Analysis

max time kernel: 22s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2023, 01:39
Static task: static1

Behavioral task: behavioral1
  Sample: 0a5bc0c4edebf59f51c43532a8695f7f.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 0a5bc0c4edebf59f51c43532a8695f7f.exe
  Resource: win10v2004-20231222-en
General

Target: 0a5bc0c4edebf59f51c43532a8695f7f.exe
Size: 1.9MB
MD5: 0a5bc0c4edebf59f51c43532a8695f7f
SHA1: 346ccb61505d0c554997c5b767706a28393bbe69
SHA256: 8efdd75cbe81fcbeb47acf6082db087b668808f721aeaacc89d2b79efa4da971
SHA512: 9b18adf3d1d7f3100e153033f99728050f2188243d8aaf88f60abd9ed7ef02156d0267a9d5c1cdac7d45e6e3e2e3ea1a37b9054e2fb9f48f72f0bab096f4a9ba
SSDEEP: 12288:RFfwcHcu8pMkZ3Fn9d+Vd3SUZ+7EeI1x7f7V3+hT6DaRWz58kc+1xy8SyGR4Z:RJcu8pl9d+VdCUhN1SsNK+1pSyA4Z
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | 0a5bc0c4edebf59f51c43532a8695f7f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | services.exe

Adds policy Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | 0a5bc0c4edebf59f51c43532a8695f7f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | services.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | services.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 0a5bc0c4edebf59f51c43532a8695f7f.exe

Modifies Installed Components in the registry (2 TTPs, 5 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | 0a5bc0c4edebf59f51c43532a8695f7f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | 0a5bc0c4edebf59f51c43532a8695f7f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | services.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | services.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} | 0a5bc0c4edebf59f51c43532a8695f7f.exe

Executes dropped EXE (2 IoCs)
pid | Process
1524 | fservice.exe
3184 | services.exe

Loads dropped DLL (5 IoCs)
pid | Process
3184 | services.exe
3184 | services.exe
3184 | services.exe
1524 | fservice.exe
808 | 0a5bc0c4edebf59f51c43532a8695f7f.exe

Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | 0a5bc0c4edebf59f51c43532a8695f7f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | services.exe

Drops file in System32 directory (7 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\fservice.exe | 0a5bc0c4edebf59f51c43532a8695f7f.exe
File created | C:\Windows\SysWOW64\fservice.exe | fservice.exe
File opened for modification | C:\Windows\SysWOW64\fservice.exe | fservice.exe
File created | C:\Windows\SysWOW64\winkey.dll | services.exe
File created | C:\Windows\SysWOW64\reginv.dll | services.exe
File created | C:\Windows\SysWOW64\fservice.exe | services.exe
File created | C:\Windows\SysWOW64\fservice.exe | 0a5bc0c4edebf59f51c43532a8695f7f.exe

Drops file in Windows directory (7 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\services.exe | fservice.exe
File created | C:\Windows\system\sservice.exe | fservice.exe
File opened for modification | C:\Windows\system\sservice.exe | fservice.exe
File created | C:\Windows\system\sservice.exe | services.exe
File created | C:\Windows\system\sservice.exe | 0a5bc0c4edebf59f51c43532a8695f7f.exe
File opened for modification | C:\Windows\system\sservice.exe | 0a5bc0c4edebf59f51c43532a8695f7f.exe
File created | C:\Windows\services.exe | fservice.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (46 IoCs)
pid | Process
3184 | services.exe (all 46 IoCs are this same pid/process pair)

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
3184 | services.exe
3184 | services.exe

Suspicious use of WriteProcessMemory (18 IoCs; each row below is reported three times)
description | pid | Process | procid_target
PID 808 wrote to memory of 1524 | 808 | 0a5bc0c4edebf59f51c43532a8695f7f.exe | 33
PID 1524 wrote to memory of 3184 | 1524 | fservice.exe | 23
PID 3184 wrote to memory of 4596 | 3184 | services.exe | 24
PID 3184 wrote to memory of 4000 | 3184 | services.exe | 30
PID 4000 wrote to memory of 4360 | 4000 | NET.exe | 26
PID 4596 wrote to memory of 772 | 4596 | NET.exe | 27
Processes

C:\Users\Admin\AppData\Local\Temp\0a5bc0c4edebf59f51c43532a8695f7f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a5bc0c4edebf59f51c43532a8695f7f.exe"
  PID: 808
  - Modifies WinLogon for persistence
  - Adds policy Run key to start application
  - Modifies Installed Components in the registry
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\fservice.exe
      Command line: C:\Windows\system32\fservice.exe
      PID: 1524
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

C:\Windows\services.exe
  Command line: C:\Windows\services.exe -XP
  PID: 3184
  - Modifies WinLogon for persistence
  - Adds policy Run key to start application
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\NET.exe
      Command line: NET STOP srservice
      PID: 4596
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 STOP srservice
          PID: 772

    C:\Windows\SysWOW64\NET.exe
      Command line: NET STOP navapsvc
      PID: 4000
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 STOP navapsvc
          PID: 4360
Network
MITRE ATT&CK Enterprise v15
Downloads