Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

2b607447d7...60.exe

windows7-x64

10

2b607447d7...60.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    206s
  • max time network
    200s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    31/12/2023, 06:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2b607447d7329e4b4cf411321d39be60.exe

  • Size

    1.7MB

  • MD5

    2b607447d7329e4b4cf411321d39be60

  • SHA1

    5e102f5055eb327d965e1ff542708f5c22993cb3

  • SHA256

    c6106ddc8029c3572223d988965baa220e14dbbe120b078a4b5a7d0546f7eb36

  • SHA512

    9640cd9eebcc85971c25a8617c73241ae37029509140bccae1ef6b9e1e74fe1e4ac0a3869c4448b7ad043ccc4b81be7060098627b0cfcadff6a6fbcef6f0e4a8

  • SSDEEP

    24576:h7WsPkA8QsBPyoG0HBrC2zJSKD5YKPmg/ptFL2De60BtKF+ho3njkoo/LZSS9e:hrEQsBT1D5YKPp/j0jN

Score
10/10
persistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 5 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • UPX packed file 30 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 7 IoCs
  • Drops file in Windows directory 8 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 63 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b607447d7329e4b4cf411321d39be60.exe
    "C:\Users\Admin\AppData\Local\Temp\2b607447d7329e4b4cf411321d39be60.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds policy Run key to start application
    • Modifies Installed Components in the registry
    • Loads dropped DLL
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Windows\SysWOW64\fservice.exe
      C:\Windows\system32\fservice.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Windows\services.exe
        C:\Windows\services.exe -XP
        3⤵
        • Modifies WinLogon for persistence
        • Adds policy Run key to start application
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies WinLogon
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Windows\SysWOW64\NET.exe
          NET STOP srservice
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:792
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 STOP srservice
            5⤵
              PID:2416
          • C:\Windows\SysWOW64\NET.exe
            NET STOP navapsvc
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:880
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 STOP navapsvc
              5⤵
                PID:2372
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\2b607447d7329e4b4cf411321d39be60.exe.bat
          2⤵
          • Deletes itself
          PID:1492

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\2b607447d7329e4b4cf411321d39be60.exe.bat
        Filesize

        133B

        MD5

        5300e7900660b56890cef6fb2a30d084

        SHA1

        343273fde8fbc94031b1d208b532d19cb7188e7a

        SHA256

        f8e986e36ebe53831268b627b4e2cd5c1a77b7b6e6384eb8a3cf90624b820e90

        SHA512

        6ab940529b9476e1b89cd5c05eb38e66a7e323409a5d0ca796ece522ba800cd90bf352d7cad2d479a4d12d5e4134ba3445c8ccd6df74748cb1538a4cf03c1e95

        Download Submit

      • C:\Windows\SysWOW64\fservice.exe
        Filesize

        1.1MB

        MD5

        c83631f686fbca7dbc0c9e9d5a5ee0cd

        SHA1

        1252d7c8732c719db251fb4eb0de5cdbfd8a2e2e

        SHA256

        afa4685f5b37589f8b952703eb2187281101b3e018309591c1463e257196b898

        SHA512

        5b0483051ca0d3bf315fdbc4c23cf6ad8745e4a87c03734e583ed2e3eed8d06d71a83d7e58d4660b27d830ddd5f88d1c364dc17786bc7c3c8d3fc99a8793c726

        Download Submit

      • C:\Windows\SysWOW64\fservice.exe
        Filesize

        725KB

        MD5

        b96167317b1c5f78bcf78535468b59e6

        SHA1

        794ab7055fcc8fe21ca3b57f4ceec4209177475e

        SHA256

        84c8a7859f276473fc0e7802ac1436ae525e7ad9cc1d64af7a115f96d1b3fe27

        SHA512

        05fb435f14d3724a58075d37ba5edf775d34ad3d2e62d9a9d64d87e3f783bf6b43cdf72775dcb4607dd0ba7ec69cec0ce8af58f900eac3a8cf1c9170572b1ecb

        Download Submit

      • C:\Windows\SysWOW64\fservice.exe
        Filesize

        562KB

        MD5

        63792c537f1822e0a21e6bacc110d602

        SHA1

        614aa55ffc59df96320ef451775810f023b53dc6

        SHA256

        a956beb0faf1d3f8ae10bc4dfa01032930b5bded02d2ffe431592219c642735d

        SHA512

        ea34bc924a0c38af2c1ece2268a187f391d2a82d86113624592639173ded861066891c05b62bb9686c4b5f8b559fed53a86abd710de2e85160e7a009b61d8e95

        Download Submit

      • C:\Windows\services.exe
        Filesize

        351KB

        MD5

        5d4ca9409c12359e0aaa4a75ae02453c

        SHA1

        68652e1d8feb46ebbc1c3872ec2d6c6428c7453b

        SHA256

        280f585a9081fb04fb2631189669234c87628b313240a4f5cbf82da7db86049c

        SHA512

        8d70faf551257fe87f865e424b03881312357515d2317ae6ce34b39cf25095e9270fff818cbcafa9bd6be0248988d7ceed1f1451489ed454d930c7fa5fde41d1

