Analysis
- max time kernel: 140s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 13/01/2024, 10:45
Static task: static1
Behavioral task: behavioral1
- Sample: 58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe
- Resource: win10v2004-20231215-en
General
- Target: 58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe
- Size: 2.7MB
- MD5: 58b8bb8708a1f5ae86f2f4b95a4b0b5d
- SHA1: cbefe83b9e62e9efda12989c4e3796d8bcdcf5c5
- SHA256: df3b33e6cec4fa8a86bfd8bbab94743322f84a24bd1b0e626c352cb97bc717d2
- SHA512: 4728c16e09cb8f03aa76e8a0489d29b299eb9430240cd43671d40ba5e8e7e185a08593c7de9988648370582a5af52d9b24b8337aa0213e7a8fb7f8e60b846003
- SSDEEP: 49152:0rxJB9slWY5T97x4rvXtO+jw4ztk9/FdLQz+V759YTZgl0wVHVN8A:0VOlWY9Sjd1ztgFd0SV759YFg6A
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
- pid 2864, process svchost.exe
- pid 3000, process 58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe
- pid 3068, process svchost.exe
Loads dropped DLL (5 IoCs)
- pid 2864, process svchost.exe (2 events)
- pid 3000, process 58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe (3 events)
Drops file in Program Files directory (39 IoCs)
All 39 entries are "File opened for modification" by process svchost.exe; the ioc paths are:
- C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe
- C:\Program Files\7-Zip\7z.exe
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\java.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe
- C:\Program Files\7-Zip\Uninstall.exe
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
- C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe
- C:\Program Files\7-Zip\7zG.exe
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe
- C:\Program Files\7-Zip\7zFM.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe
- C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe
- C:\Program Files\Google\Chrome\Application\chrome.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe
- C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe
Drops file in Windows directory (1 IoC)
- File created: C:\Windows\svchost.exe, process 58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe
Suspicious use of WriteProcessMemory (11 IoCs)
- PID 2652 (58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe) wrote to memory of 2864, procid_target 18 (4 events)
- PID 2864 (svchost.exe) wrote to memory of 3000, procid_target 17 (7 events)
Processes
- C:\Windows\svchost.exe
  Command line: C:\Windows\svchost.exe
  PID: 3068
  Signatures: Executes dropped EXE; Drops file in Program Files directory
- C:\Users\Admin\AppData\Local\Temp\58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe"
  PID: 3000
  Signatures: Executes dropped EXE; Loads dropped DLL
- C:\Windows\svchost.exe
  Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe"
  PID: 2864
  Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe"
  PID: 2652
  Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
Downloads