Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
157s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
21/08/2024, 13:45
Static task
static1
Behavioral task
behavioral1
Sample
Svhost.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
Svhost.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
Svhost.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral4
Sample
Svhost.exe
Resource
win11-20240802-en
Behavioral task
behavioral5
Sample
Svhost.exe
Resource
macos-20240711.1-en
Behavioral task
behavioral6
Sample
Svhost.exe
Resource
macos-20240711.1-en
General
-
Target
Svhost.exe
-
Size
399KB
-
MD5
7d4970831fafb993a4b0de345cb6832b
-
SHA1
ff95a1c11fe502a396f65cb817abf6796dfb791a
-
SHA256
fa47d6d85592087d1cba503253670920ac9545deb3176006fc79606b21ae966c
-
SHA512
9b27ecaca0dc6b7b68acdcfc4308f213b94ddfea3cbc357ee96e1cc82bd2e3cfb06c4c8a9ce5647fbde18931f5e2b34e5a119295c4548d719b7a85d425657b84
-
SSDEEP
6144:PaSpJQYtBJ5666+e6VlWT8b9L+s82y00ZFlTzubWKrhtwwD:PPph95o+PVle8Is8LZFFCrhtw4
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\xdwdAvast Antivirus Upgrade.exe" Svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe" Svhost.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Loads dropped DLL 3 IoCs
pid Process 4800 Process not Found 1420 WmiApSrv.exe 2360 Process not Found -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\Run\xdwdfghfghfg = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\xdwdMicrosoft Dynamics Upgrade.exe" Svhost.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\xdwd.dll Svhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 2 IoCs
pid Process 432 timeout.exe 4868 timeout.exe -
Kills process with taskkill 2 IoCs
pid Process 4184 taskkill.exe 3040 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3761892313-3378554128-2287991803-1000\{043B4ED8-C8D2-40E8-9F3A-806518F7BD9D} explorer.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4160 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1420 WmiApSrv.exe 1420 WmiApSrv.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe 1488 Svhost.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 1488 Svhost.exe Token: SeDebugPrivilege 4184 taskkill.exe Token: SeShutdownPrivilege 3180 explorer.exe Token: SeCreatePagefilePrivilege 3180 explorer.exe Token: SeShutdownPrivilege 3180 explorer.exe Token: SeCreatePagefilePrivilege 3180 explorer.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 1488 wrote to memory of 4612 1488 Svhost.exe 84 PID 1488 wrote to memory of 4612 1488 Svhost.exe 84 PID 4612 wrote to memory of 4160 4612 CMD.exe 86 PID 4612 wrote to memory of 4160 4612 CMD.exe 86 PID 1488 wrote to memory of 1212 1488 Svhost.exe 90 PID 1488 wrote to memory of 1212 1488 Svhost.exe 90 PID 1488 wrote to memory of 1440 1488 Svhost.exe 92 PID 1488 wrote to memory of 1440 1488 Svhost.exe 92 PID 1440 wrote to memory of 4184 1440 CMD.exe 94 PID 1440 wrote to memory of 4184 1440 CMD.exe 94 PID 1212 wrote to memory of 1808 1212 cmd.exe 95 PID 1212 wrote to memory of 1808 1212 cmd.exe 95 PID 1488 wrote to memory of 32 1488 Svhost.exe 96 PID 1488 wrote to memory of 32 1488 Svhost.exe 96 PID 32 wrote to memory of 2016 32 cmd.exe 98 PID 32 wrote to memory of 2016 32 cmd.exe 98 PID 1488 wrote to memory of 5012 1488 Svhost.exe 99 PID 1488 wrote to memory of 5012 1488 Svhost.exe 99 PID 5012 wrote to memory of 4868 5012 cmd.exe 101 PID 5012 wrote to memory of 4868 5012 cmd.exe 101 PID 5012 wrote to memory of 3180 5012 cmd.exe 102 PID 5012 wrote to memory of 3180 5012 cmd.exe 102 PID 5012 wrote to memory of 3040 5012 cmd.exe 103 PID 5012 wrote to memory of 3040 5012 cmd.exe 103 PID 5012 wrote to memory of 432 5012 cmd.exe 104 PID 5012 wrote to memory of 432 5012 cmd.exe 104 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Svhost.exe"C:\Users\Admin\AppData\Local\Temp\Svhost.exe"1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SYSTEM32\CMD.exe"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost.exe" /tr "C:\Users\Admin\AppData\Roaming\xdwdAvast Antivirus Upgrade.exe" & exit2⤵
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\system32\schtasks.exeSchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost.exe" /tr "C:\Users\Admin\AppData\Roaming\xdwdAvast Antivirus Upgrade.exe"3⤵
- Scheduled Task/Job: Scheduled Task
PID:4160
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtASks /deLeTe /F /Tn "svchost.exe" & exit2⤵
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\system32\schtasks.exeschtASks /deLeTe /F /Tn "svchost.exe"3⤵PID:1808
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /C taskkill /im explorer.exe /f2⤵
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\system32\taskkill.exetaskkill /im explorer.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4184
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtASks /deLeTe /F /Tn "svchost.exe" & exit2⤵
- Suspicious use of WriteProcessMemory
PID:32 -
C:\Windows\system32\schtasks.exeschtASks /deLeTe /F /Tn "svchost.exe"3⤵PID:2016
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9263.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\system32\timeout.exetimeout 53⤵
- Delays execution with timeout.exe
PID:4868
-
-
C:\Windows\explorer.exeexplorer.exe3⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3180
-
-
C:\Windows\system32\taskkill.exetaskkill /im xdwdAvast Antivirus Upgrade.exe /f3⤵
- Kills process with taskkill
PID:3040
-
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:432
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1420
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:1340
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵PID:3524
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
262B
MD51903fbaead4e164a4800b390f9d8777d
SHA1c0127375f00b693e112f692fc719c5098ac8423d
SHA256f461d109a868d263b8274fac3bdd13ea7c73035fafb8f96d299f56a94e226e4b
SHA512068ff68b33d127bd44e895637639b11c5dc8b45c14bf97f23283c0a86eaf059b48a2e630759692cf1e3550c1ee6758a596dab63abea72bcb4b443cd324b9a421
-
Filesize
136KB
MD516e5a492c9c6ae34c59683be9c51fa31
SHA197031b41f5c56f371c28ae0d62a2df7d585adaba
SHA25635c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
SHA51220fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6