Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
10s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
31/12/2023, 06:14
Behavioral task
behavioral1
Sample
2b607447d7329e4b4cf411321d39be60.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2b607447d7329e4b4cf411321d39be60.exe
Resource
win10v2004-20231222-en
General
-
Target
2b607447d7329e4b4cf411321d39be60.exe
-
Size
1.7MB
-
MD5
2b607447d7329e4b4cf411321d39be60
-
SHA1
5e102f5055eb327d965e1ff542708f5c22993cb3
-
SHA256
c6106ddc8029c3572223d988965baa220e14dbbe120b078a4b5a7d0546f7eb36
-
SHA512
9640cd9eebcc85971c25a8617c73241ae37029509140bccae1ef6b9e1e74fe1e4ac0a3869c4448b7ad043ccc4b81be7060098627b0cfcadff6a6fbcef6f0e4a8
-
SSDEEP
24576:h7WsPkA8QsBPyoG0HBrC2zJSKD5YKPmg/ptFL2De60BtKF+ho3njkoo/LZSS9e:hrEQsBT1D5YKPp/j0jN
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" 2b607447d7329e4b4cf411321d39be60.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" services.exe -
Adds policy Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 2b607447d7329e4b4cf411321d39be60.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" 2b607447d7329e4b4cf411321d39be60.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" services.exe -
Modifies Installed Components in the registry 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" 2b607447d7329e4b4cf411321d39be60.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ services.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" services.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} 2b607447d7329e4b4cf411321d39be60.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ 2b607447d7329e4b4cf411321d39be60.exe -
Executes dropped EXE 2 IoCs
pid Process 1664 fservice.exe 5072 services.exe -
Loads dropped DLL 5 IoCs
pid Process 5072 services.exe 5072 services.exe 5072 services.exe 1664 fservice.exe 4288 2b607447d7329e4b4cf411321d39be60.exe -
resource yara_rule behavioral2/memory/4288-0-0x0000000000400000-0x00000000005FF000-memory.dmp upx behavioral2/memory/4288-35-0x0000000000400000-0x00000000005FF000-memory.dmp upx behavioral2/memory/1664-33-0x0000000000400000-0x00000000005FF000-memory.dmp upx behavioral2/files/0x000600000001e5df-7.dat upx behavioral2/files/0x000600000001e5df-6.dat upx behavioral2/memory/5072-37-0x0000000000400000-0x00000000005FF000-memory.dmp upx behavioral2/memory/5072-38-0x0000000000400000-0x00000000005FF000-memory.dmp upx behavioral2/memory/5072-39-0x0000000000400000-0x00000000005FF000-memory.dmp upx behavioral2/memory/5072-41-0x0000000000400000-0x00000000005FF000-memory.dmp upx behavioral2/memory/5072-42-0x0000000000400000-0x00000000005FF000-memory.dmp upx behavioral2/memory/5072-43-0x0000000000400000-0x00000000005FF000-memory.dmp upx behavioral2/memory/5072-44-0x0000000000400000-0x00000000005FF000-memory.dmp upx behavioral2/memory/5072-45-0x0000000000400000-0x00000000005FF000-memory.dmp upx behavioral2/memory/5072-46-0x0000000000400000-0x00000000005FF000-memory.dmp upx behavioral2/memory/5072-47-0x0000000000400000-0x00000000005FF000-memory.dmp upx behavioral2/memory/5072-48-0x0000000000400000-0x00000000005FF000-memory.dmp upx behavioral2/memory/5072-49-0x0000000000400000-0x00000000005FF000-memory.dmp upx behavioral2/memory/5072-50-0x0000000000400000-0x00000000005FF000-memory.dmp upx behavioral2/memory/5072-51-0x0000000000400000-0x00000000005FF000-memory.dmp upx behavioral2/memory/5072-52-0x0000000000400000-0x00000000005FF000-memory.dmp upx -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ 2b607447d7329e4b4cf411321d39be60.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ services.exe -
Drops file in System32 directory 7 IoCs
description ioc Process File created C:\Windows\SysWOW64\fservice.exe services.exe File created C:\Windows\SysWOW64\fservice.exe 2b607447d7329e4b4cf411321d39be60.exe File opened for modification C:\Windows\SysWOW64\fservice.exe 2b607447d7329e4b4cf411321d39be60.exe File created C:\Windows\SysWOW64\fservice.exe fservice.exe File opened for modification C:\Windows\SysWOW64\fservice.exe fservice.exe File created C:\Windows\SysWOW64\winkey.dll services.exe File created C:\Windows\SysWOW64\reginv.dll services.exe -
