Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 10/10/2023, 06:57
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20230915-en
General
Target: file.exe
Size: 294KB
MD5: 44b65e6b1c5c97f08604d6386e073755
SHA1: ef3a38c06da42adf5855c9ca04afc3a264189abb
SHA256: 6414aa1f08ec3168c6c2630d3ebd5d9a184c0520bfa3c8018d23e74ee088021c
SHA512: bd397b6eafdecfa6e72bb990757650566512a4c7eb12d75479fa9ef7a481542be9ccb57f538f0ed4d2e4fe77444c3aa99043b0b78663d8c740f6736ec8d84e60
SSDEEP: 6144:U5ZKe+CEiMKqR3p5X0WVKwn01r7ufeQRM:UzB+CEfv3p5XtVKpCmQ
Malware Config
Extracted
tofsee
vanaheim.cn
jotunheim.name
Signatures
Windows security bypass
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\ekarqpbu = "0"  (process: svchost.exe)
Creates new service(s) 1 TTPs
Modifies Windows Firewall 1 TTPs 1 IoCs
  pid 2696  netsh.exe
Sets service image path in registry 2 TTPs 1 IoCs
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ekarqpbu\ImagePath = "C:\\Windows\\SysWOW64\\ekarqpbu\\twpaajkk.exe"  (process: svchost.exe)
Deletes itself 1 IoCs
  pid 1888  svchost.exe
Executes dropped EXE 1 IoCs
  pid 2748  twpaajkk.exe
Looks up external IP address via web service 1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 107  ipinfo.io
Drops file in System32 directory 1 IoCs
  File created: C:\Windows\SysWOW64\config\systemprofile:.repos  (process: svchost.exe)
Suspicious use of SetThreadContext 1 IoCs
  PID 2748 set thread context of 1888  (process: twpaajkk.exe, target procid: 41)
Launches sc.exe 3 IoCs
  Sc.exe is a Windows utility to control services on the system.
  pid 320  sc.exe
  pid 2360  sc.exe
  pid 2648  sc.exe
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS 2 IoCs
  Key created: \REGISTRY\USER\.DEFAULT\Control Panel\Buses  (process: svchost.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 7cab243d671b0a0024edb47d450dd49d084297dce82e72baa49e23fd4c79431d7e1bdd3d86cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56813dd8244743be1a9644490bdb57522e4945e05cbf0bb54758df21d5904e0a56810da854c7439e4a464419bdce0286682cd0934c9c4e4241dc9984d0f31f9ad6c1cdeb40e367b8be90d4091bdb07f27ec955b02fda8e2377c88f2005469a8946c11da844b7d3de2a85d2d109d8d4d700b3a3034fdc48d551de4ad035276a6cb2e569bb47d440dd49d642dc2b9d43d51dda46d34fe089f571de4ad750b36e3a56f16c385457023e1a5642df4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad74db05cd94  (process: svchost.exe)
Suspicious use of WriteProcessMemory 30 IoCs
  PID 3028 wrote to memory of 1672  (process: file.exe, target procid: 28)  x4
  PID 3028 wrote to memory of 2964  (process: file.exe, target procid: 30)  x4
  PID 3028 wrote to memory of 320   (process: file.exe, target procid: 32)  x4
  PID 3028 wrote to memory of 2360  (process: file.exe, target procid: 34)  x4
  PID 3028 wrote to memory of 2648  (process: file.exe, target procid: 36)  x4
  PID 3028 wrote to memory of 2696  (process: file.exe, target procid: 39)  x4
  PID 2748 wrote to memory of 1888  (process: twpaajkk.exe, target procid: 41)  x6
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 3028
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ekarqpbu\
    PID: 1672
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\twpaajkk.exe" C:\Windows\SysWOW64\ekarqpbu\
    PID: 2964
  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create ekarqpbu binPath= "C:\Windows\SysWOW64\ekarqpbu\twpaajkk.exe /d\"C:\Users\Admin\AppData\Local\Temp\file.exe\"" type= own start= auto DisplayName= "wifi support"
    PID: 320
    - Launches sc.exe
  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description ekarqpbu "wifi internet conection"
    PID: 2360
    - Launches sc.exe
  C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start ekarqpbu
    PID: 2648
    - Launches sc.exe
  C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    PID: 2696
    - Modifies Windows Firewall
C:\Windows\SysWOW64\ekarqpbu\twpaajkk.exe
  Command line: C:\Windows\SysWOW64\ekarqpbu\twpaajkk.exe /d"C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 2748
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    PID: 1888
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
  Create or Modify System Process: 2
    Windows Service: 2
Downloads
Filesize: 10.8MB
MD5: 1c14997f49f1d76dbe008498ecac01ab
SHA1: 955629d0b7c6d70b3cc3ae802a9a57e4b69c56cd
SHA256: 0658cc9da8f47338d838ae6232dd7841ab1450d6e4549f580c29a0a5f963f6ad
SHA512: 44e05cb0de23186bd99112a1276fc567a95024fec24f3e4e8040709586c42b0fa2affe39a5ec2dc659a97a5f7709d8e2a3913f0759806ccd2a11c288cda8be10