Analysis
max time kernel: 150s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2023, 20:58
Static task: static1
Behavioral task: behavioral1
  Sample: 3c84427336e0e9d4d3ea7bceff1a1ee5.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 3c84427336e0e9d4d3ea7bceff1a1ee5.exe
  Resource: win10v2004-20231215-en
General
Target: 3c84427336e0e9d4d3ea7bceff1a1ee5.exe
Size: 1.1MB
MD5: 3c84427336e0e9d4d3ea7bceff1a1ee5
SHA1: ff3b9b945936e3ee00c59f6e5b5cee8bf77cd61d
SHA256: 84adef8ab777a37cd3face61cccf13501928f385f4f963deb9c4708b12bf4bd3
SHA512: 44ac720028446208484e4fcba80b2962a7af5da3e92cf12d23e45062a912049132af252837f2b506642a421a9d84e123f36674748feef8d0b7f9940241fb65ed
SSDEEP: 24576:R7WsPkA8QsBPyoG0HBrC2zJSKDqDYMcrUMG6dZhVmpXJi5XeFneS:RrEQsBT1DqzCHL5uBeS
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | lncom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | services.exe
Adds policy Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | lncom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | lncom.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | services.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | services.exe
Modifies Installed Components in the registry (2 TTPs, 5 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} | lncom.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | lncom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | lncom.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | services.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | services.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | 3c84427336e0e9d4d3ea7bceff1a1ee5.exe
Executes dropped EXE (3 IoCs)
pid | Process
2244 | lncom.exe
3868 | fservice.exe
4048 | services.exe
Loads dropped DLL (5 IoCs)
pid | Process
4048 | services.exe
4048 | services.exe
4048 | services.exe
3868 | fservice.exe
2244 | lncom.exe

resource | yara_rule
behavioral2/memory/2244-18-0x0000000000400000-0x00000000005FF000-memory.dmp | upx
behavioral2/files/0x0006000000023202-17.dat | upx
behavioral2/files/0x0006000000023202-14.dat | upx
behavioral2/files/0x0003000000022763-26.dat | upx
behavioral2/files/0x0003000000022763-27.dat | upx
behavioral2/files/0x000b000000023110-35.dat | upx
behavioral2/files/0x000b000000023110-36.dat | upx
behavioral2/memory/3868-51-0x0000000000400000-0x00000000005FF000-memory.dmp | upx
behavioral2/memory/4048-37-0x0000000000400000-0x00000000005FF000-memory.dmp | upx
behavioral2/files/0x0009000000023116-31.dat | upx
behavioral2/memory/2244-55-0x0000000000400000-0x00000000005FF000-memory.dmp | upx
behavioral2/memory/4048-57-0x0000000000400000-0x00000000005FF000-memory.dmp | upx
behavioral2/memory/4048-58-0x0000000000400000-0x00000000005FF000-memory.dmp | upx
behavioral2/memory/4048-59-0x0000000000400000-0x00000000005FF000-memory.dmp | upx
behavioral2/memory/4048-61-0x0000000000400000-0x00000000005FF000-memory.dmp | upx
behavioral2/memory/4048-62-0x0000000000400000-0x00000000005FF000-memory.dmp | upx
behavioral2/memory/4048-63-0x0000000000400000-0x00000000005FF000-memory.dmp | upx
behavioral2/memory/4048-64-0x0000000000400000-0x00000000005FF000-memory.dmp | upx
behavioral2/memory/4048-65-0x0000000000400000-0x00000000005FF000-memory.dmp | upx
behavioral2/memory/4048-66-0x0000000000400000-0x00000000005FF000-memory.dmp | upx
behavioral2/memory/4048-67-0x0000000000400000-0x00000000005FF000-memory.dmp | upx
behavioral2/memory/4048-68-0x0000000000400000-0x00000000005FF000-memory.dmp | upx
behavioral2/memory/4048-69-0x0000000000400000-0x00000000005FF000-memory.dmp | upx
behavioral2/memory/4048-70-0x0000000000400000-0x00000000005FF000-memory.dmp | upx
behavioral2/memory/4048-71-0x0000000000400000-0x00000000005FF000-memory.dmp | upx
behavioral2/memory/4048-72-0x0000000000400000-0x00000000005FF000-memory.dmp | upx
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | lncom.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | services.exe
Drops file in System32 directory (10 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\lncom_.exe | 3c84427336e0e9d4d3ea7bceff1a1ee5.exe
File created | C:\Windows\SysWOW64\fservice.exe | lncom.exe
File created | C:\Windows\SysWOW64\fservice.exe | fservice.exe
File opened for modification | C:\Windows\SysWOW64\fservice.exe | fservice.exe
File created | C:\Windows\SysWOW64\winkey.dll | services.exe
File created | C:\Windows\SysWOW64\reginv.dll | services.exe
File created | C:\Windows\SysWOW64\lncom.exe | 3c84427336e0e9d4d3ea7bceff1a1ee5.exe
File opened for modification | C:\Windows\SysWOW64\fservice.exe | lncom.exe
File created | C:\Windows\SysWOW64\fservice.exe | services.exe
File created | C:\Windows\SysWOW64\lncom.exe.bat | lncom.exe
Drops file in Windows directory (7 IoCs)
description | ioc | Process
File created | C:\Windows\system\sservice.exe | lncom.exe
File opened for modification | C:\Windows\system\sservice.exe | lncom.exe
File created | C:\Windows\services.exe | fservice.exe
File opened for modification | C:\Windows\services.exe | fservice.exe
File created | C:\Windows\system\sservice.exe | fservice.exe
File opened for modification | C:\Windows\system\sservice.exe | fservice.exe
File created | C:\Windows\system\sservice.exe | services.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4048 | services.exe (64 entries, all identical)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
4048 | services.exe
4048 | services.exe
Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target
PID 1156 wrote to memory of 2244 | 1156 | 3c84427336e0e9d4d3ea7bceff1a1ee5.exe | 55
PID 1156 wrote to memory of 2244 | 1156 | 3c84427336e0e9d4d3ea7bceff1a1ee5.exe | 55
PID 1156 wrote to memory of 2244 | 1156 | 3c84427336e0e9d4d3ea7bceff1a1ee5.exe | 55
PID 2244 wrote to memory of 3868 | 2244 | lncom.exe | 63
PID 2244 wrote to memory of 3868 | 2244 | lncom.exe | 63
PID 2244 wrote to memory of 3868 | 2244 | lncom.exe | 63
PID 3868 wrote to memory of 4048 | 3868 | fservice.exe | 62
PID 3868 wrote to memory of 4048 | 3868 | fservice.exe | 62
PID 3868 wrote to memory of 4048 | 3868 | fservice.exe | 62
PID 4048 wrote to memory of 3344 | 4048 | services.exe | 61
PID 4048 wrote to memory of 3344 | 4048 | services.exe | 61
PID 4048 wrote to memory of 3344 | 4048 | services.exe | 61
PID 4048 wrote to memory of 2596 | 4048 | services.exe | 58
PID 4048 wrote to memory of 2596 | 4048 | services.exe | 58
PID 4048 wrote to memory of 2596 | 4048 | services.exe | 58
PID 3344 wrote to memory of 1280 | 3344 | NET.exe | 60
PID 3344 wrote to memory of 1280 | 3344 | NET.exe | 60
PID 3344 wrote to memory of 1280 | 3344 | NET.exe | 60
PID 2596 wrote to memory of 3832 | 2596 | NET.exe | 59
PID 2596 wrote to memory of 3832 | 2596 | NET.exe | 59
PID 2596 wrote to memory of 3832 | 2596 | NET.exe | 59
PID 2244 wrote to memory of 3388 | 2244 | lncom.exe | 105
PID 2244 wrote to memory of 3388 | 2244 | lncom.exe | 105
PID 2244 wrote to memory of 3388 | 2244 | lncom.exe | 105
Processes
C:\Users\Admin\AppData\Local\Temp\3c84427336e0e9d4d3ea7bceff1a1ee5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3c84427336e0e9d4d3ea7bceff1a1ee5.exe"
  PID: 1156
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\lncom.exe
    Command line: "C:\Windows\system32\lncom.exe"
    PID: 2244
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\fservice.exe
      Command line: C:\Windows\system32\fservice.exe
      PID: 3868
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\lncom.exe.bat
      PID: 3388

C:\Windows\SysWOW64\NET.exe
  Command line: NET STOP navapsvc
  PID: 2596
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\net1.exe
    Command line: C:\Windows\system32\net1 STOP navapsvc
    PID: 3832

C:\Windows\SysWOW64\net1.exe
  Command line: C:\Windows\system32\net1 STOP srservice
  PID: 1280

C:\Windows\SysWOW64\NET.exe
  Command line: NET STOP srservice
  PID: 3344
  - Suspicious use of WriteProcessMemory

C:\Windows\services.exe
  Command line: C:\Windows\services.exe -XP
  PID: 4048
  - Modifies WinLogon for persistence
  - Adds policy Run key to start application
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 21KB
MD5: 9732c3c1dad0739017c9372fd17c1078
SHA1: 7f4893ae2d8dbc62e0bd0a7cb54a4d7a0542d5e9
SHA256: 648d7e96455ea71412fe46edc7bd11328b299c915a92fa7675bc4ba027892321
SHA512: adaf34d086753c669d26f0381404e18c776d3c01bbeea56726ce960550694d99a224a9ffbb4f895627e226b7564c9134876e1a14f9f344e1cfb23e596ca33af0

Filesize: 341KB
MD5: ac043bf879477b8ea25b8d080a2e09ad
SHA1: e24576674ff6126dc182dabbe0fe7ccc6cb6534d
SHA256: 0d3cfda2c93bbf32860d95e06a386e5981f016f46f4decc2d1a8c620b226ec9b
SHA512: ff961e48861d43e12e03e7ce808b066572239e1a7f0c7b24b7fbe6678c1f1bc23d36b799010ce01124d5db0644356c2f04d80f42eb94002b182dd81be3b63761