Drops file in Windows directory 7 IoCs
description ioc Process File created C:\Windows\system\sservice.exe 2b607447d7329e4b4cf411321d39be60.exe File opened for modification C:\Windows\system\sservice.exe 2b607447d7329e4b4cf411321d39be60.exe File created C:\Windows\services.exe fservice.exe File opened for modification C:\Windows\services.exe fservice.exe File created C:\Windows\system\sservice.exe fservice.exe File opened for modification C:\Windows\system\sservice.exe fservice.exe File created C:\Windows\system\sservice.exe services.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid Process 5072 services.exe 5072 services.exe 5072 services.exe 5072 services.exe 5072 services.exe 5072 services.exe 5072 services.exe 5072 services.exe 5072 services.exe 5072 services.exe 5072 services.exe 5072 services.exe 5072 services.exe 5072 services.exe 5072 services.exe 5072 services.exe 5072 services.exe 5072 services.exe 5072 services.exe 5072 services.exe 5072 services.exe 5072 services.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 5072 services.exe 5072 services.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 4288 wrote to memory of 1664 4288 2b607447d7329e4b4cf411321d39be60.exe 31 PID 4288 wrote to memory of 1664 4288 2b607447d7329e4b4cf411321d39be60.exe 31 PID 4288 wrote to memory of 1664 4288 2b607447d7329e4b4cf411321d39be60.exe 31 PID 1664 wrote to memory of 5072 1664 fservice.exe 30 PID 1664 wrote to memory of 5072 1664 fservice.exe 30 PID 1664 wrote to memory of 5072 1664 fservice.exe 30 PID 5072 wrote to memory of 3140 5072 services.exe 28 PID 5072 wrote to memory of 3140 5072 services.exe 28 PID 5072 wrote to memory of 3140 5072 services.exe 28 PID 5072 wrote to memory of 2604 5072 services.exe 27 PID 5072 wrote to memory of 2604 5072 services.exe 27 PID 5072 wrote to memory of 2604 5072 services.exe 27 PID 2604 wrote to memory of 4508 2604 NET.exe 21 PID 2604 wrote to memory of 4508 2604 NET.exe 21 PID 2604 wrote to memory of 4508 2604 NET.exe 21 PID 3140 wrote to memory of 4640 3140 NET.exe 25 PID 3140 wrote to memory of 4640 3140 NET.exe 25 PID 3140 wrote to memory of 4640 3140 NET.exe 25 PID 4288 wrote to memory of 4452 4288 2b607447d7329e4b4cf411321d39be60.exe 24 PID 4288 wrote to memory of 4452 4288 2b607447d7329e4b4cf411321d39be60.exe 24 PID 4288 wrote to memory of 4452 4288 2b607447d7329e4b4cf411321d39be60.exe 24
Processes
-
C:\Users\Admin\AppData\Local\Temp\2b607447d7329e4b4cf411321d39be60.exe"C:\Users\Admin\AppData\Local\Temp\2b607447d7329e4b4cf411321d39be60.exe"1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2b607447d7329e4b4cf411321d39be60.exe.bat2⤵PID:4452
-
-
C:\Windows\SysWOW64\fservice.exeC:\Windows\system32\fservice.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1664
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP navapsvc1⤵PID:4508
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP srservice1⤵PID:4640
-
C:\Windows\SysWOW64\NET.exeNET STOP navapsvc1⤵
- Suspicious use of WriteProcessMemory
PID:2604
-
C:\Windows\SysWOW64\NET.exeNET STOP srservice1⤵
- Suspicious use of WriteProcessMemory
PID:3140
-
C:\Windows\services.exeC:\Windows\services.exe -XP1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5072
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
389KB
MD5dc0082f72a49fe72eb94ba9a0ee861a3
SHA1cac1c9660002ed11a8eaace04802824f7d2efeff
SHA256f93089e1706f0491833852d5f84682c643bbcfa6a88048c2ca0acbde7dc6464e
SHA512ec6a33766ce3452ade211497edea910e6d06f8d30bf189bbfd4a13d411a2b1de74d0784a76137e1115520d9644358ef02a8c844f37c1a4b9ac9ee41b95206127
-
Filesize
897KB
MD5385953e3eae111e9b62d27e7ad47d08f
SHA101dfc97cc3dea7e64a6f9642f7cf9a0cb873317a
SHA256889a373a10ca9e2135ca0109d7b41bf38a6d16be816665f6fbe31a01f7cadacf
SHA512d921845a0e21493977b761b7d3b7c7217c81aaca526a659d26ae6f08d57f1cbcc2486d7aaaa5ab9a0579930c7578cc8c39ed379522299825c4bab8eed1cd683a