PID:2332
                                • C:\Windows\system32\wbem\wmiprvse.exe
                                  C:\Windows\system32\wbem\wmiprvse.exe
                                  1⤵
                                    PID:1300
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                    1⤵
                                      PID:436
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                      1⤵
                                        PID:4168
                                      • C:\Windows\System32\svchost.exe
                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                        1⤵
                                          PID:2720
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                          1⤵
                                            PID:3864
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k netsvcs -p
                                            1⤵
                                              PID:5068
                                            • C:\Windows\System32\RuntimeBroker.exe
                                              C:\Windows\System32\RuntimeBroker.exe -Embedding
                                              1⤵
                                                PID:3668
                                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                1⤵
                                                  PID:3340
                                                • C:\Windows\system32\DllHost.exe
                                                  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                  1⤵
                                                    PID:3244
                                                  • C:\Windows\system32\svchost.exe
                                                    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                    1⤵
                                                      PID:752
                                                    • C:\Windows\Explorer.EXE
                                                      C:\Windows\Explorer.EXE
                                                      1⤵
                                                        PID:3060
                                                        • C:\Users\Admin\AppData\Local\Temp\9d38e91757b5aae61ee2197747010adb9c650f4ff82eb8bc5cb9d246d124d199.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\9d38e91757b5aae61ee2197747010adb9c650f4ff82eb8bc5cb9d246d124d199.exe"
                                                          2⤵
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious behavior: MapViewOfSection
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • Suspicious use of WriteProcessMemory
                                                          PID:796
                                                          • C:\Windows\System32\Conhost.exe
                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            3⤵
                                                              PID:2164
                                                        • C:\Windows\system32\svchost.exe
                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                          1⤵
                                                            PID:2700
                                                          • C:\Windows\System32\svchost.exe
                                                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                            1⤵
                                                              PID:2684
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                              1⤵
                                                                PID:2676
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                1⤵
                                                                  PID:2640
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                  1⤵
                                                                    PID:2576
                                                                  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                    1⤵
                                                                      PID:2568
                                                                    • C:\Windows\system32\taskhostw.exe
                                                                      taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                                                                      1⤵
                                                                        PID:2420
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                        1⤵
                                                                          PID:2400
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                          1⤵
                                                                            PID:2392
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                            1⤵
                                                                              PID:2336
                                                                            • C:\Windows\system32\sihost.exe
                                                                              sihost.exe
                                                                              1⤵
                                                                                PID:2304
                                                                              • C:\Windows\System32\svchost.exe
                                                                                C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                                                1⤵
                                                                                  PID:2120
                                                                                • C:\Windows\system32\svchost.exe
                                                                                  C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
                                                                                  1⤵
                                                                                    PID:2064
                                                                                  • C:\Windows\System32\spoolsv.exe
                                                                                    C:\Windows\System32\spoolsv.exe
                                                                                    1⤵
                                                                                      PID:1800
                                                                                    • C:\Windows\System32\svchost.exe
                                                                                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                                      1⤵
                                                                                        PID:1440
                                                                                      • C:\Windows\System32\svchost.exe
                                                                                        C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                                                        1⤵
                                                                                          PID:2016
                                                                                        • C:\Windows\system32\svchost.exe
                                                                                          C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                                                          1⤵
                                                                                            PID:1936
                                                                                          • C:\Windows\system32\svchost.exe
                                                                                            C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                                                            1⤵
                                                                                              PID:1892
                                                                                            • C:\Windows\System32\svchost.exe
                                                                                              C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                                                              1⤵
                                                                                                PID:1820
                                                                                              • C:\Windows\System32\svchost.exe
                                                                                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                                                1⤵
                                                                                                  PID:1780
                                                                                                • C:\Windows\System32\svchost.exe
                                                                                                  C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                                                                  1⤵
                                                                                                    PID:1692
                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                    C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
                                                                                                    1⤵
                                                                                                      PID:1640
                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                      C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                                                                                      1⤵
                                                                                                        PID:1544
                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                                                                        1⤵
                                                                                                          PID:1536
                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                          C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                                                                                          1⤵
                                                                                                            PID:1508
                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                                                                            1⤵
                                                                                                              PID:1420
                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                              C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                                                                                              1⤵
                                                                                                                PID:1352
                                                                                                              • C:\Windows\System32\svchost.exe
                                                                                                                C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                                                                                                1⤵
                                                                                                                  PID:1344
                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                  C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                                                                                                  1⤵
                                                                                                                    PID:1288
                                                                                                                  • C:\Windows\System32\svchost.exe
                                                                                                                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                                                                                                    1⤵
                                                                                                                      PID:1280
                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                      C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
                                                                                                                      1⤵
                                                                                                                        PID:1100
                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                                                                                        1⤵
                                                                                                                          PID:1064
                                                                                                                        • C:\Windows\System32\svchost.exe
                                                                                                                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                                                                          1⤵
                                                                                                                            PID:1052
                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                            C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                                                                                                            1⤵
                                                                                                                              PID:644
                                                                                                                            • C:\Windows\System32\svchost.exe
                                                                                                                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                                                                                                              1⤵
                                                                                                                                PID:736
                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                                                                                                1⤵
                                                                                                                                  PID:332
                                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                                  C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                                                                                                  1⤵
                                                                                                                                    PID:940
                                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                                    C:\Windows\system32\svchost.exe -k RPCSS -p
                                                                                                                                    1⤵
                                                                                                                                      PID:888
                                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                                      C:\Windows\system32\svchost.exe -k DcomLaunch -p
                                                                                                                                      1⤵
                                                                                                                                        PID:776

                                                                                                                                      Network

                                                                                                                                        No results found
                                                                                                                                      • 104.110.191.133:80
                                                                                                                                        CryptSvc
                                                                                                                                        260 B
                                                                                                                                         5
                                                                                                                                      • 93.184.220.29:80
                                                                                                                                        wlidsvc
                                                                                                                                        322 B
                                                                                                                                         7
                                                                                                                                      • 104.110.191.140:80
                                                                                                                                        CryptSvc
                                                                                                                                        260 B
                                                                                                                                         5
                                                                                                                                      • 20.42.65.89:443
                                                                                                                                        OfficeClickToRun.exe
                                                                                                                                        322 B
                                                                                                                                         7
                                                                                                                                      • 52.109.8.86:443
                                                                                                                                        40 B
                                                                                                                                         1
                                                                                                                                      • 104.110.191.133:80
                                                                                                                                        CryptSvc
                                                                                                                                        322 B
                                                                                                                                         7
                                                                                                                                      • 104.110.191.133:80
                                                                                                                                        CryptSvc
                                                                                                                                        322 B
                                                                                                                                         7
                                                                                                                                      No results found

                                                                                                                                      MITRE ATT&CK Matrix

                                                                                                                                      Replay Monitor

                                                                                                                                      Loading Replay Monitor...

                                                                                                                                      Downloads

                                                                                                                                      • memory/796-132-0x0000000001000000-0x000000000100F000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        60KB

                                                                                                                                        Download

                                                                                                                                      We care about your privacy.

                                                                                                                                      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.