Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

2b607447d7...60.exe

windows7-x64

10

2b607447d7...60.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    10s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/12/2023, 06:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2b607447d7329e4b4cf411321d39be60.exe

  • Size

    1.7MB

  • MD5

    2b607447d7329e4b4cf411321d39be60

  • SHA1

    5e102f5055eb327d965e1ff542708f5c22993cb3

  • SHA256

    c6106ddc8029c3572223d988965baa220e14dbbe120b078a4b5a7d0546f7eb36

  • SHA512

    9640cd9eebcc85971c25a8617c73241ae37029509140bccae1ef6b9e1e74fe1e4ac0a3869c4448b7ad043ccc4b81be7060098627b0cfcadff6a6fbcef6f0e4a8

  • SSDEEP

    24576:h7WsPkA8QsBPyoG0HBrC2zJSKD5YKPmg/ptFL2De60BtKF+ho3njkoo/LZSS9e:hrEQsBT1D5YKPp/j0jN

Score
10/10
persistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 5 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 7 IoCs
  • Drops file in Windows directory 7 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b607447d7329e4b4cf411321d39be60.exe
    "C:\Users\Admin\AppData\Local\Temp\2b607447d7329e4b4cf411321d39be60.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds policy Run key to start application
    • Modifies Installed Components in the registry
    • Loads dropped DLL
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4288
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\2b607447d7329e4b4cf411321d39be60.exe.bat
      2⤵
        PID:4452
      • C:\Windows\SysWOW64\fservice.exe
        C:\Windows\system32\fservice.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1664
    • C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP navapsvc
      1⤵
        PID:4508
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP srservice
        1⤵
          PID:4640
        • C:\Windows\SysWOW64\NET.exe
          NET STOP navapsvc
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:2604
        • C:\Windows\SysWOW64\NET.exe
          NET STOP srservice
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:3140
        • C:\Windows\services.exe
          C:\Windows\services.exe -XP
          1⤵
          • Modifies WinLogon for persistence
          • Adds policy Run key to start application
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies WinLogon
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5072

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\fservice.exe
          Filesize

          389KB

          MD5

          dc0082f72a49fe72eb94ba9a0ee861a3

          SHA1

          cac1c9660002ed11a8eaace04802824f7d2efeff

          SHA256

          f93089e1706f0491833852d5f84682c643bbcfa6a88048c2ca0acbde7dc6464e

          SHA512

          ec6a33766ce3452ade211497edea910e6d06f8d30bf189bbfd4a13d411a2b1de74d0784a76137e1115520d9644358ef02a8c844f37c1a4b9ac9ee41b95206127

          Download Submit

        • C:\Windows\SysWOW64\fservice.exe
          Filesize

          897KB

          MD5

          385953e3eae111e9b62d27e7ad47d08f

          SHA1

          01dfc97cc3dea7e64a6f9642f7cf9a0cb873317a

          SHA256

          889a373a10ca9e2135ca0109d7b41bf38a6d16be816665f6fbe31a01f7cadacf

          SHA512

          d921845a0e21493977b761b7d3b7c7217c81aaca526a659d26ae6f08d57f1cbcc2486d7aaaa5ab9a0579930c7578cc8c39ed379522299825c4bab8eed1cd683a

          Download Submit

        • memory/1664-33-0x0000000000400000-0x00000000005FF000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/1664-9-0x0000000000700000-0x0000000000701000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4288-1-0x0000000002280000-0x0000000002281000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4288-35-0x0000000000400000-0x00000000005FF000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4288-0-0x0000000000400000-0x00000000005FF000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5072-41-0x0000000000400000-0x00000000005FF000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5072-45-0x0000000000400000-0x00000000005FF000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5072-38-0x0000000000400000-0x00000000005FF000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5072-39-0x0000000000400000-0x00000000005FF000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5072-40-0x00000000025B0000-0x00000000025B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5072-18-0x00000000025B0000-0x00000000025B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5072-42-0x0000000000400000-0x00000000005FF000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5072-43-0x0000000000400000-0x00000000005FF000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5072-44-0x0000000000400000-0x00000000005FF000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5072-37-0x0000000000400000-0x00000000005FF000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5072-46-0x0000000000400000-0x00000000005FF000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5072-47-0x0000000000400000-0x00000000005FF000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5072-48-0x0000000000400000-0x00000000005FF000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5072-49-0x0000000000400000-0x00000000005FF000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5072-50-0x0000000000400000-0x00000000005FF000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5072-51-0x0000000000400000-0x00000000005FF000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5072-52-0x0000000000400000-0x00000000005FF000-memory.dmp

          Filesize

          2.0MB

          Download