Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
12/04/2024, 13:32
240412-qtgfpsag84 812/04/2024, 13:32
240412-qtc4aaag83 812/04/2024, 13:32
240412-qtcshsag82 812/04/2024, 13:32
240412-qtb6zsag79 812/04/2024, 13:32
240412-qtbkfsdh4s 809/04/2024, 05:34
240409-f9mmjsbc9t 809/04/2024, 05:33
240409-f9bkaabc8w 809/04/2024, 05:33
240409-f86n2abc71 809/04/2024, 05:33
240409-f8wh3afh27 801/02/2024, 11:29
240201-nlq9tsebck 10Analysis
-
max time kernel
287s -
max time network
306s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system -
submitted
09/04/2024, 05:33
Static task
static1
Behavioral task
behavioral1
Sample
svchost_dump_SCY - Copy.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
svchost_dump_SCY - Copy.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
svchost_dump_SCY - Copy.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral4
Sample
svchost_dump_SCY - Copy.exe
Resource
win11-20240221-en
General
-
Target
svchost_dump_SCY - Copy.exe
-
Size
5.2MB
-
MD5
5fd3d21a968f4b8a1577b5405ab1c36a
-
SHA1
710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
-
SHA256
7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
-
SHA512
085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
-
SSDEEP
98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 4 IoCs
pid Process 692 netsh.exe 2912 netsh.exe 4432 netsh.exe 3704 netsh.exe -
Executes dropped EXE 1 IoCs
pid Process 2148 svchost.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\System\xxx1.bak svchost_dump_SCY - Copy.exe File created C:\Windows\System\svchost.exe svchost_dump_SCY - Copy.exe File opened for modification C:\Windows\System\svchost.exe svchost_dump_SCY - Copy.exe File created C:\Windows\System\xxx1.bak svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 644 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 3984 powershell.exe 3984 powershell.exe 2828 powershell.exe 2828 powershell.exe 2492 svchost_dump_SCY - Copy.exe 2492 svchost_dump_SCY - Copy.exe 948 powershell.exe 948 powershell.exe 4024 powershell.exe 4024 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 3920 WMIC.exe Token: SeSecurityPrivilege 3920 WMIC.exe Token: SeTakeOwnershipPrivilege 3920 WMIC.exe Token: SeLoadDriverPrivilege 3920 WMIC.exe Token: SeSystemProfilePrivilege 3920 WMIC.exe Token: SeSystemtimePrivilege 3920 WMIC.exe Token: SeProfSingleProcessPrivilege 3920 WMIC.exe Token: SeIncBasePriorityPrivilege 3920 WMIC.exe Token: SeCreatePagefilePrivilege 3920 WMIC.exe Token: SeBackupPrivilege 3920 WMIC.exe Token: SeRestorePrivilege 3920 WMIC.exe Token: SeShutdownPrivilege 3920 WMIC.exe Token: SeDebugPrivilege 3920 WMIC.exe Token: SeSystemEnvironmentPrivilege 3920 WMIC.exe Token: SeRemoteShutdownPrivilege 3920 WMIC.exe Token: SeUndockPrivilege 3920 WMIC.exe Token: SeManageVolumePrivilege 3920 WMIC.exe Token: 33 3920 WMIC.exe Token: 34 3920 WMIC.exe Token: 35 3920 WMIC.exe Token: 36 3920 WMIC.exe Token: SeIncreaseQuotaPrivilege 3920 WMIC.exe Token: SeSecurityPrivilege 3920 WMIC.exe Token: SeTakeOwnershipPrivilege 3920 WMIC.exe Token: SeLoadDriverPrivilege 3920 WMIC.exe Token: SeSystemProfilePrivilege 3920 WMIC.exe Token: SeSystemtimePrivilege 3920 WMIC.exe Token: SeProfSingleProcessPrivilege 3920 WMIC.exe Token: SeIncBasePriorityPrivilege 3920 WMIC.exe Token: SeCreatePagefilePrivilege 3920 WMIC.exe Token: SeBackupPrivilege 3920 WMIC.exe Token: SeRestorePrivilege 3920 WMIC.exe Token: SeShutdownPrivilege 3920 WMIC.exe Token: SeDebugPrivilege 3920 WMIC.exe Token: SeSystemEnvironmentPrivilege 3920 WMIC.exe Token: SeRemoteShutdownPrivilege 3920 WMIC.exe Token: SeUndockPrivilege 3920 WMIC.exe Token: SeManageVolumePrivilege 3920 WMIC.exe Token: 33 3920 WMIC.exe Token: 34 3920 WMIC.exe Token: 35 3920 WMIC.exe Token: 36 3920 WMIC.exe Token: SeDebugPrivilege 3984 powershell.exe Token: SeDebugPrivilege 2828 powershell.exe Token: SeIncreaseQuotaPrivilege 2728 WMIC.exe Token: SeSecurityPrivilege 2728 WMIC.exe Token: SeTakeOwnershipPrivilege 2728 WMIC.exe Token: SeLoadDriverPrivilege 2728 WMIC.exe Token: SeSystemProfilePrivilege 2728 WMIC.exe Token: SeSystemtimePrivilege 2728 WMIC.exe Token: SeProfSingleProcessPrivilege 2728 WMIC.exe Token: SeIncBasePriorityPrivilege 2728 WMIC.exe Token: SeCreatePagefilePrivilege 2728 WMIC.exe Token: SeBackupPrivilege 2728 WMIC.exe Token: SeRestorePrivilege 2728 WMIC.exe Token: SeShutdownPrivilege 2728 WMIC.exe Token: SeDebugPrivilege 2728 WMIC.exe Token: SeSystemEnvironmentPrivilege 2728 WMIC.exe Token: SeRemoteShutdownPrivilege 2728 WMIC.exe Token: SeUndockPrivilege 2728 WMIC.exe Token: SeManageVolumePrivilege 2728 WMIC.exe Token: 33 2728 WMIC.exe Token: 34 2728 WMIC.exe Token: 35 2728 WMIC.