Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 159s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/01/2024, 10:45
Static task: static1
Behavioral task: behavioral1
- Sample: 58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe
- Resource: win10v2004-20231215-en
General
- Target: 58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe
- Size: 2.7MB
- MD5: 58b8bb8708a1f5ae86f2f4b95a4b0b5d
- SHA1: cbefe83b9e62e9efda12989c4e3796d8bcdcf5c5
- SHA256: df3b33e6cec4fa8a86bfd8bbab94743322f84a24bd1b0e626c352cb97bc717d2
- SHA512: 4728c16e09cb8f03aa76e8a0489d29b299eb9430240cd43671d40ba5e8e7e185a08593c7de9988648370582a5af52d9b24b8337aa0213e7a8fb7f8e60b846003
- SSDEEP: 49152:0rxJB9slWY5T97x4rvXtO+jw4ztk9/FdLQz+V759YTZgl0wVHVN8A:0VOlWY9Sjd1ztgFd0SV759YFg6A
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid / Process:
  - 4424 svchost.exe
  - 1928 58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe
  - 5032 svchost.exe
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (1 IoC)
  - File created: C:\Windows\svchost.exe, by process 58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  pid / Process / procid_target:
  - PID 4492 (58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe) wrote to memory of PID 4424, procid_target 88
  - PID 4492 (58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe) wrote to memory of PID 4424, procid_target 88
  - PID 4492 (58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe) wrote to memory of PID 4424, procid_target 88
  - PID 4424 (svchost.exe) wrote to memory of PID 1928, procid_target 89
  - PID 4424 (svchost.exe) wrote to memory of PID 1928, procid_target 89
  - PID 4424 (svchost.exe) wrote to memory of PID 1928, procid_target 89
Processes
- C:\Users\Admin\AppData\Local\Temp\58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe (PID 4492), depth 1
  command line: "C:\Users\Admin\AppData\Local\Temp\58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\svchost.exe (PID 4424), depth 2
    command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe (PID 1928), depth 3
      command line: "C:\Users\Admin\AppData\Local\Temp\58b8bb8708a1f5ae86f2f4b95a4b0b5d.exe"
      - Executes dropped EXE
- C:\Windows\svchost.exe (PID 5032), depth 1
  command line: C:\Windows\svchost.exe
  - Executes dropped EXE
  - Drops file in Program Files directory
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 2.7MB
  MD5: cde57c7204fd4d791d026cd00b5b4f3c
  SHA1: be0e417a12914a48cca803d95d00775af03229a9
  SHA256: 0602d4990e62fae8afcdac444f66eabdd3224b0be86f25a0798ac42992be7602
  SHA512: 781170e7396afff18d86277791cb9cead5458cda6f115e2b46e400450fe3ff2d4cc8eeb329b35918db06f46b0d93a133537a486253369f9cc702c53b5250331a
- Filesize: 35KB
  MD5: 345861f739ef259c33abc7ef49b81694
  SHA1: 3b6aff327d91e66a207c0557eac6ddefab104598
  SHA256: fc3220611aded768e37b125c4e4d5a8ffdbf7dfa8d8c19c07c7791b486457948
  SHA512: 7b0aae948a594f29125a3e80f6c2b51421cda07f5ee4554538037f12b87d4b3937ee74fb400505efcd2a953c897a49d79d875148516dcef619c514251854dfad