Analysis
- max time kernel: 148s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/12/2022, 02:43
Static task: static1
Behavioral task: behavioral1
- Sample: 75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe
- Resource: win10v2004-20220812-en
General
- Target: 75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe
- Size: 249KB
- MD5: 0dc2ef41474a7c3ab621e11107c48f20
- SHA1: e8f6fd4275b415bfd1d940cafaae13da7511fbad
- SHA256: 75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08
- SHA512: 54df78dd25fec69cb999c87341c823cddd4e3f7e4211958c022d42bc82c56ae239ee88b494f176067f3e11b1bb77edb3cbd8de7b5c2af32ca08f65f1e7442a9c
- SSDEEP: 6144:xyH7xOc6H5c6HcT66vlmA4KmNNT/5BD6HtOIF3uUAGdkabk0i5dArDySa:xa2d/0tuUA3T5aHyh
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid   Process
  2256  svchost.exe
  3788  75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe
  3392  svchost.exe
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (1 IoC)
  description   ioc                     Process
  File created  C:\Windows\svchost.exe  75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  3788  75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe
  3788  75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe
  3788  75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 2760 wrote to memory of 2256  2760  75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe  81
  PID 2760 wrote to memory of 2256  2760  75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe  81
  PID 2760 wrote to memory of 2256  2760  75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe  81
  PID 2256 wrote to memory of 3788  2256  svchost.exe                                                             82
  PID 2256 wrote to memory of 3788  2256  svchost.exe                                                             82
  PID 2256 wrote to memory of 3788  2256  svchost.exe                                                             82
  PID 3788 wrote to memory of 4876  3788  75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe  84
  PID 3788 wrote to memory of 4876  3788  75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe  84
Processes
C:\Users\Admin\AppData\Local\Temp\75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 2760
    C:\Windows\svchost.exe
      Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 2256
        C:\Users\Admin\AppData\Local\Temp\75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 3788
            C:\Windows\splwow64.exe
              Command line: C:\Windows\splwow64.exe 12288
              PID: 4876

C:\Windows\svchost.exe
  Command line: C:\Windows\svchost.exe
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID: 3392

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
  PID: 4064
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\75a3e5a4575a707afcea12ef0fd87a361d5b0949dce5da3b0402fbb7d8d7cc08.exe
  Filesize: 214KB
  MD5: 3ff3e4a873cb1eb481bc9e925d715fbb
  SHA1: 8a3614a8e8d60e5d1d5742e1b4a04be07e38eb74
  SHA256: 2a1f82a08ba90fa972f92da3799259a85991fbcfe7e287623d64efcb663507b5
  SHA512: 1189d2d5c00ef04cb67ca2603354bacc2324213c35ca6b6256a15ad299505e0d868e6b4f825288a38cad661350c9e95b33600bf306b36592401d72cf7586f437
- Filesize: 35KB
  MD5: 9e3c13b6556d5636b745d3e466d47467
  SHA1: 2ac1c19e268c49bc508f83fe3d20f495deb3e538
  SHA256: 20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8
  SHA512: 5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b