Analysis
- max time kernel: 148s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 24/12/2023, 18:39
Static task: static1
Behavioral task: behavioral1
- Sample: 0c8a4b9585343d742758a6ae32c3739a.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 0c8a4b9585343d742758a6ae32c3739a.exe
- Resource: win10v2004-20231215-en
General
- Target: 0c8a4b9585343d742758a6ae32c3739a.exe
- Size: 1.9MB
- MD5: 0c8a4b9585343d742758a6ae32c3739a
- SHA1: e209ae2cf7c780c8e36ac18fbacb13d583bfe12d
- SHA256: 334de1d5c8bbdf92028be5824d1464f727436d58f9e8ced1c1ac824743686093
- SHA512: bf127855dd52fee4ea3496e617b8e716ae7b773aaa9c702f8a326f7c3a72dec672b9f859f5c876145f68998f37dae8afad7ec1e425ed2e0932ad1e209ec675e0
- SSDEEP: 12288:RFfwcHcu8pMkZ3Fn9d+Vd3SUZ+7EeI1x7f7V3+hT6DaRWz58kc+1xy8SyGO4A:RJcu8pl9d+VdCUhN1SsNK+1pSyH4A
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" (process: 0c8a4b9585343d742758a6ae32c3739a.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" (process: services.exe)
Adds policy Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" (process: services.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: 0c8a4b9585343d742758a6ae32c3739a.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" (process: 0c8a4b9585343d742758a6ae32c3739a.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: services.exe)
Modifies Installed Components in the registry (2 TTPs, 5 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ (process: services.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" (process: services.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} (process: 0c8a4b9585343d742758a6ae32c3739a.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ (process: 0c8a4b9585343d742758a6ae32c3739a.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" (process: 0c8a4b9585343d742758a6ae32c3739a.exe)
Yara rule match
- resource: behavioral1/files/0x002f000000015ca1-24.dat, yara_rule: aspack_v212_v242
Deletes itself (1 IoC)
- pid 2608, process cmd.exe
Executes dropped EXE (2 IoCs)
- pid 2668, process fservice.exe
- pid 2688, process services.exe
Loads dropped DLL (6 IoCs)
- pid 1728, process 0c8a4b9585343d742758a6ae32c3739a.exe (3 entries)
- pid 2688, process services.exe (2 entries)
- pid 2668, process fservice.exe (1 entry)
Modifies WinLogon (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ (process: 0c8a4b9585343d742758a6ae32c3739a.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ (process: services.exe)
Drops file in System32 directory (7 IoCs)
- File created: C:\Windows\SysWOW64\fservice.exe (process: services.exe)
- File created: C:\Windows\SysWOW64\fservice.exe (process: 0c8a4b9585343d742758a6ae32c3739a.exe)
- File opened for modification: C:\Windows\SysWOW64\fservice.exe (process: 0c8a4b9585343d742758a6ae32c3739a.exe)
- File created: C:\Windows\SysWOW64\fservice.exe (process: fservice.exe)
- File opened for modification: C:\Windows\SysWOW64\fservice.exe (process: fservice.exe)
- File created: C:\Windows\SysWOW64\winkey.dll (process: services.exe)
- File created: C:\Windows\SysWOW64\reginv.dll (process: services.exe)
Drops file in Windows directory (8 IoCs)
- File created: C:\Windows\system\sservice.exe (process: 0c8a4b9585343d742758a6ae32c3739a.exe)
- File opened for modification: C:\Windows\system\sservice.exe (process: 0c8a4b9585343d742758a6ae32c3739a.exe)
- File created: C:\Windows\services.exe (process: fservice.exe)
- File opened for modification: C:\Windows\services.exe (process: fservice.exe)
- File created: C:\Windows\system\sservice.exe (process: fservice.exe)
- File opened for modification: C:\Windows\system\sservice.exe (process: fservice.exe)
- File created: C:\Windows\system\sservice.exe (process: services.exe)
- File opened for modification: C:\Windows\system\sservice.exe (process: services.exe)
Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid 2688, process services.exe (64 identical entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
- pid 2688, process services.exe (2 entries)
Suspicious use of WriteProcessMemory (28 IoCs)
- PID 1728 wrote to memory of 2668 (process: 0c8a4b9585343d742758a6ae32c3739a.exe, procid_target: 28) - 4 entries
- PID 2668 wrote to memory of 2688 (process: fservice.exe, procid_target: 29) - 4 entries
- PID 2688 wrote to memory of 2816 (process: services.exe, procid_target: 33) - 4 entries
- PID 2688 wrote to memory of 2740 (process: services.exe, procid_target: 32) - 4 entries
- PID 1728 wrote to memory of 2608 (process: 0c8a4b9585343d742758a6ae32c3739a.exe, procid_target: 37) - 4 entries
- PID 2816 wrote to memory of 2760 (process: NET.exe, procid_target: 36) - 4 entries
- PID 2740 wrote to memory of 2748 (process: NET.exe, procid_target: 34) - 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\0c8a4b9585343d742758a6ae32c3739a.exe (PID 1728)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c8a4b9585343d742758a6ae32c3739a.exe"
  Signatures:
  - Modifies WinLogon for persistence
  - Adds policy Run key to start application
  - Modifies Installed Components in the registry
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\fservice.exe (PID 2668)
    Command line: C:\Windows\system32\fservice.exe
    Signatures:
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\services.exe (PID 2688)
      Command line: C:\Windows\services.exe -XP
      Signatures:
      - Modifies WinLogon for persistence
      - Adds policy Run key to start application
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies WinLogon
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Children:
      - C:\Windows\SysWOW64\NET.exe (PID 2740)
        Command line: NET STOP navapsvc
        Signatures:
        - Suspicious use of WriteProcessMemory
        Children:
        - C:\Windows\SysWOW64\net1.exe (PID 2748)
          Command line: C:\Windows\system32\net1 STOP navapsvc
      - C:\Windows\SysWOW64\NET.exe (PID 2816)
        Command line: NET STOP srservice
        Signatures:
        - Suspicious use of WriteProcessMemory
        Children:
        - C:\Windows\SysWOW64\net1.exe (PID 2760)
          Command line: C:\Windows\system32\net1 STOP srservice
  - C:\Windows\SysWOW64\cmd.exe (PID 2608)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\0c8a4b9585343d742758a6ae32c3739a.exe.bat
    Signatures:
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads