Analysis

max time kernel: 182s
max time network: 198s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/12/2023, 21:32

Static task: static1
Behavioral task: behavioral1
  Sample: 0480e4cfa319fada861bad6fdcae6475.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 0480e4cfa319fada861bad6fdcae6475.exe
  Resource: win10v2004-20231215-en
General

Target: 0480e4cfa319fada861bad6fdcae6475.exe
Size: 116KB
MD5: 0480e4cfa319fada861bad6fdcae6475
SHA1: 0f7d5ab1f91894d04acfedb15ba387e9ed34da08
SHA256: 98ba0eace481b0462e7e306f87b151a9445f6e71f676a97a9bdab77d643bc1fd
SHA512: 7056d7945a7e606a9df1220b9720ee9e5484f18c26be364d64c76398979625862471447d7ecd4256c948b7f9e3298e14b28290f6e8fcbbb5817691276c7829c6
SSDEEP: 3072:Afcl+7jQq3piXYkXzwwj2vvO9fCvou/tGWZfVwMS:l/kuwlvW9JCfn
Malware Config
Signatures

- Modifies Windows Firewall (1 TTPs, 1 IoCs)
  PID 608: netsh.exe
- Executes dropped EXE (1 IoCs)
  PID 3528: helloserv.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\helloserv = "C:\\Windows\\helloserv.exe" (process: 0480e4cfa319fada861bad6fdcae6475.exe)
- Drops file in Program Files directory (1 IoCs)
  File created: C:\Program Files\7-Zip\ (process: helloserv.exe)
- Drops file in Windows directory (4 IoCs)
  File opened for modification: C:\Windows\helloserv.config (process: helloserv.exe)
  File created: C:\Windows\helloserv.exe (process: 0480e4cfa319fada861bad6fdcae6475.exe)
  File opened for modification: C:\Windows\helloserv.exe (process: 0480e4cfa319fada861bad6fdcae6475.exe)
  File created: C:\Windows\helloserv.config (process: helloserv.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 2324: 0480e4cfa319fada861bad6fdcae6475.exe
  PID 2324: 0480e4cfa319fada861bad6fdcae6475.exe
  PID 3528: helloserv.exe
  PID 3528: helloserv.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  PID 2324 wrote to memory of 3528 (0480e4cfa319fada861bad6fdcae6475.exe, procid_target 94)
  PID 2324 wrote to memory of 3528 (0480e4cfa319fada861bad6fdcae6475.exe, procid_target 94)
  PID 2324 wrote to memory of 3528 (0480e4cfa319fada861bad6fdcae6475.exe, procid_target 94)
  PID 3528 wrote to memory of 608 (helloserv.exe, procid_target 95)
  PID 3528 wrote to memory of 608 (helloserv.exe, procid_target 95)
  PID 3528 wrote to memory of 608 (helloserv.exe, procid_target 95)
  PID 3528 wrote to memory of 2972 (helloserv.exe, procid_target 96)
  PID 3528 wrote to memory of 2972 (helloserv.exe, procid_target 96)
  PID 3528 wrote to memory of 2972 (helloserv.exe, procid_target 96)
  PID 3528 wrote to memory of 972 (helloserv.exe, procid_target 97)
  PID 3528 wrote to memory of 972 (helloserv.exe, procid_target 97)
  PID 3528 wrote to memory of 972 (helloserv.exe, procid_target 97)
  PID 2972 wrote to memory of 1232 (w32tm.exe, procid_target 101)
  PID 972 wrote to memory of 1036 (w32tm.exe, procid_target 102)
  PID 2972 wrote to memory of 1232 (w32tm.exe, procid_target 101)
  PID 972 wrote to memory of 1036 (w32tm.exe, procid_target 102)
Processes

1. C:\Users\Admin\AppData\Local\Temp\0480e4cfa319fada861bad6fdcae6475.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0480e4cfa319fada861bad6fdcae6475.exe"
   PID: 2324
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\helloserv.exe
      Command line: "C:\Windows\helloserv.exe"
      PID: 3528
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall set allowedprogram "C:\Windows\helloserv.exe" enable
         PID: 608
         - Modifies Windows Firewall

      3. C:\Windows\SysWOW64\w32tm.exe
         Command line: w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
         PID: 2972
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\w32tm.exe
            Command line: w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
            PID: 1232

      3. C:\Windows\SysWOW64\w32tm.exe
         Command line: w32tm /config /update
         PID: 972
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\w32tm.exe
            Command line: w32tm /config /update
            PID: 1036
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

- Filesize: 47KB
  MD5: 1af5061a3e77f00a04846c3f32d1e3e1
  SHA1: 14b81281b7f593f4b78bfb5855a47a07c455766f
  SHA256: 242842aa959166ff36e4e3b933f3ae4ec1eb1ce0da9a9c2062d72945a2b00bf9
  SHA512: 56a0683dc40e87797c5f83bd806edfcc57d6c8436827574074bf0a4f6f3fddaa88d434d3a315ebc99a79a21b0331c11d6f3ddb69d57b7c0ba61f8e998bf2c7b4

- Filesize: 3KB
  MD5: 9922d5d6ccdf4dd041ed86cbe27028fa
  SHA1: 2cc67fc01ba9d80f5fefe4f2481a5bde9994c873
  SHA256: 4407795043e0edd2a1d533c5794cf3d0aa531dcc90bd55c9d4902c38b70cadc3
  SHA512: 2fa96f7b1f6fef848e5bd26c4ff30e375c573df914777b4dd943beec2d75d7c7648735fbaea70ba3a5b4753c7c36d30acab6d5d1c594e0c3945dca1b07442b62

- Filesize: 116KB
  MD5: 0480e4cfa319fada861bad6fdcae6475
  SHA1: 0f7d5ab1f91894d04acfedb15ba387e9ed34da08
  SHA256: 98ba0eace481b0462e7e306f87b151a9445f6e71f676a97a9bdab77d643bc1fd
  SHA512: 7056d7945a7e606a9df1220b9720ee9e5484f18c26be364d64c76398979625862471447d7ecd4256c948b7f9e3298e14b28290f6e8fcbbb5817691276c7829c6