Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

servoces64.exe

windows7-x64

10

servoces64.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    servoces64.exe

  • Size

    16.8MB

  • Sample

    240712-ty25ratcqf

  • MD5

    540c3c9ae1b97353b49de9a216532d72

  • SHA1

    bda2524601ab7cbe91287c9095f743acae55441a

  • SHA256

    0d2c84253c9a3ab2339605c4c54b1e52e8ffbb192d0b1a050b27096cdaf2f4d6

  • SHA512

    1625d62a1614d940ab44cc9c62004f32da85712d16fbeb1be015838151259f87bbfdb74387ad290db37e62d0a165e4e8c826a001b70918eb2f9111144c739d88

  • SSDEEP

    393216:OKe0h1uQjMppTvR6USajrgzKHc9bqNJy:TUQjopzR6Unjrrce

Score
10/10
evasionexecutionpersistence

Malware Config

Targets

    • Target

      servoces64.exe

    • Size

      16.8MB

    • MD5

      540c3c9ae1b97353b49de9a216532d72

    • SHA1

      bda2524601ab7cbe91287c9095f743acae55441a

    • SHA256

      0d2c84253c9a3ab2339605c4c54b1e52e8ffbb192d0b1a050b27096cdaf2f4d6

    • SHA512

      1625d62a1614d940ab44cc9c62004f32da85712d16fbeb1be015838151259f87bbfdb74387ad290db37e62d0a165e4e8c826a001b70918eb2f9111144c739d88

    • SSDEEP

      393216:OKe0h1uQjMppTvR6USajrgzKHc9bqNJy:TUQjopzR6Unjrrce

    Score
    10/10
    evasionexecutionpersistence

    • Modifies security service

      evasion

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Drops file in Drivers directory

    • Sets service image path in registry

      persistence

    • Stops running service(s)

      evasionexecution

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Power Settings

1
T1653

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Modify Registry

2
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.