Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

6

Static

static

3

services.exe

windows10-2004-x64

6

Resubmissions

14/09/2024, 11:48

240914-nyqttssfrf 6

14/09/2024, 11:47

240914-nxz14ssfnh 6

14/09/2024, 11:42

240914-nt22assekg 6

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/09/2024, 11:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    services.exe

  • Size

    170KB

  • MD5

    5e94401cb02b643606efa2343211f832

  • SHA1

    27e71319f36ec75ba5705f27febfba6f94c06634

  • SHA256

    7b3501b29fad54316a48c7cbe034f6f97593ef80e262a127c24094ba1cde7f9f

  • SHA512

    884f3d72a662f486c5fbd8f494689650011701faf9ef78fe77dfd9533cd3ddd9f37cac310b156a8bac7bb99ffe7aebe0df973df0281e9ce7f4c03369f614bfc4

  • SSDEEP

    3072:bahKyd2n31F5GWp1icKAArDZz4N9GhbkrNEk+5fJ3qa1+YhWxLzF:bahOxp0yN90QEgP

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\services.exe
    "C:\Users\Admin\AppData\Local\Temp\services.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "services.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1060
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2292
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c echo Admin
          3⤵
            PID:1812
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:4084
        • C:\Windows\System32\NOTEPAD.EXE
          "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\services.bat
          1⤵
          • Opens file in notepad (likely ransom note)
          PID:4248
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\services.bat" "
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:3992
          • C:\Windows\system32\chcp.com
            chcp 65001
            2⤵
              PID:2960
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c echo Admin
              2⤵
                PID:2872

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\services.bat
              Filesize

              25KB

              MD5

              0a214e3b578b2aea45b48dfe3cf2d327

              SHA1

              a1100fe27b3397bbdc6871a7a2c5e310a098a448

              SHA256

              87d8a4024642f8231333c35e0c792d1192024f7305093589cf65639b2573e6e7

              SHA512

              239ccc51e0bdec7a7e8d727b960d4eb9f3e7b07703b6600d5712dca95786fe0fa12ce9041ac7f59aeae646b57b641b95c9bfc966491a4385f88e8e8f13ea6569

              Download Submit