Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 15/03/2024, 19:15
Static task
- static1
Behavioral tasks
- behavioral1: sample cc35570f8a6ca5eaa3b157d5129cf642.exe, resource win7-20240221-en
- behavioral2: sample cc35570f8a6ca5eaa3b157d5129cf642.exe, resource win10v2004-20240226-en
General
- Target: cc35570f8a6ca5eaa3b157d5129cf642.exe
- Size: 12.0MB
- MD5: cc35570f8a6ca5eaa3b157d5129cf642
- SHA1: 183c1a4dd86f9e96aba6020770de442ba1cab90f
- SHA256: 961f5faa6835275d729394a3136e2a932540297fa9ccf7ced9f0bec24b191f39
- SHA512: 638b4c36533d05b96b19f046899fcdc471efc58cd0893def3daa3d83d5c219fb8de67fd436cba3e22586b70a70e35ef7241cb042175c6f9555be52f2112bce58
- SSDEEP: 24576:9lxdvCcpOKCtBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBD:9lzOR
Malware Config
Extracted
tofsee
defeatwax.ru
refabyd.info
Signatures
- Windows security bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\xnvewyno = "0" | svchost.exe
- Creates new service(s) 1 TTPs
- Modifies Windows Firewall 2 TTPs 1 IoCs
  pid | Process
  2704 | netsh.exe
- Sets service image path in registry 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\xnvewyno\ImagePath = "C:\\Windows\\SysWOW64\\xnvewyno\\gkrvxaqc.exe" | svchost.exe
- Deletes itself 1 IoCs
  pid | Process
  2428 | svchost.exe
- Executes dropped EXE 1 IoCs
  pid | Process
  2548 | gkrvxaqc.exe
- Suspicious use of SetThreadContext 1 IoCs
  description | pid | Process | procid_target
  PID 2548 set thread context of 2428 | 2548 | gkrvxaqc.exe | 41
- Launches sc.exe 3 IoCs
  Sc.exe is a Windows utility to control services on the system.
  pid | Process
  2644 | sc.exe
  2660 | sc.exe
  2392 | sc.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory 30 IoCs
  description | pid | Process | procid_target
  PID 2156 wrote to memory of 2900 | 2156 | cc35570f8a6ca5eaa3b157d5129cf642.exe | 28 (4 entries)
  PID 2156 wrote to memory of 3012 | 2156 | cc35570f8a6ca5eaa3b157d5129cf642.exe | 30 (4 entries)
  PID 2156 wrote to memory of 2644 | 2156 | cc35570f8a6ca5eaa3b157d5129cf642.exe | 32 (4 entries)
  PID 2156 wrote to memory of 2660 | 2156 | cc35570f8a6ca5eaa3b157d5129cf642.exe | 34 (4 entries)
  PID 2156 wrote to memory of 2392 | 2156 | cc35570f8a6ca5eaa3b157d5129cf642.exe | 36 (4 entries)
  PID 2156 wrote to memory of 2704 | 2156 | cc35570f8a6ca5eaa3b157d5129cf642.exe | 39 (4 entries)
  PID 2548 wrote to memory of 2428 | 2548 | gkrvxaqc.exe | 41 (6 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\cc35570f8a6ca5eaa3b157d5129cf642.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cc35570f8a6ca5eaa3b157d5129cf642.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2156
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xnvewyno\
    PID: 2900
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gkrvxaqc.exe" C:\Windows\SysWOW64\xnvewyno\
    PID: 3012
  - C:\Windows\SysWOW64\sc.exe (level 2)
    Command line: "C:\Windows\System32\sc.exe" create xnvewyno binPath= "C:\Windows\SysWOW64\xnvewyno\gkrvxaqc.exe /d\"C:\Users\Admin\AppData\Local\Temp\cc35570f8a6ca5eaa3b157d5129cf642.exe\"" type= own start= auto DisplayName= "wifi support"
    - Launches sc.exe
    PID: 2644
  - C:\Windows\SysWOW64\sc.exe (level 2)
    Command line: "C:\Windows\System32\sc.exe" description xnvewyno "wifi internet conection"
    - Launches sc.exe
    PID: 2660
  - C:\Windows\SysWOW64\sc.exe (level 2)
    Command line: "C:\Windows\System32\sc.exe" start xnvewyno
    - Launches sc.exe
    PID: 2392
  - C:\Windows\SysWOW64\netsh.exe (level 2)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    - Modifies Windows Firewall
    PID: 2704
- C:\Windows\SysWOW64\xnvewyno\gkrvxaqc.exe (level 1)
  Command line: C:\Windows\SysWOW64\xnvewyno\gkrvxaqc.exe /d"C:\Users\Admin\AppData\Local\Temp\cc35570f8a6ca5eaa3b157d5129cf642.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2548
  - C:\Windows\SysWOW64\svchost.exe (level 2)
    Command line: svchost.exe
    - Windows security bypass
    - Sets service image path in registry
    - Deletes itself
    PID: 2428
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 2
  - Windows Service: 2
Privilege Escalation
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 2
  - Windows Service: 2
Downloads
- Filesize: 12.1MB
  MD5: 4555d932ab22ae5ff7caeb2a1cf79e18
  SHA1: 7088d7fc047e57e6f6ab6e22ab81a6d94eb49e6a
  SHA256: 6384c6ef34b55e93b40fc036441af73e6130429dee62138cc2f556bc4ca664f5
  SHA512: 600864323db393262f162e38d2f371a121234ae0360c74c32a60053c718b0c82b176f7ea53eab506d19e61a10a0f0a7c4387a66cf94886e375ab28caf7171e7c
- Filesize: 1.6MB
  MD5: db8c452cded2a0a0ce979a2ffb6edb9b
  SHA1: 174f8269cc6bd95b38d3968a7dea5aee4f706530
  SHA256: 42e4c523e4a816db8199b5b9b1bc7725ca7c55a95d6870a8dc8446568c4d36c4
  SHA512: e77b071fc604384a723de663275234cad6db3df090ce97e89e482aadca16be27af2d5c756adc3911c4ea4ff3e4d0bf31ba50fff02f54dc0e44d6c96ceb72ae3c