Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/12/2022, 22:14
Static task: static1
Behavioral task: behavioral1
  Sample: 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe
  Resource: win10v2004-20220812-en
General
Target: 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe
Size: 28KB
MD5: 98796e376e08ab8fce2dfb0570938751
SHA1: 5a8f6bfdc7791d7c7336b225ec996fb60a90a6d3
SHA256: 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812
SHA512: a029579f3f9c6f5247521097fbccec8cdd1d196c95d8813c8da446bb33474b15a2465578a6c3c60e5533ba07e1a5515b4cde55596a14df3b7c9ca98ae2d35877
SSDEEP: 768:b2FFwaMLgTzqjA4pYOUd+/u9uppQ1MZrX5iHkYmDWVcNnXwzMtc2/:bWTcvjVpzJdYWZ75hYy
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid | Process
4264 | sovhst.exe
Sets file execution options in registry (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE\debugger = "ntsd -d" | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.EXE | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360upp.EXE | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rp.EXE\debugger = "ntsd -d" | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.EXE\debugger = "ntsd -d" | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE\debugger = "ntsd -d" | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE\debugger = "ntsd -d" | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rfwstub.EXE\debugger = "ntsd -d" | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.EXE\debugger = "ntsd -d" | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.EXE | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREngLdr.EXE | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE\debugger = "ntsd -d" | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.EXE\debugger = "ntsd -d" | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.EXE | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.EXE\debugger = "ntsd -d" | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.EXE | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsMain.EXE\debugger = "ntsd -d" | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.EXE | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.EXE\debugger = "ntsd -d" | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.EXE\debugger = "ntsd -d" | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.EXE | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360upp.EXE\debugger = "ntsd -d" | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\krnl360svc.EXE\debugger = "ntsd -d" | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safeup.EXE | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.EXE | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.KXP\debugger = "ntsd -d" | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360sd.EXE | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.EXE | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.EXE | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.EXE\debugger = "ntsd -d" | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.EXE | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravservice.EXE | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.EXE\debugger = "ntsd -d" | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KpfwSvc.EXE | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VsTskMgr.EXE\debugger = "ntsd -d" | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.EXE\debugger = "ntsd -d" | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsMain.EXE | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.EXE\debugger = "ntsd -d" | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naPrdMgr.EXE\debugger = "ntsd -d" | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.EXE | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.EXE | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTray.EXE | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.EXE | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.KXP | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE\debugger = "ntsd -d" | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.EXE | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mmsk.EXE | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.EXE | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRun.EXE\debugger = "ntsd -d" | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.KXP\debugger = "ntsd -d" | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAV.EXE | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAV.EXE\debugger = "ntsd -d" | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.EXE\debugger = "ntsd -d" | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.EXE | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.EXE\debugger = "ntsd -d" | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.EXE\debugger = "ntsd -d" | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Runiep.EXE | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.EXE\debugger = "ntsd -d" | sovhst.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.EXE | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREngLdr.EXE\debugger = "ntsd -d" | sovhst.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safeup.EXE\debugger = "ntsd -d" | sovhst.exe
Loads dropped DLL (1 IoC)
pid | Process
4264 | sovhst.exe

Drops file in System32 directory (1 IoC)
description | ioc | Process
File created | C:\Windows\SysWOW64\dllcache\linkinfo.dll | sovhst.exe

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files\sovhst.exe | 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe
File opened for modification | C:\Program Files\sovhst.exe | sovhst.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\fonts\niuxs.sys | sovhst.exe
File created | C:\Windows\fonts\fuckjss.sys | sovhst.exe

Launches sc.exe (1 IoC)
sc.exe is a Windows utility used to control services on the system.
pid | Process
2536 | sc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3916 | 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe (4 entries)
4264 | sovhst.exe (all remaining entries)

Suspicious behavior: LoadsDriver (2 IoCs)
pid | Process
648 | Process not Found
648 | Process not Found

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4264 | sovhst.exe
Token: SeDebugPrivilege | 4264 | sovhst.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 3916 wrote to memory of 4264 | 3916 | 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe | 79
PID 3916 wrote to memory of 4264 | 3916 | 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe | 79
PID 3916 wrote to memory of 4264 | 3916 | 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe | 79
PID 4264 wrote to memory of 856 | 4264 | sovhst.exe | 80
PID 4264 wrote to memory of 856 | 4264 | sovhst.exe | 80
PID 4264 wrote to memory of 856 | 4264 | sovhst.exe | 80
PID 856 wrote to memory of 2536 | 856 | cmd.exe | 82
PID 856 wrote to memory of 2536 | 856 | cmd.exe | 82
PID 856 wrote to memory of 2536 | 856 | cmd.exe | 82
PID 3916 wrote to memory of 5036 | 3916 | 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe | 84
PID 3916 wrote to memory of 5036 | 3916 | 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe | 84
PID 3916 wrote to memory of 5036 | 3916 | 81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe | 84
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe"
  PID: 3916
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Program Files\sovhst.exe
      Command line: "C:\Program Files\sovhst.exe"
      PID: 4264
      - Executes dropped EXE
      - Sets file execution options in registry
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c sc config avp start= disabled
          PID: 856
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\sc.exe
              Command line: sc config avp start= disabled
              PID: 2536
              - Launches sc.exe

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\81fc2152f255942e1a8d0ba485d0ec6eae29fc2e1fcaa72011670fd07156d812.exe"
      PID: 5036
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 24KB
MD5: 5b740193023b700d63331f2f73473851
SHA1: e117d4e186af3a0c8cdcdd4b239852ac37ab6a6d
SHA256: 7fd7baa8cabcb6d218fa4dd3efbd65d8e9dd195cbf2af858c8665d9ccbbba412
SHA512: 0b2a86922696a7f3c23aee456c9275fb981d8862d699d8c777ee756e123e572ca0e8604bdd20d113b6b460c036147bb9f9986ffd7af8cf3e3e837ea08ef562d7

Filesize: 24KB
MD5: 5b740193023b700d63331f2f73473851
SHA1: e117d4e186af3a0c8cdcdd4b239852ac37ab6a6d
SHA256: 7fd7baa8cabcb6d218fa4dd3efbd65d8e9dd195cbf2af858c8665d9ccbbba412
SHA512: 0b2a86922696a7f3c23aee456c9275fb981d8862d699d8c777ee756e123e572ca0e8604bdd20d113b6b460c036147bb9f9986ffd7af8cf3e3e837ea08ef562d7

Filesize: 17KB
MD5: 2398c9de62d15b8957a97f877d7f6982
SHA1: ee6ec78a3e0c50bbb21f7be4445f2874f9addc8c
SHA256: aff30473dd841ef8a285dd71c69da64e4295fbdecbd9e800a7522719ec4b1057
SHA512: 741abeccb76c08fa11dec3752209749fd5853bc3a6f847cd67aace1900fd4ee199aec1a4279372c87c6c2d2acf8e281a3570372f96d649fd1f1dc907a68468a8