Analysis
max time kernel: 140s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/01/2024, 03:46
Static task: static1
Behavioral task: behavioral1
  Sample: 5c0dd9bdca98af3d296496f07a3d8cd5.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 5c0dd9bdca98af3d296496f07a3d8cd5.exe
  Resource: win10v2004-20231215-en
General
Target: 5c0dd9bdca98af3d296496f07a3d8cd5.exe
Size: 606KB
MD5: 5c0dd9bdca98af3d296496f07a3d8cd5
SHA1: 4c1967fbd36d4b6f85965d418ef331713ed8c126
SHA256: 8ed3425a9032e3bf6af2f8f99812aecb98266d7946d04c9e14c2065c175171a6
SHA512: 7851bbe09cdb174575e63e3e97cc4fecbfaa85fc5ef667979d7fa785684ec1decf3cb3614e2ae2527a3f0410f919daba368a8db89a80eeb2c45cb0fddd06ecfd
SSDEEP: 12288:8aOuKf6/agO+Xuc6G1ZRqLFuVOohOMDXasrXCckE3G:8ag5+Xj1nqcLDXa2CvEW
Malware Config
Signatures
- Executes dropped EXE (4 IoCs)
  pid 1280: svchost.exe
  pid 3312: 5c0dd9bdca98af3d296496f07a3d8cd5.exe
  pid 5060: svchost.exe
  pid 4956: update.exe
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\svchost.exe (process: 5c0dd9bdca98af3d296496f07a3d8cd5.exe)
  File opened for modification: C:\Windows\KB835221.log (process: update.exe)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeBackupPrivilege (pid 4956, update.exe)
  Token: SeRestorePrivilege (pid 4956, update.exe)
  Token: SeShutdownPrivilege (pid 4956, update.exe)
  Token: SeSecurityPrivilege (pid 4956, update.exe)
  Token: SeTakeOwnershipPrivilege (pid 4956, update.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4620 wrote to memory of 1280 (pid 4620, 5c0dd9bdca98af3d296496f07a3d8cd5.exe, procid_target 86)
  PID 4620 wrote to memory of 1280 (pid 4620, 5c0dd9bdca98af3d296496f07a3d8cd5.exe, procid_target 86)
  PID 4620 wrote to memory of 1280 (pid 4620, 5c0dd9bdca98af3d296496f07a3d8cd5.exe, procid_target 86)
  PID 1280 wrote to memory of 3312 (pid 1280, svchost.exe, procid_target 89)
  PID 1280 wrote to memory of 3312 (pid 1280, svchost.exe, procid_target 89)
  PID 1280 wrote to memory of 3312 (pid 1280, svchost.exe, procid_target 89)
  PID 3312 wrote to memory of 4956 (pid 3312, 5c0dd9bdca98af3d296496f07a3d8cd5.exe, procid_target 92)
  PID 3312 wrote to memory of 4956 (pid 3312, 5c0dd9bdca98af3d296496f07a3d8cd5.exe, procid_target 92)
  PID 3312 wrote to memory of 4956 (pid 3312, 5c0dd9bdca98af3d296496f07a3d8cd5.exe, procid_target 92)
Processes
C:\Users\Admin\AppData\Local\Temp\5c0dd9bdca98af3d296496f07a3d8cd5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5c0dd9bdca98af3d296496f07a3d8cd5.exe"
  PID: 4620
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\svchost.exe
    Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\5c0dd9bdca98af3d296496f07a3d8cd5.exe"
    PID: 1280
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\5c0dd9bdca98af3d296496f07a3d8cd5.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\5c0dd9bdca98af3d296496f07a3d8cd5.exe"
      PID: 3312
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      \??\c:\a6b349ebddab1e316c392d548ed70c\update\update.exe
        Command line: c:\a6b349ebddab1e316c392d548ed70c\update\update.exe
        PID: 4956
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
C:\Windows\svchost.exe
  Command line: C:\Windows\svchost.exe
  PID: 5060
  - Executes dropped EXE
  - Drops file in Program Files directory
Network
MITRE ATT&CK Matrix
Downloads