Analysis

  • max time kernel
    37s
  • max time network
    38s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
  • submitted
    03/07/2024, 04:39

General

  • Target

    parsec-windows.exe

  • Size

    3.9MB

  • MD5

    01ef58e7c144c701b2ea01cfc049dbe4

  • SHA1

    2f572accb519096c9ea805812ba53703c16cceea

  • SHA256

    ae5b66322e5a7c26ad21ccc556bdc1618796166565d2939142c5aa3d76c38ace

  • SHA512

    434fd6d4eb49669617da3a15c2239a2cf524624cc4fcf9f09d8bb78a40ddf2dc5e70105e6708ce7643448f3176301edd64a9b71244c179a836119532d7dd69a6

  • SSDEEP

    98304:QsSoMQnPLeMNCvYa59QKS7XnqSsAVlsX4pIDmjjcrhm2NGbUU:QsSByeMj04VlslQsm2NK

Malware Config

Signatures

  • Creates new service(s) 2 TTPs
  • Stops running service(s) 4 TTPs
  • Modifies Windows Firewall 2 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 15 IoCs
  • Executes dropped EXE 4 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Loads dropped DLL 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 14 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\parsec-windows.exe
    "C:\Users\Admin\AppData\Local\Temp\parsec-windows.exe"
    1⤵
    • Drops file in Program Files directory
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2584
      • C:\Windows\SysWOW64\sc.exe
        "C:\Windows\System32\sc.exe" control Parsec 200
        3⤵
        • Launches sc.exe
        PID:2588
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM parsecd.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2704
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-remove.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2436
      • C:\Windows\SysWOW64\sc.exe
        "C:\Windows\System32\sc.exe" stop Parsec
        3⤵
        • Launches sc.exe
        PID:2556
      • C:\Windows\SysWOW64\sc.exe
        "C:\Windows\System32\sc.exe" delete Parsec
        3⤵
        • Launches sc.exe
        PID:3012
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\firewall-remove.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=Parsec
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        PID:2496
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsec.exe
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        PID:852
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsecd.exe
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        PID:2752
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\legacy-cleanup.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /delete /tn ParsecTeams /f
        3⤵
        PID:2916
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-install.vbs" "C:\Program Files\Parsec\pservice.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Windows\SysWOW64\sc.exe
        "C:\Windows\System32\sc.exe" create Parsec binPath= "\"C:\Program Files\Parsec\pservice.exe\"" start= auto type= interact type= own
        3⤵
        • Launches sc.exe
        PID:1732
      • C:\Windows\SysWOW64\sc.exe
        "C:\Windows\System32\sc.exe" start Parsec
        3⤵
        • Launches sc.exe
        PID:948
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\firewall-add.vbs" "C:\Program Files\Parsec\parsecd.exe"
      2⤵
      PID:784
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name=Parsec dir=in action=allow program="C:\Program Files\Parsec\parsecd.exe" enable=yes profile=public,private,domain
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        PID:1500
    • C:\Program Files\Parsec\parsecd.exe
      "C:\Program Files\Parsec\parsecd.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system certificate store
      PID:1536
  • C:\Program Files\Parsec\pservice.exe
    "C:\Program Files\Parsec\pservice.exe"
    1⤵
    • Executes dropped EXE
    PID:2056

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Program Files\Parsec\skel\appdata.json

        Filesize

        155B

        MD5

        2c669af7ee4adeddf72fa0102aa0378d

        SHA1

        5fcdf2480946eef8f55daa2df5522508e45deccd

        SHA256

        cd5d52066766b7f0fd7222e551a96c539f17c72debd32f8da9f76df4627a6dd5

        SHA512

        553caece520111cab22bb8e92099a2976acd7f2dc8c8766227f8d64259cc9e3104adf1b10019b25edb3a05b92a64afe5466c661f88bf33f2ecacda4fe6edc32f

      • C:\Program Files\Parsec\skel\parsecd-150-93b.dll

        Filesize

        3.3MB

        MD5

        1ff3e1349edd37a206a97943731045c4

        SHA1

        6d1cfc0c0b26191385cb27149433e743b74d479a

        SHA256

        b43debe8105cfd4e2c8f81599497ad4ad38640f19a64f9e530e7d2f64662bf6d

        SHA512

        80f91692c22587e76e26c7ca38b267493d4598bce75e284b3fef4ef03c64ef8ba91d67bb7be2bddd9624e4aa52a67bdeb4b5eac3a86a31529bb18c44f5824fe6

      • C:\Program Files\Parsec\wscripts\firewall-add.vbs

        Filesize

        307B

        MD5

        882374285898f16b5f9ff44afc1ae701

        SHA1

        31c9445557c9b8ecda1f0a6d5ff666e01dd1c3ca

        SHA256

        0be5aa5cc6395a86878f56b131e13db4908e48f06e892ff8f8cf9e2d3b6c8abb

        SHA512

        3b05158b03b57a4d2cbfee9cef6adfe973d080264a88e5cdeb85c59b567529cd1cd2a3b5d8538cb8637d140fd8691dc8826388ab669b7bfb2d5c1c4174069243

