Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

115ca675f0...8c.exe

windows7-x64

10

115ca675f0...8c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2023, 06:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    115ca675f0098d320aeeaca88e9b248c.exe

  • Size

    52KB

  • MD5

    115ca675f0098d320aeeaca88e9b248c

  • SHA1

    c254ec13ab67c6c3b5fdbeee8151a1c5544e95b3

  • SHA256

    fa26c4168f6518c8c4169e170046652565718984f29b6cf78f38f993bbf043b6

  • SHA512

    c2fdff3229f61ba68eaa3417c5de6eefef2625c382d51dc38c624e936073bf03ca64a3bbed7ec9da2b3ecc84f4ee0723a2ff234e46e805d67117fa3dfa9cc75e

  • SSDEEP

    768:Yl0RWNvjjZpolW1dmaW4KpQDxdjjmADoOEsxzWM6H8A7DOEAc:cAQbcy0Oc

Score
10/10
evasion

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Stops running service(s) 3 TTPs
    evasion
  • Drops file in System32 directory 2 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\115ca675f0098d320aeeaca88e9b248c.exe
    "C:\Users\Admin\AppData\Local\Temp\115ca675f0098d320aeeaca88e9b248c.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3404
    • C:\Windows\SysWOW64\net.exe
      net stop wscsvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3732
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop wscsvc
        3⤵
          PID:2080
      • C:\Windows\SysWOW64\net.exe
        net stop sharedaccess
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1016
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop sharedaccess
          3⤵
            PID:1972
        • C:\Windows\SysWOW64\sc.exe
          sc delete wscsvc
          2⤵
          • Launches sc.exe
          PID:4460
        • C:\Windows\SysWOW64\sc.exe
          sc delete sharedaccess
          2⤵
          • Launches sc.exe
          PID:2412

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\svcctrl.exe
        Filesize

        41KB

        MD5

        11268d494f61b568f72a3a0ff09c4076

        SHA1

        2d29f7e709a41ba6207a7a438dde2d12c229b8ed

        SHA256

        aef81f820d4e6f4ae3015b088f21ae806d5d8c1a8c6ff3e3da482fbd04ec7c0e

        SHA512

        87b18bd137b7d38fba899ffa9315aaf0615ffdc771f6180735294b0bac45d6db72437cd714865be0d39145e524bc45ddd691eda24c3ff40558cbf27fa75a48fc

        Download Submit