Analysis
max time kernel: 55s
max time network: 127s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 09/01/2024, 17:07
Static task: static1
Behavioral task: behavioral1
  Sample: 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
  Resource: win10v2004-20231215-en
General
Target: 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
Size: 519KB
MD5: 4ee02d0aaa6c5973e34d05d0d6a7f19c
SHA1: 1d04a6a5db7e0fa2c06b3f2b4554aeabd9f78c68
SHA256: 0b90c40e938c22cb9bb9c9e8cf03d215b2e9e796d3e2f278a03c0438fe1a6597
SHA512: 059be49389131afcee3011f1821ab6f83ed52c6d11dec5caebb4938910fb851b782ad7614e90102332c48726c1d4cd04f426bf7dbce1cc8f6893977a6fa41bab
SSDEEP: 12288:yo5r7ZZ3RuAEEkCts0FNaWHcE+fcP1wb8HnAB88ZFg:yo5r7ZZ3d2mNa1H8RH/8U
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"  [process: 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe]
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"  [process: services.exe]
Adds policy Run key to start application (2 TTPs, 4 IoCs)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run  [process: 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe]
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"  [process: 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe]
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run  [process: services.exe]
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"  [process: services.exe]
Modifies Installed Components in the registry (2 TTPs, 5 IoCs)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\  [process: 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe]
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"  [process: 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe]
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\  [process: services.exe]
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"  [process: services.exe]
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}  [process: 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe]
YARA match
  - resource: behavioral1/files/0x000d000000014636-66.dat  [yara_rule: aspack_v212_v242]
Deletes itself (1 IoC)
  - PID 2592  cmd.exe
Executes dropped EXE (2 IoCs)
  - PID 2824  fservice.exe
  - PID 2628  services.exe
Loads dropped DLL (4 IoCs)
  - PID 2188  4ee02d0aaa6c5973e34d05d0d6a7f19c.exe  (x2)
  - PID 2628  services.exe  (x2)
Modifies WinLogon (2 TTPs, 2 IoCs)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\  [process: 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe]
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\  [process: services.exe]
Drops file in System32 directory (7 IoCs)
  - File opened for modification: C:\Windows\SysWOW64\fservice.exe  [process: 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe]
  - File created: C:\Windows\SysWOW64\fservice.exe  [process: fservice.exe]
  - File opened for modification: C:\Windows\SysWOW64\fservice.exe  [process: fservice.exe]
  - File created: C:\Windows\SysWOW64\winkey.dll  [process: services.exe]
  - File created: C:\Windows\SysWOW64\reginv.dll  [process: services.exe]
  - File created: C:\Windows\SysWOW64\fservice.exe  [process: services.exe]
  - File created: C:\Windows\SysWOW64\fservice.exe  [process: 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe]
Drops file in Windows directory (8 IoCs)
  - File opened for modification: C:\Windows\system\sservice.exe  [process: 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe]
  - File created: C:\Windows\services.exe  [process: fservice.exe]
  - File opened for modification: C:\Windows\services.exe  [process: fservice.exe]
  - File created: C:\Windows\system\sservice.exe  [process: fservice.exe]
  - File opened for modification: C:\Windows\system\sservice.exe  [process: fservice.exe]
  - File created: C:\Windows\system\sservice.exe  [process: services.exe]
  - File opened for modification: C:\Windows\system\sservice.exe  [process: services.exe]
  - File created: C:\Windows\system\sservice.exe  [process: 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe]
Runs net.exe
Suspicious behavior: EnumeratesProcesses (19 IoCs)
  - PID 2188  4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
  - PID 2824  fservice.exe
  - PID 2628  services.exe  (x17)
Suspicious use of SetWindowsHookEx (2 IoCs)
  - PID 2628  services.exe  (x2)
Suspicious use of WriteProcessMemory (28 IoCs; each row was recorded 4 times)
  source PID  source process                          target PID  procid_target  count
  2188        4ee02d0aaa6c5973e34d05d0d6a7f19c.exe    2824        30             x4
  2188        4ee02d0aaa6c5973e34d05d0d6a7f19c.exe    2592        29             x4
  2824        fservice.exe                            2628        31             x4
  2628        services.exe                            2888        35             x4
  2628        services.exe                            2788        33             x4
  2888        NET.exe                                 1632        36             x4
  2788        NET.exe                                 1644        37             x4
Processes
C:\Users\Admin\AppData\Local\Temp\4ee02d0aaa6c5973e34d05d0d6a7f19c.exe  (PID 2188, depth 1)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\4ee02d0aaa6c5973e34d05d0d6a7f19c.exe"
  - Modifies WinLogon for persistence
  - Adds policy Run key to start application
  - Modifies Installed Components in the registry
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe  (PID 2592, depth 2)
    cmdline: cmd /c C:\Users\Admin\AppData\Local\Temp\4ee02d0aaa6c5973e34d05d0d6a7f19c.exe.bat
    - Deletes itself
  C:\Windows\SysWOW64\fservice.exe  (PID 2824, depth 2)
    cmdline: C:\Windows\system32\fservice.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\services.exe  (PID 2628, depth 3)
      cmdline: C:\Windows\services.exe -XP
      - Modifies WinLogon for persistence
      - Adds policy Run key to start application
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies WinLogon
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\NET.exe  (PID 2788, depth 4)
        cmdline: NET STOP navapsvc
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe  (PID 1644, depth 5)
          cmdline: C:\Windows\system32\net1 STOP navapsvc
      C:\Windows\SysWOW64\NET.exe  (PID 2888, depth 4)
        cmdline: NET STOP srservice
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe  (PID 1632, depth 5)
          cmdline: C:\Windows\system32\net1 STOP srservice
Network
MITRE ATT&CK Enterprise v15
Downloads