Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

4ee02d0aaa...9c.exe

windows7-x64

10

4ee02d0aaa...9c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    175s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/01/2024, 17:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4ee02d0aaa6c5973e34d05d0d6a7f19c.exe

  • Size

    519KB

  • MD5

    4ee02d0aaa6c5973e34d05d0d6a7f19c

  • SHA1

    1d04a6a5db7e0fa2c06b3f2b4554aeabd9f78c68

  • SHA256

    0b90c40e938c22cb9bb9c9e8cf03d215b2e9e796d3e2f278a03c0438fe1a6597

  • SHA512

    059be49389131afcee3011f1821ab6f83ed52c6d11dec5caebb4938910fb851b782ad7614e90102332c48726c1d4cd04f426bf7dbce1cc8f6893977a6fa41bab

  • SSDEEP

    12288:yo5r7ZZ3RuAEEkCts0FNaWHcE+fcP1wb8HnAB88ZFg:yo5r7ZZ3d2mNa1H8RH/8U

Score
10/10
aspackv2persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 5 IoCs
    persistence
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 7 IoCs
  • Drops file in Windows directory 7 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
    "C:\Users\Admin\AppData\Local\Temp\4ee02d0aaa6c5973e34d05d0d6a7f19c.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds policy Run key to start application
    • Modifies Installed Components in the registry
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4740
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\4ee02d0aaa6c5973e34d05d0d6a7f19c.exe.bat
      2⤵
        PID:1644
      • C:\Windows\SysWOW64\fservice.exe
        C:\Windows\system32\fservice.exe
        2⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3108
        • C:\Windows\services.exe
          C:\Windows\services.exe -XP
          3⤵
          • Modifies WinLogon for persistence
          • Adds policy Run key to start application
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies WinLogon
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4768
          • C:\Windows\SysWOW64\NET.exe
            NET STOP navapsvc
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2200
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 STOP navapsvc
              5⤵
                PID:4344
            • C:\Windows\SysWOW64\NET.exe
              NET STOP srservice
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:492
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 STOP srservice
        1⤵
          PID:2196

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\4ee02d0aaa6c5973e34d05d0d6a7f19c.exe.bat
          Filesize

          133B

          MD5

          5d84397466f8a032857aab5e6e777835

          SHA1

          5f38d388701c1a6f8e4450a933a08c948014be12

          SHA256

          0315c1c07b2d2c1c0443621d2c2bc61cc17df79cbac8a9592adc5a0f333eaa1c

          SHA512

          43ee4b7733ca8d1c924ac3029fddce69c18d766509d8942c009a27eb5dbd8b6c50db9e6e75a8dbc9f7887e5f851de79db56ff4112e0dc8a9592e1ef64b0966f5

          Download Submit

        • C:\Windows\SysWOW64\fservice.exe
          Filesize

          305KB

          MD5

          817b23cb5b6e4a5a743bab6bcf7e1201

          SHA1

          9f116b726b8e2d3cd4f7eafcb1e97a6fd5ae1360

          SHA256

          9166594ee566a9c380e228008c115fed0c1efd12d068889c57268ecc28f74896

          SHA512

          0b1e5bff71786832472daf72130521c562e8ff8909d9416987fc24d24f0f8a459ccd2dbdf0184274c41c4dd1cf5d464524b97c9e708474207c8a2e9dc5b100b3

          Download Submit

        • C:\Windows\SysWOW64\fservice.exe
          Filesize

          342KB

          MD5

          7ed77990ea8024b8f34c436484bf5109

          SHA1

          90019392a1411350127d41900023189593bb835d

          SHA256

          95dbc8dd0745e08fd148766c357b1db40335023fac745d05ffe46ec601aa3ba7

          SHA512

          c9850c438dd57ddf3afccd2bcbf6247b7fb1d9dd4ce637b03af0b9fc6c33582851430b59bc6cb7cf3395974c77eea898789f805eed94b1435c5129e565fe3ad6

          Download Submit

        • C:\Windows\SysWOW64\fservice.exe
          Filesize

          89KB

          MD5

          d44dd9f1afc229119f460475f79ce1b4

          SHA1

          e8b0c3a8cf1fea56ed90efe25857a1f952994c6a

          SHA256

          ae853c948620c2fdf63eb42a89617029a5e04922f9d7f051c5afdcec5b2d18fe

          SHA512

          ae161235f4836e70ee80661ff297158dd3a88cdd79a286fa7cb6054a51703a4ef563e72dde500130a36e9c8d050580bef7104f55888fcd7a9f4dd21a216805d4

