Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20230824-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230824-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/08/2023, 18:01

General

  • Target

    svchost/svchost.exe

  • Size

    268KB

  • MD5

    43d08c0cf431e081e4b85515f8ed6e56

  • SHA1

    980b13a9fbf712a80b45444dc63f9b95a8e2f4bc

  • SHA256

    4f77019c9028fe94ff2995127578c40685b57ad4181cfd16c08a736e4a9cded2

  • SHA512

    5d672c19aa02a09b8ecd5f59b421cb9399eca2a45982e0ef87e4fcedcacd67b200c8f9c6582e93c5285dcc2f5257e200d4e812c51ade165491986d36719a1293

  • SSDEEP

    6144:Ta53bJhs0W69hd1MMdxPe9N9uA0Fu9TBAwzVgBxpyuDMk2kcVef+gKP3v:O1bjXFu9Tu8fd7/

Score
8/10

Malware Config

Signatures

  • Sets file execution options in registry 2 TTPs 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 3 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost\svchost.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CFBD.tmp\CFBE.tmp\CFBF.bat C:\Users\Admin\AppData\Local\Temp\svchost\svchost.exe"
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:832
      • C:\Windows\regedit.exe
        Regedit /s C:\Windows\2\31.reg
        3⤵
        • Sets file execution options in registry
        • Runs .reg file with regedit
        PID:1060
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im taskmgr.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2236
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im perfmon.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2344
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\System32\1.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3000
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c taskkill /f /im explorer.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2940
          • C:\Windows\system32\taskkill.exe
            taskkill /f /im explorer.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2732

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CFBD.tmp\CFBE.tmp\CFBF.bat

    Filesize

    12KB

    MD5

    4755ff4522eaa4071a841e4971a7ed2a

    SHA1

    4b1e5e11691b2f20c020dfbd0b35743ab43cfa8e

    SHA256

    ffeb5830cec1234d357072b6504b2672485fd4a8b1c5b3e3514c511901c4a4ed

    SHA512

    830232c626281131fe0c409fb3011e4267286fe32903b05229cf7ced77c00ec69c02cd60e93036306e2269688afdcfd005437f7812af713bdde0d30c446159ae

  • C:\Windows\2\31.reg

    Filesize

    444B

    MD5

    ebe3fd17fde6d498bd530a57863644c0

    SHA1

    fe76d4faa6cae714f1f650294f51b08af13ba85f

    SHA256

    ae1fa8f693ab356dbf0f54aa49dad1781a16e0835d9a256773468427bddd6931

    SHA512

    627355bfd1882318daef37956d7b036bff1ec819d4f2c9fdcbe25ab5d4c5fd7ef3386e3aa7b465da74f7acc01ffee39db3058ee717fb2bb56fc4f5e4c2414a7f

  • C:\Windows\System32\1.vbs

    Filesize

    829B

    MD5

    02bad85fcfc935f75f55a31db7de2fdb

    SHA1

    0c9a9a1e47f3a8fd9e278ec905be569cfdc63458

    SHA256

    99d0f76cad13e4be4ae28c2214a6073b4ef7efe178734800759503c78e5302e5

    SHA512

    e8017389393e4166c7d74b0e765314f236c03c0dda9d42c04824fe72654b9bf523b5cf70fa6f1f4718bb893451f62589785b9269b33b196f851f1960faee1253