Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

0a93e0d48d...b8.exe

windows7-x64

8

0a93e0d48d...b8.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    157s
  • max time network
    203s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    27/11/2022, 00:22 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe

  • Size

    130KB

  • MD5

    1b393f35a3329bf17af357f26b6abc9e

  • SHA1

    6544adf7e31f7514c753a01dc408a6ee9e6d9f77

  • SHA256

    0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8

  • SHA512

    3a317fb845a4181047fcac4e109cd34b413d5ceaa854fb8c0d5acbe01d72ffb35c7812d3961c8ce6be804c907c5daa951211c6238cdac7a84a573fe1b0a86b14

  • SSDEEP

    3072:sXvZEHA1EaU6mLVQQ9oi3W45qy/Uua6B264qE+El:sXTUC7i3W45GuH26w

Score
8/10
persistence

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 9 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe
    "C:\Users\Admin\AppData\Local\Temp\0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Windows\SysWOW64\Microsoft\Windows\System32\svchost.exe
      C:\Windows\System32\Microsoft\Windows\System32\svchost.exe -k LocalService -d11081665170111810177131869918613717318111913061616917172511166111021118151071311199916513715318111596161714171710716681111181519713919949561371831811215961631417171714166781118710713819991421813719131811161546161812174171071661916111801467139190991613137692181116156161921117171414166121711185671331999101313717918117761614124171771616612811187671318199916131371791811676161911171712141646151701118132107136182909651372534181121615261611111717111616612811182186713191899313137169218111176161412171712141661481118567135189913131307169181116761617121717714166781118154107131718991951371091811161561691117177141669171118136071341518991813013764918111615616161217178141663171118857131819991061371731811
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Deletes itself
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1948

Network

  • flag-unknown
    DNS
    infotel18265.info
    LocalService
    Remote address:
    8.8.8.8:53
    Request
    infotel18265.info
    IN A
    Response
  • flag-unknown
    DNS
    infosvc325690.info
    LocalService
    Remote address:
    8.8.8.8:53
    Request
    infosvc325690.info
    IN A
    Response
  • flag-unknown
    DNS
    infosvc325690.tk
    LocalService
    Remote address:
    8.8.8.8:53
    Request
    infosvc325690.tk
    IN A
    Response
  • flag-unknown
    DNS
    callsupp21579951.com
    LocalService
    Remote address:
    8.8.8.8:53
    Request
    callsupp21579951.com
    IN A
    Response
  • 107.181.246.186:43528
    LocalService
    152 B
     3
  • 107.181.246.186:43528
    LocalService
    152 B
     3
  • 107.181.246.186:43528
    LocalService
    152 B
     3
  • 107.181.246.186:43528
    LocalService
    152 B
     3
  • 107.181.246.186:43528
    LocalService
    152 B
     3
  • 8.8.8.8:53
    infotel18265.info
    dns
    LocalService
    63 B
     142 B
     1
    1

    DNS Request

    infotel18265.info

  • 8.8.8.8:53
    infosvc325690.info
    dns
    LocalService
    64 B
     143 B
     1
    1

    DNS Request

    infosvc325690.info

  • 8.8.8.8:53
    infosvc325690.tk
    dns
    LocalService
    62 B
     122 B
     1
    1

    DNS Request

    infosvc325690.tk

  • 8.8.8.8:53
    callsupp21579951.com
    dns
    LocalService
    66 B
     139 B
     1
    1

    DNS Request

    callsupp21579951.com

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\Microsoft\Windows\System32\svchost.exe
    Filesize

    130KB

    MD5

    1b393f35a3329bf17af357f26b6abc9e

    SHA1

    6544adf7e31f7514c753a01dc408a6ee9e6d9f77

    SHA256

    0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8

    SHA512

    3a317fb845a4181047fcac4e109cd34b413d5ceaa854fb8c0d5acbe01d72ffb35c7812d3961c8ce6be804c907c5daa951211c6238cdac7a84a573fe1b0a86b14

    Download Submit

  • C:\Windows\SysWOW64\Microsoft\Windows\System32\svchost.exe
    Filesize

    130KB

    MD5

    1b393f35a3329bf17af357f26b6abc9e

    SHA1

    6544adf7e31f7514c753a01dc408a6ee9e6d9f77

    SHA256

    0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8

    SHA512

    3a317fb845a4181047fcac4e109cd34b413d5ceaa854fb8c0d5acbe01d72ffb35c7812d3961c8ce6be804c907c5daa951211c6238cdac7a84a573fe1b0a86b14

    Download Submit

  • \Windows\SysWOW64\Microsoft\Windows\System32\svchost.exe
    Filesize

    130KB

    MD5

    1b393f35a3329bf17af357f26b6abc9e

    SHA1

    6544adf7e31f7514c753a01dc408a6ee9e6d9f77

    SHA256

    0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8

    SHA512

    3a317fb845a4181047fcac4e109cd34b413d5ceaa854fb8c0d5acbe01d72ffb35c7812d3961c8ce6be804c907c5daa951211c6238cdac7a84a573fe1b0a86b14

    Download Submit

  • \Windows\SysWOW64\Microsoft\Windows\System32\svchost.exe
    Filesize

    130KB

    MD5

    1b393f35a3329bf17af357f26b6abc9e

    SHA1

    6544adf7e31f7514c753a01dc408a6ee9e6d9f77

    SHA256

    0a93e0d48d859f5d1e9510f6e7ebe53d78277ffb86175aecd9f6e9e55233ecb8

    SHA512

    3a317fb845a4181047fcac4e109cd34b413d5ceaa854fb8c0d5acbe01d72ffb35c7812d3961c8ce6be804c907c5daa951211c6238cdac7a84a573fe1b0a86b14

    Download Submit

  • memory/1900-58-0x0000000000240000-0x0000000000243000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1900-59-0x0000000000400000-0x000000000076B000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/1900-54-0x0000000075131000-0x0000000075133000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1900-56-0x0000000000400000-0x000000000076B000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/1900-55-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/1900-65-0x0000000000400000-0x000000000076B000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/1948-70-0x0000000000400000-0x000000000076B000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/1948-71-0x0000000000400000-0x000000000076B000-memory.dmp

    Filesize

    3.4MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.