Analysis
Max time kernel: 175s
Max time network: 175s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 09/01/2024, 17:07
Static task: static1
Behavioral task: behavioral1
  Sample: 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
  Resource: win10v2004-20231215-en
General
Target: 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
Size: 519KB
MD5: 4ee02d0aaa6c5973e34d05d0d6a7f19c
SHA1: 1d04a6a5db7e0fa2c06b3f2b4554aeabd9f78c68
SHA256: 0b90c40e938c22cb9bb9c9e8cf03d215b2e9e796d3e2f278a03c0438fe1a6597
SHA512: 059be49389131afcee3011f1821ab6f83ed52c6d11dec5caebb4938910fb851b782ad7614e90102332c48726c1d4cd04f426bf7dbce1cc8f6893977a6fa41bab
SSDEEP: 12288:yo5r7ZZ3RuAEEkCts0FNaWHcE+fcP1wb8HnAB88ZFg:yo5r7ZZ3d2mNa1H8RH/8U
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | services.exe

Adds policy Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | services.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | services.exe

Modifies Installed Components in the registry (2 TTPs, 5 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} | 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | services.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | services.exe

YARA rule match (packer)
  resource | yara_rule
  behavioral2/files/0x000600000002321f-45.dat | aspack_v212_v242

Executes dropped EXE (2 IoCs)
  pid | Process
  3108 | fservice.exe
  4768 | services.exe

Loads dropped DLL (3 IoCs)
  pid | Process
  4768 | services.exe (×3)

Modifies WinLogon (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | services.exe

Drops file in System32 directory (7 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\winkey.dll | services.exe
  File created | C:\Windows\SysWOW64\reginv.dll | services.exe
  File created | C:\Windows\SysWOW64\fservice.exe | services.exe
  File created | C:\Windows\SysWOW64\fservice.exe | 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
  File opened for modification | C:\Windows\SysWOW64\fservice.exe | 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
  File created | C:\Windows\SysWOW64\fservice.exe | fservice.exe
  File opened for modification | C:\Windows\SysWOW64\fservice.exe | fservice.exe

Drops file in Windows directory (7 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\services.exe | fservice.exe
  File created | C:\Windows\system\sservice.exe | fservice.exe
  File opened for modification | C:\Windows\system\sservice.exe | fservice.exe
  File created | C:\Windows\system\sservice.exe | services.exe
  File created | C:\Windows\system\sservice.exe | 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
  File opened for modification | C:\Windows\system\sservice.exe | 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe
  File created | C:\Windows\services.exe | fservice.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4740 | 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe (×2)
  3108 | fservice.exe (×2)
  4768 | services.exe (×60)

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  4768 | services.exe (×2)

Suspicious use of WriteProcessMemory (21 IoCs; each row is recorded three times)
  description | pid | Process | procid_target
  PID 4740 wrote to memory of 3108 (fservice.exe) | 4740 | 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe | 96 (×3)
  PID 4740 wrote to memory of 1644 (cmd.exe) | 4740 | 4ee02d0aaa6c5973e34d05d0d6a7f19c.exe | 95 (×3)
  PID 3108 wrote to memory of 4768 (services.exe) | 3108 | fservice.exe | 100 (×3)
  PID 4768 wrote to memory of 492 (NET.exe) | 4768 | services.exe | 109 (×3)
  PID 4768 wrote to memory of 2200 (NET.exe) | 4768 | services.exe | 106 (×3)
  PID 2200 wrote to memory of 4344 (net1.exe) | 2200 | NET.exe | 107 (×3)
  PID 492 wrote to memory of 2196 (net1.exe) | 492 | NET.exe | 108 (×3)
Processes

C:\Users\Admin\AppData\Local\Temp\4ee02d0aaa6c5973e34d05d0d6a7f19c.exe  (PID 4740, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4ee02d0aaa6c5973e34d05d0d6a7f19c.exe"
  - Modifies WinLogon for persistence
  - Adds policy Run key to start application
  - Modifies Installed Components in the registry
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 1644, depth 2)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\4ee02d0aaa6c5973e34d05d0d6a7f19c.exe.bat

  C:\Windows\SysWOW64\fservice.exe  (PID 3108, depth 2)
    Command line: C:\Windows\system32\fservice.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\services.exe  (PID 4768, depth 3)
      Command line: C:\Windows\services.exe -XP
      - Modifies WinLogon for persistence
      - Adds policy Run key to start application
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies WinLogon
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\NET.exe  (PID 2200, depth 4)
        Command line: NET STOP navapsvc
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe  (PID 4344, depth 5)
          Command line: C:\Windows\system32\net1 STOP navapsvc

      C:\Windows\SysWOW64\NET.exe  (PID 492, depth 4)
        Command line: NET STOP srservice
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe  (PID 2196, depth 5)
          Command line: C:\Windows\system32\net1 STOP srservice
          (Rendered at depth 1 in the original tree; the WriteProcessMemory rows show PID 492 as the parent, so it is placed under it here.)
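The Signatures and Processes sections above record three registry autostart writes (Winlogon\Shell extended to "Explorer.exe C:\Windows\system32\fservice.exe", a Policies\Explorer\Run value, and an Active Setup StubPath under a component name that is not a well-formed GUID), two NET STOP calls against navapsvc and srservice, and a services.exe running from C:\Windows rather than C:\Windows\System32. The Python below is an added example, not part of the tria.ge report or its tooling: it runs those checks over a constructed event list modelled on the report's IOCs plus two benign controls. The event field names and the SECURITY_SERVICES watch-list are assumptions, not a real log schema.

```python
"""Flag the persistence and defence-evasion behaviour recorded in this report.

Added example; not part of the tria.ge report or its tooling. EVENTS is a
constructed list mirroring the registry writes and process creations the
report lists, plus two benign controls. The field names (kind, key, value,
process, parent, image, cmdline) are this script's own schema, not a Sysmon
or EDR format, and SECURITY_SERVICES is an assumed watch-list.
"""
import ntpath
import re

# Winlogon\Shell: anything beyond a bare "explorer.exe" is an extra program Winlogon starts at logon.
WINLOGON_SHELL = re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\Shell$", re.I)
# Policies\Explorer\Run: a Group Policy autostart location that plain Run-key hunts miss.
POLICIES_RUN = re.compile(r"\\CurrentVersion\\Policies\\Explorer\\Run\\[^\\]+$", re.I)
# Active Setup StubPath runs once per user at logon; the component name should be a GUID.
ACTIVE_SETUP = re.compile(r"\\Active Setup\\Installed Components\\>?(\{[^}\\]+\})\\StubPath$", re.I)
GUID = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# "net stop <svc>" / "net1 stop <svc>", with or without a leading path.
NET_STOP = re.compile(r"^\s*(?:\S*\\)?net1?(?:\.exe)?\s+stop\s+(\S+)", re.I)
# navapsvc is Norton AntiVirus Auto-Protect, srservice is System Restore (assumed watch-list).
SECURITY_SERVICES = {"navapsvc", "srservice"}
# The genuine Service Control Manager binary lives only here.
SERVICES_EXE_DIR = r"c:\windows\system32"

EVENTS = [  # constructed from the report's IOCs; not a captured log
    {"kind": "reg_set", "process": "4ee02d0aaa6c5973e34d05d0d6a7f19c.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "value": r"Explorer.exe C:\Windows\system32\fservice.exe"},
    {"kind": "reg_set", "process": "services.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows",
     "value": r"C:\Windows\system32\fservice.exe"},
    {"kind": "reg_set", "process": "4ee02d0aaa6c5973e34d05d0d6a7f19c.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath",
     "value": r"C:\Windows\system\sservice.exe"},
    {"kind": "reg_set", "process": "explorer.exe",  # benign control: the default shell value
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "value": "explorer.exe"},
    {"kind": "proc_create", "parent": r"C:\Windows\SysWOW64\fservice.exe",
     "image": r"C:\Windows\services.exe", "cmdline": r"C:\Windows\services.exe -XP"},
    {"kind": "proc_create", "parent": r"C:\Windows\services.exe",
     "image": r"C:\Windows\SysWOW64\NET.exe", "cmdline": "NET STOP navapsvc"},
    {"kind": "proc_create", "parent": r"C:\Windows\SysWOW64\NET.exe",
     "image": r"C:\Windows\SysWOW64\net1.exe", "cmdline": r"C:\Windows\system32\net1 STOP srservice"},
    {"kind": "proc_create", "parent": r"C:\Windows\System32\cmd.exe",  # benign control: net use
     "image": r"C:\Windows\System32\net.exe", "cmdline": r"net use Z: \\fileserver\share"},
]


def check_registry(ev):
    """Return a finding for a persistence-relevant registry write, else None."""
    key, value, proc = ev["key"], ev["value"], ev["process"]
    if WINLOGON_SHELL.search(key):
        if value.strip().lower() != "explorer.exe":
            return f"Winlogon Shell hijack by {proc}: {value}"
        return None
    if POLICIES_RUN.search(key):
        return f"Policies\\Explorer\\Run autostart by {proc}: {value}"
    m = ACTIVE_SETUP.search(key)
    if m:
        note = "" if GUID.match(m.group(1)) else " (component name is not a well-formed GUID)"
        return f"Active Setup StubPath by {proc}: {value}{note}"
    return None


def check_process(ev):
    """Return a finding for a watched service being stopped or a masqueraded services.exe."""
    parent = ntpath.basename(ev["parent"])
    m = NET_STOP.match(ev["cmdline"])
    if m and m.group(1).lower() in SECURITY_SERVICES:
        return f"Security service stop via {ntpath.basename(ev['image'])}: {m.group(1)} (parent {parent})"
    image = ev["image"].lower()
    if ntpath.basename(image) == "services.exe" and ntpath.dirname(image) != SERVICES_EXE_DIR:
        return f"services.exe masquerade: {ev['image']} spawned by {parent}"
    return None


def triage(events):
    """Run each event through the check for its kind and collect findings in order."""
    findings = []
    for ev in events:
        hit = check_registry(ev) if ev["kind"] == "reg_set" else check_process(ev)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```

Against the constructed feed the script reports six findings and stays quiet on the two controls. The Winlogon check compares the whole value to a bare explorer.exe because Winlogon runs every program listed there, so the appended path is the indicator rather than the key being touched at all; the Active Setup check reports every StubPath write and adds a note when the component name is not a GUID, which is what gives the report's `{5Y99AE78-58TT-11dW-BE53-Y67078979Y}` away.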
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 133B
MD5: 5d84397466f8a032857aab5e6e777835
SHA1: 5f38d388701c1a6f8e4450a933a08c948014be12
SHA256: 0315c1c07b2d2c1c0443621d2c2bc61cc17df79cbac8a9592adc5a0f333eaa1c
SHA512: 43ee4b7733ca8d1c924ac3029fddce69c18d766509d8942c009a27eb5dbd8b6c50db9e6e75a8dbc9f7887e5f851de79db56ff4112e0dc8a9592e1ef64b0966f5

Filesize: 305KB
MD5: 817b23cb5b6e4a5a743bab6bcf7e1201
SHA1: 9f116b726b8e2d3cd4f7eafcb1e97a6fd5ae1360
SHA256: 9166594ee566a9c380e228008c115fed0c1efd12d068889c57268ecc28f74896
SHA512: 0b1e5bff71786832472daf72130521c562e8ff8909d9416987fc24d24f0f8a459ccd2dbdf0184274c41c4dd1cf5d464524b97c9e708474207c8a2e9dc5b100b3

Filesize: 342KB
MD5: 7ed77990ea8024b8f34c436484bf5109
SHA1: 90019392a1411350127d41900023189593bb835d
SHA256: 95dbc8dd0745e08fd148766c357b1db40335023fac745d05ffe46ec601aa3ba7
SHA512: c9850c438dd57ddf3afccd2bcbf6247b7fb1d9dd4ce637b03af0b9fc6c33582851430b59bc6cb7cf3395974c77eea898789f805eed94b1435c5129e565fe3ad6

Filesize: 89KB
MD5: d44dd9f1afc229119f460475f79ce1b4
SHA1: e8b0c3a8cf1fea56ed90efe25857a1f952994c6a
SHA256: ae853c948620c2fdf63eb42a89617029a5e04922f9d7f051c5afdcec5b2d18fe
SHA512: ae161235f4836e70ee80661ff297158dd3a88cdd79a286fa7cb6054a51703a4ef563e72dde500130a36e9c8d050580bef7104f55888fcd7a9f4dd21a216805d4

Filesize: 36KB
MD5: 562e0d01d6571fa2251a1e9f54c6cc69
SHA1: 83677ad3bc630aa6327253c7b3deffbd4a8ce905
SHA256: c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6
SHA512: 166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea

Filesize: 13KB
MD5: b4c72da9fd1a0dcb0698b7da97daa0cd
SHA1: b25a79e8ea4c723c58caab83aed6ea48de7ed759
SHA256: 45d266269634ba2de70f179a26d7224111e677e66b38dff2802851b71ce4458f
SHA512: f5f184416c5381d275bc093c9275e9fdb35c58e2c401d188aef097950013de6e43269da5d4dd5e7baea34735bd7de664d15fe487b2292fd66926c9845b0cd066

Filesize: 312KB
MD5: f38ce37681a00fe8a7a256bc81600863
SHA1: c4db256a34ebc3fcf25f391ecba82f9549e87a9c
SHA256: 09030eba6aa9d8ee5edd4ee98d9da7c573e77c044cc2f8254981376b71fd6f11
SHA512: 034afc5693d63cd976f2241c81c4a77792b5152126874a0a7bf0f1dc9f424365fad86efaa5883f9fa0a87e928bc236eeb23f666a2c160743f42c68534269eaad

Filesize: 519KB (the submitted sample; hashes match the General section)
MD5: 4ee02d0aaa6c5973e34d05d0d6a7f19c
SHA1: 1d04a6a5db7e0fa2c06b3f2b4554aeabd9f78c68
SHA256: 0b90c40e938c22cb9bb9c9e8cf03d215b2e9e796d3e2f278a03c0438fe1a6597
SHA512: 059be49389131afcee3011f1821ab6f83ed52c6d11dec5caebb4938910fb851b782ad7614e90102332c48726c1d4cd04f426bf7dbce1cc8f6893977a6fa41bab