Analysis
- max time kernel: 151s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/02/2024, 04:58
Static task: static1

Behavioral task: behavioral1
- Sample: 889dcfb95e9eb0de560fdebb1ca8e134.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: 889dcfb95e9eb0de560fdebb1ca8e134.exe
- Resource: win10v2004-20231215-en
General
- Target: 889dcfb95e9eb0de560fdebb1ca8e134.exe
- Size: 31KB
- MD5: 889dcfb95e9eb0de560fdebb1ca8e134
- SHA1: fedd71e7dfb8e621fbcf21076b960124e1e3cfc8
- SHA256: 2f0ccba89b239c41fbf696ac20eb19b457f34b146b64ff23fe7e0ef9dca6b653
- SHA512: 9efd6dea02be28e09cebe2ad35e7850f5f09efc2747fef0cbaf1afb23150e903526e26abcb40fa8bd3520c1a76a52d8cae8d35031f2a29fd51705830cd0750e8
- SSDEEP: 768:HrH0Fg6dCRobVLtmKubsDxKNTy4SmXUKBs2EQVe6:HrHQURobXmKTmk6E0e
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid | Process
  4004 | cservs.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\win32serv = "cservs.exe" | 889dcfb95e9eb0de560fdebb1ca8e134.exe
- Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\Images-2007-12.zip | 889dcfb95e9eb0de560fdebb1ca8e134.exe
  File created | C:\Windows\cservs.exe | 889dcfb95e9eb0de560fdebb1ca8e134.exe
  File opened for modification | C:\Windows\cservs.exe | 889dcfb95e9eb0de560fdebb1ca8e134.exe
  File opened for modification | C:\Windows\Images-2007-12.zip | cservs.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 224 wrote to memory of 4004 | 224 | 889dcfb95e9eb0de560fdebb1ca8e134.exe | 84
  PID 224 wrote to memory of 4004 | 224 | 889dcfb95e9eb0de560fdebb1ca8e134.exe | 84
  PID 224 wrote to memory of 4004 | 224 | 889dcfb95e9eb0de560fdebb1ca8e134.exe | 84
Processes
1. C:\Users\Admin\AppData\Local\Temp\889dcfb95e9eb0de560fdebb1ca8e134.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\889dcfb95e9eb0de560fdebb1ca8e134.exe"
   PID: 224
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\cservs.exe
      Command line: "C:\Windows\cservs.exe"
      PID: 4004
      - Executes dropped EXE
      - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 31KB
  MD5: 889dcfb95e9eb0de560fdebb1ca8e134
  SHA1: fedd71e7dfb8e621fbcf21076b960124e1e3cfc8
  SHA256: 2f0ccba89b239c41fbf696ac20eb19b457f34b146b64ff23fe7e0ef9dca6b653
  SHA512: 9efd6dea02be28e09cebe2ad35e7850f5f09efc2747fef0cbaf1afb23150e903526e26abcb40fa8bd3520c1a76a52d8cae8d35031f2a29fd51705830cd0750e8