Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

8

31b44a6161...c6.exe

windows7-x64

7

31b44a6161...c6.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    07/11/2022, 16:52 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    31b44a61612e460c0eb7915d87aae05df93fe4e522b9fbaa3d69c3ccf5f11cc6.exe

  • Size

    44KB

  • MD5

    0fca8dd778151eef8e798bde2184a81f

  • SHA1

    6be67a74504f19ce52782cb8bffad5b8ff6c73a6

  • SHA256

    31b44a61612e460c0eb7915d87aae05df93fe4e522b9fbaa3d69c3ccf5f11cc6

  • SHA512

    f336acc6cd97b2083d3401e578b6ad1cb19b117d6ce5f620a0a7e8dc7b7297099a9b1a0800155760e7208baed4a7d0c247cc22d0c217b8003ecf880bcec7bf49

  • SSDEEP

    768:QmK5yGQVKTnf7RGur6CB3bWwUTTrzcTFXVd7/lZsomuRfCxRpmQy6eKZ:QprQAnWCc9TrzcTl/4ombRpA6eK

Score
7/10
persistence

Malware Config

Signatures

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:476
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:468
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k netsvcs
          2⤵
            PID:880
            • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
              wmiadap.exe /F /T /R
              3⤵
                PID:2012
            • C:\Windows\system32\sppsvc.exe
              C:\Windows\system32\sppsvc.exe
              2⤵
                PID:1480
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                2⤵
                  PID:968
                • C:\Windows\system32\taskhost.exe
                  "taskhost.exe"
                  2⤵
                    PID:1280
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                    2⤵
                      PID:1048
                    • C:\Windows\System32\spoolsv.exe
                      C:\Windows\System32\spoolsv.exe
                      2⤵
                        PID:456
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k NetworkService
                        2⤵
                          PID:324
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalService
                          2⤵
                            PID:856
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                            2⤵
                              PID:816
                            • C:\Windows\System32\svchost.exe
                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                              2⤵
                                PID:764
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k RPCSS
                                2⤵
                                  PID:676
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k DcomLaunch
                                  2⤵
                                    PID:600
                                • C:\Windows\system32\winlogon.exe
                                  winlogon.exe
                                  1⤵
                                    PID:420
                                  • C:\Windows\system32\csrss.exe
                                    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                    1⤵
                                      PID:380
                                    • C:\Windows\system32\wininit.exe
                                      wininit.exe
                                      1⤵
                                        PID:372
                                        • C:\Windows\system32\lsm.exe
                                          C:\Windows\system32\lsm.exe
                                          2⤵
                                            PID:484
                                        • C:\Windows\system32\Dwm.exe
                                          "C:\Windows\system32\Dwm.exe"
                                          1⤵
                                            PID:1396
                                          • C:\Windows\Explorer.EXE
                                            C:\Windows\Explorer.EXE
                                            1⤵
                                              PID:1424
                                              • C:\Users\Admin\AppData\Local\Temp\31b44a61612e460c0eb7915d87aae05df93fe4e522b9fbaa3d69c3ccf5f11cc6.exe
                                                "C:\Users\Admin\AppData\Local\Temp\31b44a61612e460c0eb7915d87aae05df93fe4e522b9fbaa3d69c3ccf5f11cc6.exe"
                                                2⤵
                                                • Adds Run key to start application
                                                • Drops file in System32 directory
                                                • Suspicious use of SetThreadContext
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious behavior: MapViewOfSection
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of WriteProcessMemory
                                                PID:1468
                                                • C:\Windows\SysWOW64\svchost.exe
                                                  C:\Windows\System32\svchost.exe
                                                  3⤵
                                                  • Checks BIOS information in registry
                                                  • Checks processor information in registry
                                                  • Enumerates system info in registry
                                                  PID:1416

                                            Network

                                              No results found
                                            • 222.88.205.195:443
                                              svchost.exe
                                              152 B
                                               3
                                            • 184.173.252.243:443
                                              svchost.exe
                                              152 B
                                               3
                                            • 184.173.252.246:443
                                              svchost.exe
                                              152 B
                                               3
                                            • 222.88.205.195:443
                                              svchost.exe
                                              152 B
                                               3
                                            • 184.173.252.243:443
                                              svchost.exe
                                              152 B
                                               3
                                            • 184.173.252.246:443
                                              svchost.exe
                                              104 B
                                               2
                                            No results found

                                            MITRE ATT&CK Enterprise v6

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • memory/1416-57-0x0000000009500000-0x0000000009508000-memory.dmp

                                              Filesize

                                              32KB

                                              Download

                                            • memory/1416-56-0x0000000009500000-0x0000000009508000-memory.dmp

                                              Filesize

                                              32KB

                                              Download

                                            • memory/1416-59-0x0000000009500000-0x0000000009508000-memory.dmp

                                              Filesize

                                              32KB

                                              Download

                                            • memory/1416-60-0x0000000009500000-0x0000000009508000-memory.dmp

                                              Filesize

                                              32KB

                                              Download

                                            • memory/1416-61-0x0000000009500000-0x0000000009508000-memory.dmp

                                              Filesize

                                              32KB

                                              Download

                                            • memory/1416-65-0x0000000009500000-0x0000000009508000-memory.dmp

                                              Filesize

                                              32KB

                                              Download

                                            • memory/1416-66-0x0000000009500000-0x0000000009508000-memory.dmp

                                              Filesize

                                              32KB

                                              Download

                                            • memory/1416-67-0x0000000009500000-0x0000000009508000-memory.dmp

                                              Filesize

                                              32KB

                                              Download

                                            • memory/1468-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

                                              Filesize

                                              8KB

                                              Download

                                            • memory/1468-55-0x0000000000400000-0x000000000041D000-memory.dmp

                                              Filesize

                                              116KB

                                              Download

                                            • memory/1468-63-0x0000000000400000-0x000000000041D000-memory.dmp

                                              Filesize

                                              116KB

                                              Download

                                            We care about your privacy.

                                            This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.