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 2492 wrote to memory of 3920 2492 svchost_dump_SCY - Copy.exe 77 PID 2492 wrote to memory of 3920 2492 svchost_dump_SCY - Copy.exe 77 PID 2492 wrote to memory of 2912 2492 svchost_dump_SCY - Copy.exe 79 PID 2492 wrote to memory of 2912 2492 svchost_dump_SCY - Copy.exe 79 PID 2492 wrote to memory of 4432 2492 svchost_dump_SCY - Copy.exe 80 PID 2492 wrote to memory of 4432 2492 svchost_dump_SCY - Copy.exe 80 PID 2492 wrote to memory of 3984 2492 svchost_dump_SCY - Copy.exe 83 PID 2492 wrote to memory of 3984 2492 svchost_dump_SCY - Copy.exe 83 PID 2492 wrote to memory of 2828 2492 svchost_dump_SCY - Copy.exe 85 PID 2492 wrote to memory of 2828 2492 svchost_dump_SCY - Copy.exe 85 PID 2492 wrote to memory of 2720 2492 svchost_dump_SCY - Copy.exe 87 PID 2492 wrote to memory of 2720 2492 svchost_dump_SCY - Copy.exe 87 PID 2492 wrote to memory of 644 2492 svchost_dump_SCY - Copy.exe 89 PID 2492 wrote to memory of 644 2492 svchost_dump_SCY - Copy.exe 89 PID 2492 wrote to memory of 2148 2492 svchost_dump_SCY - Copy.exe 91 PID 2492 wrote to memory of 2148 2492 svchost_dump_SCY - Copy.exe 91 PID 2148 wrote to memory of 2728 2148 svchost.exe 94 PID 2148 wrote to memory of 2728 2148 svchost.exe 94 PID 2148 wrote to memory of 3704 2148 svchost.exe 96 PID 2148 wrote to memory of 3704 2148 svchost.exe 96 PID 2148 wrote to memory of 692 2148 svchost.exe 98 PID 2148 wrote to memory of 692 2148 svchost.exe 98 PID 2148 wrote to memory of 948 2148 svchost.exe 100 PID 2148 wrote to memory of 948 2148 svchost.exe 100 PID 2148 wrote to memory of 4024 2148 svchost.exe 102 PID 2148 wrote to memory of 4024 2148 svchost.exe 102 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3920
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes2⤵
- Modifies Windows Firewall
PID:2912
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes2⤵
- Modifies Windows Firewall
PID:4432
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3984
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2828
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /TN "Timer"2⤵PID:2720
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM2⤵
- Creates scheduled task(s)
PID:644
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2728
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
- Modifies Windows Firewall
PID:3704
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
- Modifies Windows Firewall
PID:692
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵
- Suspicious behavior: EnumeratesProcesses
PID:948
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4024
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
944B
MD51a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA19910190edfaccece1dfcc1d92e357772f5dae8f7
SHA2560ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA5125d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64
-
Filesize
944B
MD565e096ec6f4418ede91340e8e9e9686a
SHA125d31c0acc193b21264bea7d15721af5c9cb411b
SHA256601102ba83d0a58bfe96573730d18c667829eb76b5c5aecfa578a14c29209f3c
SHA5121ec4fa953cdad82639147e01b6d3920c1562c39d5b6d5e4594351cea7f1d0caad471dd1f354a05154ff8c572049f49048527442218fe4b437bbcf7236d4c38ac
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.7MB
MD5277abb67ec3376d7c576732a62c39916
SHA170faa899ea7c8618289668813f04c69613fd6995
SHA25662ce6ee974509a141b66d66c4dfe41565f9ba90f3d62cd286d7a08834f2b10d4
SHA512f385313c49f7b153488f12be7ea04ed5c1220a85b7dc1382dcb862b8d5b155c5999971d3e8c7b37abdfcf8c2ff23f971a0a477a24f23ff8d08e2bcbe90f5021b
-
Filesize
10.2MB
MD5f7f52add22dadf28181ba60fc032cbc4
SHA1ba3b1ed390e1d56c3666304c7c18c8b01a1d6002
SHA256e7e575d0338c4606c31609bbb1a7de93e52498722769a99a29ee80210a512bda
SHA512cbe8a9080ca39dd2e3ef40a01cb80daa7c68419a768a516d96ddeae92ba9854c14e95f968edb977dac1a370406e1e9cffb34833c73b6d79800d7f63a13b2a94b
-
Filesize
5.2MB
MD55fd3d21a968f4b8a1577b5405ab1c36a
SHA1710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA2567ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f