Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

0a5bc0c4ed...7f.exe

windows7-x64

10

0a5bc0c4ed...7f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    22s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2023, 01:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0a5bc0c4edebf59f51c43532a8695f7f.exe

  • Size

    1.9MB

  • MD5

    0a5bc0c4edebf59f51c43532a8695f7f

  • SHA1

    346ccb61505d0c554997c5b767706a28393bbe69

  • SHA256

    8efdd75cbe81fcbeb47acf6082db087b668808f721aeaacc89d2b79efa4da971

  • SHA512

    9b18adf3d1d7f3100e153033f99728050f2188243d8aaf88f60abd9ed7ef02156d0267a9d5c1cdac7d45e6e3e2e3ea1a37b9054e2fb9f48f72f0bab096f4a9ba

  • SSDEEP

    12288:RFfwcHcu8pMkZ3Fn9d+Vd3SUZ+7EeI1x7f7V3+hT6DaRWz58kc+1xy8SyGR4Z:RJcu8pl9d+VdCUhN1SsNK+1pSyA4Z

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 5 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 7 IoCs
  • Drops file in Windows directory 7 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a5bc0c4edebf59f51c43532a8695f7f.exe
    "C:\Users\Admin\AppData\Local\Temp\0a5bc0c4edebf59f51c43532a8695f7f.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds policy Run key to start application
    • Modifies Installed Components in the registry
    • Loads dropped DLL
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Windows\SysWOW64\fservice.exe
      C:\Windows\system32\fservice.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1524
  • C:\Windows\services.exe
    C:\Windows\services.exe -XP
    1⤵
    • Modifies WinLogon for persistence
    • Adds policy Run key to start application
    • Modifies Installed Components in the registry
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3184
    • C:\Windows\SysWOW64\NET.exe
      NET STOP srservice
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4596
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP srservice
        3⤵
          PID:772
      • C:\Windows\SysWOW64\NET.exe
        NET STOP navapsvc
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4000
    • C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP navapsvc
      1⤵
        PID:4360

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\fservice.exe
        Filesize

        1.9MB

        MD5

        0a5bc0c4edebf59f51c43532a8695f7f

        SHA1

        346ccb61505d0c554997c5b767706a28393bbe69

        SHA256

        8efdd75cbe81fcbeb47acf6082db087b668808f721aeaacc89d2b79efa4da971

        SHA512

        9b18adf3d1d7f3100e153033f99728050f2188243d8aaf88f60abd9ed7ef02156d0267a9d5c1cdac7d45e6e3e2e3ea1a37b9054e2fb9f48f72f0bab096f4a9ba

        Download Submit

      • C:\Windows\SysWOW64\fservice.exe
        Filesize

        1.9MB

        MD5

        31d36ca4b092f3f3c6957f19d8da3ee2

        SHA1

        8b3413511e3a37f8d53059f167cd607033565100

        SHA256

        b09956593687c4b9a150b1a96468c8125244f064adb44744c3b0cf1ee0afa7a9

        SHA512

        fdbc9a2f689f64f579275ca4d14bb2da519eba67d58b495242529817ff15601456c14ea8254841dccc8723a4a5e51f42a46935803ad3bd89b54c614fa0adaaed

        Download Submit

      • C:\Windows\services.exe
        Filesize

        381KB

        MD5

        39fb84e9606cf2fd4081480f3f842a78

        SHA1

        2fe666e2427e407fb3e20d4cb8e58604f95ec6c7

        SHA256

        d9575b7f191c1d107ca3e52e408987a9cc6ef4d733f333235f6bd2d824ac3600

        SHA512

        44948d2a97fb96f71a0cf52d2384212f23ea07c23ecac74db74ec0dd9b7ad3fe54cd2169bad37ac348547e1612d5b5b70f3693748fa5166b78d7790caa2a54c3

        Download Submit

      • C:\Windows\services.exe
        Filesize

        125KB

        MD5

        29988069e1ae2739bdc76a3b6ac3d33b

        SHA1

        c4e7ad20e5567529ff1c348788641c64abd88c73

        SHA256

        556bcc72f632a33f141907be3f30892313a5b0610067bfe0f2f2cd228e308ab5

        SHA512

        e8e5118d7d2470110958a546a8017e171532047d54df96a17e8b01da0120f7b0b2f44090405a8e6f9f872a8c49a1e60a9a568e09bf6fc0e7109d1310466b6496

        Download Submit

      • memory/808-0-0x0000000000C20000-0x0000000000C21000-memory.dmp

        Filesize

        4KB

        Download

      • memory/808-33-0x0000000000400000-0x00000000005F8000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1524-8-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1524-32-0x0000000000400000-0x00000000005F8000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3184-34-0x0000000000400000-0x00000000005F8000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3184-45-0x0000000000400000-0x00000000005F8000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3184-35-0x0000000010000000-0x000000001000B000-memory.dmp

        Filesize

        44KB

        Download

      • memory/3184-17-0x00000000025B0000-0x00000000025B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3184-36-0x0000000000400000-0x00000000005F8000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3184-38-0x00000000025B0000-0x00000000025B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3184-39-0x0000000000400000-0x00000000005F8000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3184-41-0x0000000000400000-0x00000000005F8000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3184-43-0x0000000000400000-0x00000000005F8000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3184-22-0x0000000010000000-0x000000001000B000-memory.dmp

        Filesize

        44KB

        Download

      • memory/3184-47-0x0000000000400000-0x00000000005F8000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3184-49-0x0000000000400000-0x00000000005F8000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3184-51-0x0000000000400000-0x00000000005F8000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3184-53-0x0000000000400000-0x00000000005F8000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3184-55-0x0000000000400000-0x00000000005F8000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3184-57-0x0000000000400000-0x00000000005F8000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3184-59-0x0000000000400000-0x00000000005F8000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3184-61-0x0000000000400000-0x00000000005F8000-memory.dmp

        Filesize

        2.0MB

        Download