Analysis
max time kernel: 147s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 02/02/2024, 04:58
Static task: static1
Behavioral task: behavioral1
  Sample: 889dcfb95e9eb0de560fdebb1ca8e134.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 889dcfb95e9eb0de560fdebb1ca8e134.exe
  Resource: win10v2004-20231215-en
General
Target: 889dcfb95e9eb0de560fdebb1ca8e134.exe
Size: 31KB
MD5: 889dcfb95e9eb0de560fdebb1ca8e134
SHA1: fedd71e7dfb8e621fbcf21076b960124e1e3cfc8
SHA256: 2f0ccba89b239c41fbf696ac20eb19b457f34b146b64ff23fe7e0ef9dca6b653
SHA512: 9efd6dea02be28e09cebe2ad35e7850f5f09efc2747fef0cbaf1afb23150e903526e26abcb40fa8bd3520c1a76a52d8cae8d35031f2a29fd51705830cd0750e8
SSDEEP: 768:HrH0Fg6dCRobVLtmKubsDxKNTy4SmXUKBs2EQVe6:HrHQURobXmKTmk6E0e
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
  PID 2032  cservs.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\win32serv = "cservs.exe"  by 889dcfb95e9eb0de560fdebb1ca8e134.exe
  Note: the Wow6432Node path is the redirected view a 32-bit process gets under WOW64 when it writes HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on a 64-bit host, so a hunt should check both registry views. The value is a bare filename rather than a full path; CreateProcess resolves such a name through its default search path, which includes the Windows directory, and that is where the sample places cservs.exe (see the file drops below).
-
Drops file in Windows directory (4 IoCs)
  File opened for modification  C:\Windows\Images-2007-12.zip  by cservs.exe
  File created                  C:\Windows\Images-2007-12.zip  by 889dcfb95e9eb0de560fdebb1ca8e134.exe
  File created                  C:\Windows\cservs.exe          by 889dcfb95e9eb0de560fdebb1ca8e134.exe
  File opened for modification  C:\Windows\cservs.exe          by 889dcfb95e9eb0de560fdebb1ca8e134.exe
-
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 3032 (889dcfb95e9eb0de560fdebb1ca8e134.exe) wrote to memory of PID 2032, procid_target 28  (recorded four times)
  Note: the writer is the parent and the target is its own child, cservs.exe. Parent-to-child memory writes also occur during ordinary process creation, so this entry on its own does not establish code injection; the persistence and file-drop signatures above are the stronger evidence here.
Processes
-
C:\Users\Admin\AppData\Local\Temp\889dcfb95e9eb0de560fdebb1ca8e134.exe  "C:\Users\Admin\AppData\Local\Temp\889dcfb95e9eb0de560fdebb1ca8e134.exe"  (level 1, PID 3032)
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\cservs.exe  "C:\Windows\cservs.exe"  (level 2, PID 2032, child of 3032)
    - Executes dropped EXE
    - Drops file in Windows directory
-
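The behaviours above (the Run value, the two files under C:\Windows, the dropped EXE executing as a child of the sample) are what a responder would want to hunt for on other hosts. The script below is an added example, not part of the tria.ge report: it takes the indicator values from this report and matches them against Sysmon-style process-create, file-create and registry-set events. The event records and their field names (`event`, `image`, `target`, `key`, `data`, `hashes`) are constructed here as a stand-in for real telemetry and are assumptions; a real deployment would map them from the collector's actual schema.

```python
"""Match the host artefacts recorded in this tria.ge report against Sysmon-style telemetry.

Added example, not part of the report. The indicator values come from the report;
the event records and their field names are constructed stand-ins for Sysmon
event IDs 1 (process create), 11 (file create) and 13 (registry value set).
"""
import hashlib

# Hashes listed in the General and Downloads sections of the report.
KNOWN_HASHES = {
    "md5": {"889dcfb95e9eb0de560fdebb1ca8e134", "ce674452898fa6e13288185d73d67f25"},
    "sha1": {"fedd71e7dfb8e621fbcf21076b960124e1e3cfc8", "b4f46964fd66ed1e4f59a192e24278554b17e9da"},
    "sha256": {
        "2f0ccba89b239c41fbf696ac20eb19b457f34b146b64ff23fe7e0ef9dca6b653",
        "b312eab633ac919eb9fab7b18a54c90389d52bd5445805069f72ece5d8fd686e",
    },
}
# Files the sample created or modified under C:\Windows.
DROPPED_PATHS = {r"c:\windows\cservs.exe", r"c:\windows\images-2007-12.zip"}
# Run value written by the sample. Only the tail of the key is matched so that both
# the native HKLM\SOFTWARE view and the Wow6432Node view (what the report logged) hit.
RUN_VALUE_TAIL = r"\microsoft\windows\currentversion\run\win32serv"
RUN_VALUE_DATA = "cservs.exe"


def _norm(s: str) -> str:
    """Lower-case and strip surrounding quotes so paths from different sources compare equal."""
    return s.strip().strip('"').lower()


def match_event(ev: dict) -> list:
    """Return human-readable hits for one event; an empty list means nothing matched."""
    hits = []
    kind = ev.get("event")
    if kind == "process_create":
        if _norm(ev.get("image", "")) in DROPPED_PATHS:
            hits.append(f"executed dropped file {ev['image']}")
        for algo, digest in ev.get("hashes", {}).items():
            if digest.lower() in KNOWN_HASHES.get(algo, set()):
                hits.append(f"{algo} of {ev['image']} matches the report")
    elif kind == "file_create":
        if _norm(ev.get("target", "")) in DROPPED_PATHS:
            hits.append(f"{ev['image']} created {ev['target']}")
    elif kind == "registry_set":
        if (_norm(ev.get("key", "")).endswith(RUN_VALUE_TAIL)
                and _norm(ev.get("data", "")) == RUN_VALUE_DATA):
            hits.append(f"{ev['image']} set Run value win32serv = {ev['data']}")
    return hits


def scan(events) -> list:
    """Run match_event over an event stream; return (event index, hit text) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in match_event(ev)]


def hashes_of(data: bytes) -> dict:
    """Digest a file body with the algorithms the report lists, for comparison with KNOWN_HASHES."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


# Constructed sample telemetry (not from the report); PIDs mirror the report's process tree.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\889dcfb95e9eb0de560fdebb1ca8e134.exe"
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 3032, "image": SAMPLE,
     "hashes": {"sha256": "2f0ccba89b239c41fbf696ac20eb19b457f34b146b64ff23fe7e0ef9dca6b653"}},
    {"event": "registry_set", "image": SAMPLE,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\win32serv",
     "data": "cservs.exe"},
    {"event": "file_create", "image": SAMPLE, "target": r"C:\Windows\cservs.exe"},
    {"event": "process_create", "pid": 2032, "parent_pid": 3032, "image": r"C:\Windows\cservs.exe"},
    # Benign noise that must not match.
    {"event": "process_create", "pid": 4100, "image": r"C:\Windows\System32\notepad.exe",
     "hashes": {"sha256": "0" * 64}},
    {"event": "registry_set", "image": r"C:\Windows\explorer.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\Admin\OneDrive.exe"},
]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {hit}")
```

Matching the Run value by the tail of the key path is deliberate: the report recorded the Wow6432Node path because the write was redirected, but a 64-bit build of the same dropper, or telemetry that reports the logical rather than the physical key, would show the native path. The dropped-file paths are compared case-insensitively and with quotes stripped because Sysmon, tria.ge and EDR products differ in how they render them.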
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 31KB
MD5: ce674452898fa6e13288185d73d67f25
SHA1: b4f46964fd66ed1e4f59a192e24278554b17e9da
SHA256: b312eab633ac919eb9fab7b18a54c90389d52bd5445805069f72ece5d8fd686e
SHA512: bdebbdc4f1830e6c1e1b2ad2a96035cdd5d52118e200131967b3fc1ceecba282d5e2aa56fcb7c1fecc74ed3b1068a4a540bf0dfc05e18f3a9d5378a8b36b0daa
-
Filesize: 31KB (same hashes as the submitted sample)
MD5: 889dcfb95e9eb0de560fdebb1ca8e134
SHA1: fedd71e7dfb8e621fbcf21076b960124e1e3cfc8
SHA256: 2f0ccba89b239c41fbf696ac20eb19b457f34b146b64ff23fe7e0ef9dca6b653
SHA512: 9efd6dea02be28e09cebe2ad35e7850f5f09efc2747fef0cbaf1afb23150e903526e26abcb40fa8bd3520c1a76a52d8cae8d35031f2a29fd51705830cd0750e8