          Download Submit

        • C:\Windows\SysWOW64\reginv.dll
          Filesize

          36KB

          MD5

          562e0d01d6571fa2251a1e9f54c6cc69

          SHA1

          83677ad3bc630aa6327253c7b3deffbd4a8ce905

          SHA256

          c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6

          SHA512

          166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea

          Download Submit

        • C:\Windows\SysWOW64\winkey.dll
          Filesize

          13KB

          MD5

          b4c72da9fd1a0dcb0698b7da97daa0cd

          SHA1

          b25a79e8ea4c723c58caab83aed6ea48de7ed759

          SHA256

          45d266269634ba2de70f179a26d7224111e677e66b38dff2802851b71ce4458f

          SHA512

          f5f184416c5381d275bc093c9275e9fdb35c58e2c401d188aef097950013de6e43269da5d4dd5e7baea34735bd7de664d15fe487b2292fd66926c9845b0cd066

          Download Submit

        • C:\Windows\services.exe
          Filesize

          312KB

          MD5

          f38ce37681a00fe8a7a256bc81600863

          SHA1

          c4db256a34ebc3fcf25f391ecba82f9549e87a9c

          SHA256

          09030eba6aa9d8ee5edd4ee98d9da7c573e77c044cc2f8254981376b71fd6f11

          SHA512

          034afc5693d63cd976f2241c81c4a77792b5152126874a0a7bf0f1dc9f424365fad86efaa5883f9fa0a87e928bc236eeb23f666a2c160743f42c68534269eaad

          Download Submit

        • C:\Windows\system\sservice.exe
          Filesize

          519KB

          MD5

          4ee02d0aaa6c5973e34d05d0d6a7f19c

          SHA1

          1d04a6a5db7e0fa2c06b3f2b4554aeabd9f78c68

          SHA256

          0b90c40e938c22cb9bb9c9e8cf03d215b2e9e796d3e2f278a03c0438fe1a6597

          SHA512

          059be49389131afcee3011f1821ab6f83ed52c6d11dec5caebb4938910fb851b782ad7614e90102332c48726c1d4cd04f426bf7dbce1cc8f6893977a6fa41bab

          Download Submit

        • memory/3108-37-0x00000000009D0000-0x00000000009FD000-memory.dmp

          Filesize

          180KB

          Download

        • memory/3108-35-0x0000000002110000-0x0000000002111000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3108-15-0x00000000009D0000-0x00000000009FD000-memory.dmp

          Filesize

          180KB

          Download

        • memory/3108-22-0x0000000000400000-0x0000000000612000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/3108-24-0x00000000009D0000-0x00000000009FD000-memory.dmp

          Filesize

          180KB

          Download

        • memory/3108-30-0x0000000000400000-0x0000000000612000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/3108-32-0x00000000024B0000-0x00000000024B2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3108-23-0x0000000000400000-0x0000000000612000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/3108-40-0x0000000000400000-0x0000000000612000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/4740-3-0x0000000000400000-0x0000000000612000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/4740-2-0x0000000000400000-0x0000000000612000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/4740-1-0x00000000022A0000-0x00000000022CD000-memory.dmp

          Filesize

          180KB

          Download

        • memory/4740-0-0x0000000000400000-0x0000000000612000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/4740-5-0x0000000000400000-0x0000000000612000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/4740-4-0x00000000022A0000-0x00000000022CD000-memory.dmp

          Filesize

          180KB

          Download

        • memory/4740-18-0x00000000022A0000-0x00000000022CD000-memory.dmp

          Filesize

          180KB

          Download

        • memory/4740-6-0x0000000002670000-0x0000000002672000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4740-7-0x0000000002220000-0x0000000002221000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4740-21-0x0000000000400000-0x0000000000612000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/4768-51-0x0000000010000000-0x000000001000B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/4768-36-0x00000000007D0000-0x00000000007FD000-memory.dmp

          Filesize

          180KB

          Download

        • memory/4768-39-0x0000000000400000-0x0000000000612000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/4768-50-0x0000000000750000-0x0000000000751000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4768-49-0x0000000003CB0000-0x0000000003CB2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4768-47-0x0000000000400000-0x0000000000612000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/4768-43-0x00000000007D0000-0x00000000007FD000-memory.dmp

          Filesize

          180KB

          Download

        • memory/4768-42-0x0000000000400000-0x0000000000612000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/4768-41-0x0000000000400000-0x0000000000612000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/4768-60-0x00000000007D0000-0x00000000007FD000-memory.dmp

          Filesize

          180KB

          Download

        • memory/4768-63-0x0000000000400000-0x0000000000612000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/4768-64-0x0000000000400000-0x0000000000612000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/4768-65-0x0000000000750000-0x0000000000751000-memory.dmp

          Filesize

          4KB

          Download