      • C:\Program Files\Parsec\wscripts\firewall-remove.vbs

        Filesize

        367B

        MD5

        5d4d70cdf36fcdaa292da1da9133320c

        SHA1

        92dc18d3d1128d43f482ab56804136c687b00713

        SHA256

        75f1dece4fda689a907f6d74b513adb0c1771c1b79ea71160179542c9c4ab2f0

        SHA512

        b54c92fbecb10ddf66d1b7ad950ffbc13f504c71081a8bd56c28c5689a2bf19bd81b467e0697c38f140c72a273eb9eb837105e738c6f1ac4f43344e2ab521778

      • C:\Program Files\Parsec\wscripts\legacy-cleanup.vbs

        Filesize

        115B

        MD5

        c78520c3162c1962f3164714b37eb4d0

        SHA1

        67c19b8aea7ad99465976dbcd3efcfdd7d62e3fe

        SHA256

        dea38bd553abe93c689de42d0220add18f9be3e3d2fa53f97eb8649f586df4f3

        SHA512

        cfbfc2c7dd8019f98b77e8881680ef9d0135a210fb9b0136a4992c236d971e247aa1641cd2eafdc5f6f5bb61002b30ea14b226127c4cef04f3b3d6be3a941fcc

      • C:\Program Files\Parsec\wscripts\service-install.vbs

        Filesize

        412B

        MD5

        971e2a344a6e17347a81eeb21ada7ba7

        SHA1

        37e034c29adda9b118b75bfdc7c6f41aac71e257

        SHA256

        01f62a12de3307b375dff3ebcd6961d76ffcbc24f70682c7875655a811ce76a1

        SHA512

        5ea0750dc07ff1a0eb1807043b48fb9ed54f6dcb96ce03cb543b0ea36d326779814b6cb87091373574911662a35d75b576e35c5b8d781db36fe1503f8287c65d

      • C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs

        Filesize

        164B

        MD5

        f7b0c63e7aea5cbd96f7bf1021b28b73

        SHA1

        fc5b11a6bf022740de3ba15455b06ad3f061366b

        SHA256

        71f9cc28497b959377439f6611615ef582745dd5b9cca02b5c4b24bb1fc3dfb8

        SHA512

        c957b7b45b188af0b6e6698507e94564e8e5ccc8dbf5f0237827df373878291095887422584f7f3b7833cbcdd682531fa75c974ba1137031b32bf2ffba268191

      • C:\Program Files\Parsec\wscripts\service-remove.vbs

        Filesize

        150B

        MD5

        b90e75dd7903cb2d6328bb3714865c7a

        SHA1

        2d32868deb198726ed5feb80b66542bad7fbacee

        SHA256

        970b3c2a9ea1906a177810990478932e3517f47aba267cf2ab9e4ba65e7b475f

        SHA512

        3d4bfb86ec98fd85843ae5b63dcf5f475c6500380f02bb4d0dee15a5f7e2334abdbbcd9420b8ac05b5beb8a63b9ea16abcd70ae01c04b87a423fc288ff4dca0a

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      • \Program Files\Parsec\parsecd.exe

        Filesize

        454KB

        MD5

        62beb668110b4c5ddad09bb20d921cb6

        SHA1

        f3706372c01d1e607ff8c605307de6ef2c26c1a4

        SHA256

        6f1be9e26e403a885cc3b1ff0e4dbecbc96c0821119d25990c3e211564f215d5

        SHA512

        8994c3f1c78b0a816ecf30e463af8d6ddfd0a0ce7b962cbf13e9bbd360d37a024b8ee69c76745f4c332a4786dbfb9216667b1d03c32c60a7c06e85359a2186ee

      • \Program Files\Parsec\pservice.exe

        Filesize

        408KB

        MD5

        46cd3fc327af9109bd143ba7f16df397

        SHA1

        53d2a6bcf0d21168050b852e287c2ef62f52f909

        SHA256

        5a699a165838c739e449ac19a52e0a05b841bcee1a27f7d348f0dd04c8e277a3

        SHA512

        d6e35f0dd4f6ef259dd7040d80cd469f27eb460836a4c767d40678ce82b46ce4c38b329c0cf3b41236cea2f0333f94669cfbef05ef484d91035f52ad4c1a5ca3

      • \Users\Admin\AppData\Local\Temp\nst73CA.tmp\ApplicationID.dll

        Filesize

        196KB

        MD5

        a858c1a57e32485505b1977cf0a125be

        SHA1

        25d86c4b51f7cc10fc70e3a0493a39c4460cc350

        SHA256

        1462a072345e86318b981089b08b613a34027ddf527bfb66606c683f218fc3b4

        SHA512

        32b597fc2412a9407fd12ac77c556ff9740f1dd0d2055426d11a7baf21b09c536a84cfb97865b4e94168656514e7ce71eb2bc4122aa340100f4ce483bad1722d

      • \Users\Admin\AppData\Local\Temp\nst73CA.tmp\System.dll

        Filesize

        12KB

        MD5

        cff85c549d536f651d4fb8387f1976f2

        SHA1

        d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

        SHA256

        8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

        SHA512

        531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

      • \Users\Admin\AppData\Local\Temp\nst73CA.tmp\nsDialogs.dll

        Filesize

        9KB

        MD5

        6c3f8c94d0727894d706940a8a980543

        SHA1

        0d1bcad901be377f38d579aafc0c41c0ef8dcefd

        SHA256

        56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

        SHA512

        2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355