Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
91s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
06/11/2022, 20:19
Static task
static1
Behavioral task
behavioral1
Sample
1d34929f5a27078bcf706693ac2b3768aa7f0893bde449f2df7e55803acdc79b.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
1d34929f5a27078bcf706693ac2b3768aa7f0893bde449f2df7e55803acdc79b.exe
Resource
win10v2004-20220812-en
General
-
Target
1d34929f5a27078bcf706693ac2b3768aa7f0893bde449f2df7e55803acdc79b.exe
-
Size
256KB
-
MD5
0e0b31ac867bf65d90e19a4b35576e40
-
SHA1
c4a299775fc065d15cba2023567417084b77dd18
-
SHA256
1d34929f5a27078bcf706693ac2b3768aa7f0893bde449f2df7e55803acdc79b
-
SHA512
77b44ea778952b2831ea46458f828fff04278e68611f00729728355f069ed967e489d152e32efa8545af8dcbe6af4e87bc22f6f8bac1b0a1fccf6a5b08cc9ad5
-
SSDEEP
6144:bvqyTM5nSOEt5zpaiRhcuGE07v6+uMHWzIH:brQ3wNxRhTKj6oHZ
Malware Config
Signatures
-
resource yara_rule behavioral2/files/0x0007000000022f67-134.dat aspack_v212_v242 behavioral2/files/0x0007000000022f67-135.dat aspack_v212_v242 behavioral2/files/0x0006000000022f6a-140.dat aspack_v212_v242 behavioral2/files/0x0006000000022f6a-141.dat aspack_v212_v242 -
Executes dropped EXE 1 IoCs
pid Process 1044 78d26152.exe -
Sets DLL path for service in the registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll" 78d26152.exe -
resource yara_rule behavioral2/files/0x0007000000022f67-134.dat upx behavioral2/files/0x0007000000022f67-135.dat upx behavioral2/memory/1044-137-0x0000000000E00000-0x0000000000E47000-memory.dmp upx behavioral2/memory/1044-136-0x0000000000E00000-0x0000000000E47000-memory.dmp upx behavioral2/memory/1044-138-0x0000000000E00000-0x0000000000E47000-memory.dmp upx behavioral2/files/0x0006000000022f6a-140.dat upx behavioral2/files/0x0006000000022f6a-141.dat upx behavioral2/memory/3168-142-0x0000000075730000-0x0000000075777000-memory.dmp upx behavioral2/memory/3168-143-0x0000000075730000-0x0000000075777000-memory.dmp upx behavioral2/memory/3168-144-0x0000000075730000-0x0000000075777000-memory.dmp upx behavioral2/memory/1044-146-0x0000000000E00000-0x0000000000E47000-memory.dmp upx behavioral2/memory/3168-147-0x0000000075730000-0x0000000075777000-memory.dmp upx -
Loads dropped DLL 1 IoCs
pid Process 3168 Svchost.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll 78d26152.exe File opened for modification C:\Windows\SysWOW64\316D0BE4.tmp 78d26152.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1044 78d26152.exe 1044 78d26152.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4444 wrote to memory of 1044 4444 1d34929f5a27078bcf706693ac2b3768aa7f0893bde449f2df7e55803acdc79b.exe 78 PID 4444 wrote to memory of 1044 4444 1d34929f5a27078bcf706693ac2b3768aa7f0893bde449f2df7e55803acdc79b.exe 78 PID 4444 wrote to memory of 1044 4444 1d34929f5a27078bcf706693ac2b3768aa7f0893bde449f2df7e55803acdc79b.exe 78
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d34929f5a27078bcf706693ac2b3768aa7f0893bde449f2df7e55803acdc79b.exe"C:\Users\Admin\AppData\Local\Temp\1d34929f5a27078bcf706693ac2b3768aa7f0893bde449f2df7e55803acdc79b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\78d26152.exeC:\78d26152.exe2⤵
- Executes dropped EXE
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1044
-
-
C:\Windows\SysWOW64\Svchost.exeC:\Windows\SysWOW64\Svchost.exe -k netsvcs -s FastUserSwitchingCompatibility1⤵
- Loads dropped DLL
PID:3168
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
221KB
MD5b3d1699bac5f4682cda6ca7676f8d333
SHA1009fae507bc8b45b2a6e4f6e3753f60c96d3d692
SHA25662e55bf4c88ceb6ca6ac53a2b3be0144c8939b4d576676f00182ef8bd5117218
SHA5121a22e86d20b3f0cdae51bdef481caf3c83d1c5650c8566efef0bee941b5c4ddaf9d73d60b615de381c7d2e68a96cb118112898afb111ac41b68380a8ecffd571
-
Filesize
221KB
MD5b3d1699bac5f4682cda6ca7676f8d333
SHA1009fae507bc8b45b2a6e4f6e3753f60c96d3d692
SHA25662e55bf4c88ceb6ca6ac53a2b3be0144c8939b4d576676f00182ef8bd5117218
SHA5121a22e86d20b3f0cdae51bdef481caf3c83d1c5650c8566efef0bee941b5c4ddaf9d73d60b615de381c7d2e68a96cb118112898afb111ac41b68380a8ecffd571
-
Filesize
724B
MD5f87f5425ff414a06dec432bbdf73ed25
SHA1603784c88ba307081311379f2eb1c3e82d9a786f
SHA256792a525858951143209846ea7bcab8cc3be83a131e444a16e446e56f191a551f
SHA51209540205e90b353b3bdb90422c92399cfdab4e3c86863267b38c1fab28257e4927e9525396c2bc79b6048243a28e909661b842dcf3a82f4c0c0a39f820e27709
-
Filesize
221KB
MD50669d63a75b1858b346fc2e650ab3e48
SHA152529e1ebebdd2d3c447f6044f64639e517d9ef4
SHA256e74d7fd196f966eb88d82c5396181e0c7e159080a173bc69d207ee3a24d4728e
SHA512af0d747f01a91a09f21e4b68258f6f285fd502f2b021dc25574a343a20f3a1abd0b1a86129385a4d9eada81808ea32ed9718c606ad002721a1b96b31c38a39c8
-
Filesize
221KB
MD50669d63a75b1858b346fc2e650ab3e48
SHA152529e1ebebdd2d3c447f6044f64639e517d9ef4
SHA256e74d7fd196f966eb88d82c5396181e0c7e159080a173bc69d207ee3a24d4728e
SHA512af0d747f01a91a09f21e4b68258f6f285fd502f2b021dc25574a343a20f3a1abd0b1a86129385a4d9eada81808ea32ed9718c606ad002721a1b96b31c38a39c8