Filesize: 64KB
MD5: c9093405a1308409fc33fb58c71f1a91
SHA1: 5b927e54a1774b10f7553b76fb5bdca7ae424295
SHA256: d88210db281a031e4ba1065b59491efb90d61aad24ee735594b0444fa2d2fd37
SHA512: 7c532ceb950219d1c3d0278c35dab2bc6ce53510a17fa0ebd90dc11406d47f87ae4194cbc36930f0a0290f05165a6e878da7f569b74022d1e4c85af587c964ab

Filesize: 84KB
MD5: 95e942d3ca17994748447bcb1c37f577
SHA1: e0fae1951aa8c77e61b6519b8ca9f65f412c0511
SHA256: edc0afcf0554de85157de9edd979e5b72eed19840d5e61dd490e48f824d2a1f6
SHA512: af497c1fbd7b8a4f1e5936f8cd8e96e04e1e8b99307ddc70dc9a0fbed3f8ddfe23fc5a7124218bd4862afd3f84994b19b61eebfbfdbc872f2d48b337d0e9f265

Filesize: 99B
MD5: 1f73e450d92934cd37c041eb3f1ff51f
SHA1: f3e9dece5d6b7d7a0e4966c16ffe31437539d4a0
SHA256: 3a57d154715459926a51a9e3925687c0c78ec9c88bc39c303b5b93385d34d67e
SHA512: 5f982d614e54870ae3ad212f049ca3685602812c1bb066a5f6155e694adb994d6d1608ca7a25bcab605812c6e7e6b22817aaf0dba9e906787add9b0a8e3f32a5

Filesize: 243KB
MD5: c586011d82c71272a39a1730d226cf14
SHA1: c7d75f58c88be539f5d406958d6b97287a140a22
SHA256: fae6e1056d44136506bf2c17c462b6d1e15a4c66fe0710cbbcd95e01bc06a3b6
SHA512: 8a296033b9abca9a492dd5148f42621f07b38118a9a10626c37e85e865a71f2d6063be7c4d8a29e032d7989f4d96108c0211ebe575495d9ca0e8030a9fb4d38a

Filesize: 36KB
MD5: d4a3f90e159ffbcbc4f9740de4b7f171
SHA1: 0542f5d1e2c23dca8d90766b3a8537dc3880e5c9
SHA256: 2200dd5f83d2fb8c5d3994206a4fa9ff34b4cbfe56ed39a9a03c954cf45d8f77
SHA512: 5493beb50b5f7d8ec52f32718d01696916ae173456005d0c1294ce695161ce5004aff58ee3892bf5db0f9b23720146a6d3ae8ffbcbbd81f84d894fdc8cf75a94

Filesize: 24KB
MD5: 43e7d9b875c921ba6be38d45540fb9dd
SHA1: f22a73fc0d4aa3ea6c0b8f61d974b028f308acc4
SHA256: f1b2b0abe844e6ba812c7f8709a463a7f6c56fa6ac38d376a0739cc3469f795b
SHA512: 2e74e23c0875b69b82319391c392132f28f4eb45aa412805130382498ae48969a06a2b3a7528b626fa7d7ddb6b006f19f0ef8d73cf73cb9a0c0df44a21077622

Filesize: 218KB
MD5: dfff92fe6aa1ea7d1b2911e807c58ef5
SHA1: 6e509d35bded6e3566341606b7b1f6e4e8bec4d7
SHA256: a34412dd4e2bdb3c1c111223e661eb837ae133d8549a0296b659481713aed537
SHA512: 55e9f5bc9b4ad0fc2eb252224250dbbf649b0f2d0d77398208555391b52368a3b1919afb508303513a760dfe3831dbdd603ec463597d62dde49f745ea31aeeb2

Filesize: 149KB
MD5: ca4d5e7efa6d3e3c55fbfd572280895d
SHA1: 9ed613a8642bb636fbadf263dbb0206f5c2db813
SHA256: dd369731ea186e4804b3e5b5ba60e89730179b48671c38069a40bc0bc6ff5ccb
SHA512: 2b1f41fa7d2d3cfdc6e84d04c33bc4a69fb9ed925a19a2ef5a3575c30c9589fbfa92bd7c6efb96b3ffb538f724afa9d2ab8c902256b5026bf8144b4f66798c95

Filesize: 222KB
MD5: 7a16d311cd0ff38c1a480d5a040434a6
SHA1: bb25cd290fcdddc55c1c6a7b7d8a41af97b559f7
SHA256: fd12c76c5590c836dafe9d61d4d8fae7fb1729407d381c20e1e4c25422814955
SHA512: dd4bb416d196833107da11e38a92e825f6cf55c5bd28d43bec7e7f8daa48a5073e2477453ba46357ad94214ba08edec707fee072390f5dcfe3ce32f191669a3b