        Download Submit

      • C:\Windows\services.exe
        Filesize

        1.7MB

        MD5

        2b607447d7329e4b4cf411321d39be60

        SHA1

        5e102f5055eb327d965e1ff542708f5c22993cb3

        SHA256

        c6106ddc8029c3572223d988965baa220e14dbbe120b078a4b5a7d0546f7eb36

        SHA512

        9640cd9eebcc85971c25a8617c73241ae37029509140bccae1ef6b9e1e74fe1e4ac0a3869c4448b7ad043ccc4b81be7060098627b0cfcadff6a6fbcef6f0e4a8

        Download Submit

      • C:\Windows\system\sservice.exe
        Filesize

        699KB

        MD5

        f119e21a304b2abde405a277397834dc

        SHA1

        130b068c8df08051b7dd1353dfbd5bed744ba02d

        SHA256

        8507e739f5cbe0777d5e1d57e7225f80e05015b53cfa5c24c31290b1a2f443ff

        SHA512

        a710f39475846175ead92f1a6cc1fab2d193106d629c425d4d608745f70102a3d0beae49b0a436a646d049d5c750dd67b6b56b0d30c3365bb6d5e4ca7d0319cf

        Download Submit

      • \Windows\SysWOW64\fservice.exe
        Filesize

        633KB

        MD5

        150cf70d6afab712cde519b3dc772572

        SHA1

        2aac6066d459a40dce5ab3423ea169732ccde0f6

        SHA256

        1e79ffd69d0df0275f191770098cdd45a0adb9007b91b4201741a8985fa942eb

        SHA512

        b1310ae39870dae29168394fe1e7e5cc28a4e7478d7081ddf5ad77a19390135595e68de3bb139b4d5bafc0eb16766ebd78f58f07faaf126e311f1d6ed9665dcb

        Download Submit

      • \Windows\SysWOW64\fservice.exe
        Filesize

        1014KB

        MD5

        e13327722ccdf152c2b63334fd7657f3

        SHA1

        1e983ba044c0c1bf076813fabce69aa6424cb764

        SHA256

        abf0d015dc0329e1877e326c42640be72af1bd9c087a8bb218b2de78b9d5cc3e

        SHA512

        cc108e610c264fdfb7edf2a9e263b7927d35170f51747ff8862a6cba8a3cbbb7c93bf5f8ef250f3d21225fde6bb6f775bda0d93caf0471605b16dad8ed04457a

        Download Submit

      • \Windows\SysWOW64\reginv.dll
        Filesize

        36KB

        MD5

        d4a3f90e159ffbcbc4f9740de4b7f171

        SHA1

        0542f5d1e2c23dca8d90766b3a8537dc3880e5c9

        SHA256

        2200dd5f83d2fb8c5d3994206a4fa9ff34b4cbfe56ed39a9a03c954cf45d8f77

        SHA512

        5493beb50b5f7d8ec52f32718d01696916ae173456005d0c1294ce695161ce5004aff58ee3892bf5db0f9b23720146a6d3ae8ffbcbbd81f84d894fdc8cf75a94

        Download Submit

      • \Windows\SysWOW64\winkey.dll
        Filesize

        24KB

        MD5

        43e7d9b875c921ba6be38d45540fb9dd

        SHA1

        f22a73fc0d4aa3ea6c0b8f61d974b028f308acc4

        SHA256

        f1b2b0abe844e6ba812c7f8709a463a7f6c56fa6ac38d376a0739cc3469f795b

        SHA512

        2e74e23c0875b69b82319391c392132f28f4eb45aa412805130382498ae48969a06a2b3a7528b626fa7d7ddb6b006f19f0ef8d73cf73cb9a0c0df44a21077622

        Download Submit

      • memory/1664-30-0x0000000003080000-0x000000000327F000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1664-19-0x0000000000400000-0x00000000005FF000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1664-24-0x0000000000240000-0x0000000000241000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1664-49-0x0000000000400000-0x00000000005FF000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2536-35-0x0000000000240000-0x0000000000241000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2536-61-0x0000000000400000-0x00000000005FF000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2536-70-0x0000000000400000-0x00000000005FF000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2536-69-0x0000000000400000-0x00000000005FF000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2536-68-0x0000000000400000-0x00000000005FF000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2536-32-0x0000000000400000-0x00000000005FF000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2536-67-0x0000000000400000-0x00000000005FF000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2536-41-0x0000000000400000-0x00000000005FF000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2536-38-0x0000000000400000-0x00000000005FF000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2536-66-0x0000000000400000-0x00000000005FF000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2536-65-0x0000000000400000-0x00000000005FF000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2536-64-0x0000000000400000-0x00000000005FF000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2536-63-0x0000000000400000-0x00000000005FF000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2616-10-0x0000000002F00000-0x00000000030FF000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2616-59-0x0000000000400000-0x00000000005FF000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2616-1-0x0000000000400000-0x00000000005FF000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2616-50-0x0000000000400000-0x00000000005FF000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2616-2-0x0000000000240000-0x0000000000241000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2616-4-0x0000000000400000-0x00000000005FF000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2616-0-0x0000000000400000-0x00000000005FF000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2616-3-0x0000000000400000-0x00000000005FF000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2616-11-0x0000000000400000-0x00000000005FF000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2616-12-0x0000000000240000-0x0000000000241000-memory.dmp

        Filesize

        4KB

        Download