Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/10/2024, 18:57

General

  • Target

    95f0dd8e57251dae192a6297c5ceabaec88735962954084c2f68e58e0a4b788aN.exe

  • Size

    353KB

  • MD5

    a6a41a4f8302e72a074e8f688715b460

  • SHA1

    02f31f2a7868de9670e3eab243e541fd99917cf7

  • SHA256

    95f0dd8e57251dae192a6297c5ceabaec88735962954084c2f68e58e0a4b788a

  • SHA512

    01b0d3db94c5e34efe86adc77a8daa1fff6db97bde2b1a2d72be768f347be672d383de25f4065ac0e7effe1ff929ddffaf182491612fcab17923f67880715cee

  • SSDEEP

    6144:YeC4EwZFoobUk8qp0qpgogZfpjkNY8UKw:8fhuLwflk7Ub

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
  • Stops running service(s) 4 TTPs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Launches sc.exe 22 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\95f0dd8e57251dae192a6297c5ceabaec88735962954084c2f68e58e0a4b788aN.exe
    "C:\Users\Admin\AppData\Local\Temp\95f0dd8e57251dae192a6297c5ceabaec88735962954084c2f68e58e0a4b788aN.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Loads dropped DLL
    • Windows security modification
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config wdfilter start=disabled
      2⤵
      • Launches sc.exe
      PID:2488
    • C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config WerSvc start=disabled
      2⤵
      • Launches sc.exe
      PID:2500
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2676
      • C:\Windows\system32\sc.exe
        sc stop wdfilter
        3⤵
        • Launches sc.exe
        PID:3016
    • C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config WinDefend start=disabled
      2⤵
      • Launches sc.exe
      PID:2784
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop WerSvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2844
      • C:\Windows\system32\sc.exe
        sc stop WerSvc
        3⤵
        • Launches sc.exe
        PID:2608
    • C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config WdNisSvc start=disabled
      2⤵
      • Launches sc.exe
      PID:2580
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop WdNisSvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\system32\sc.exe
        sc stop WdNisSvc
        3⤵
        • Launches sc.exe
        PID:2604
    • C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config XblGameSave start=disabled
      2⤵
      • Launches sc.exe
      PID:2744
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Windows\system32\sc.exe
        sc stop WinDefend
        3⤵
        • Launches sc.exe
        PID:1512
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop XblGameSave
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2284
      • C:\Windows\system32\sc.exe
        sc stop XblGameSave
        3⤵
        • Launches sc.exe
        PID:2140
    • C:\Users\Admin\AppData\Local\Temp\wlctzkjk.bat
      "C:\Users\Admin\AppData\Local\Temp\wlctzkjk.bat" ok
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1136
      • C:\Windows\System32\sc.exe
        "C:\Windows\System32\sc.exe" config WerSvc start=disabled
        3⤵
        • Launches sc.exe
        PID:2372
      • C:\Windows\System32\sc.exe
        "C:\Windows\System32\sc.exe" config wdfilter start=disabled
        3⤵
        • Launches sc.exe
        PID:1028
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
        3⤵
        PID:2756
        • C:\Windows\system32\sc.exe
          sc stop wdfilter
          4⤵
          • Launches sc.exe
          PID:2944
      • C:\Windows\System32\sc.exe
        "C:\Windows\System32\sc.exe" config WinDefend start=disabled
        3⤵
        • Launches sc.exe
        PID:2936
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c sc stop WerSvc
        3⤵
        PID:2412
        • C:\Windows\system32\sc.exe
          sc stop WerSvc
          4⤵
          • Launches sc.exe
          PID:2132
      • C:\Windows\System32\sc.exe
        "C:\Windows\System32\sc.exe" config WdNisSvc start=disabled
        3⤵
        • Launches sc.exe
        PID:2172
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c sc stop WdNisSvc
        3⤵
        PID:2028
        • C:\Windows\system32\sc.exe
          sc stop WdNisSvc
          4⤵
          • Launches sc.exe
          PID:1928
      • C:\Windows\System32\sc.exe
        "C:\Windows\System32\sc.exe" config XblGameSave start=disabled
        3⤵
        • Launches sc.exe
        PID:1104
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
        3⤵
        PID:2976
        • C:\Windows\system32\sc.exe
          sc stop WinDefend
          4⤵
          • Launches sc.exe
          PID:1368
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c sc stop XblGameSave
        3⤵
        PID:1604
        • C:\Windows\system32\sc.exe
          sc stop XblGameSave
          4⤵
          • Launches sc.exe
          PID:1568
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-NetQosPolicy -Name "XXXXX" -AppPathNameMatchCondition "C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe" -ThrottleRateActionBitsPerSecond 8
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3052
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-NetQosPolicy -Name "YYYYY" -AppPathNameMatchCondition "C:\Program Files (x86)\Common Files\BattlEye\BEService.exe" -ThrottleRateActionBitsPerSecond 8
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1496
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
        3⤵
        PID:1560
        • C:\Windows\system32\sc.exe
          sc stop wdfilter
          4⤵
          • Launches sc.exe
          PID:1160
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c sc stop faceit
        3⤵
        PID:1588
        • C:\Windows\system32\sc.exe
          sc stop faceit
          4⤵
          • Launches sc.exe
          PID:2492
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f2ea0835-f474-405d-acaa-6c9d77e7e940.bat"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1428
      • C:\Windows\system32\attrib.exe
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\95f0dd8e57251dae192a6297c5ceabaec88735962954084c2f68e58e0a4b788aN.exe"
        3⤵
        • Views/modifies file attributes
        PID:2672
      • C:\Windows\system32\reg.exe
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "HiberbootEnabled" /t REG_DWORD /d 0 /f
        3⤵
        PID:1940
      • C:\Windows\system32\timeout.exe
        timeout /T 1
        3⤵
        • Delays execution with timeout.exe
        PID:2004
      • C:\Windows\system32\attrib.exe
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\95f0dd8e57251dae192a6297c5ceabaec88735962954084c2f68e58e0a4b788aN.exe"
        3⤵
        • Views/modifies file attributes
        PID:2384
      • C:\Windows\system32\wevtutil.exe
        wevtutil el
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2420
      • C:\Windows\system32\attrib.exe
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\f2ea0835-f474-405d-acaa-6c9d77e7e940.bat"
        3⤵
        • Views/modifies file attributes
        PID:1652

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\f2ea0835-f474-405d-acaa-6c9d77e7e940.bat

    Filesize

    780B

    MD5

    dcb591d59be814d62b266f6b51f8a6de

    SHA1

    df9d860da8612d70267ce6a1082a1dacec2ce9ab

    SHA256

    fe586650955c564b0ec089422ff64bab3075460c1f7a15b6a6f9d92dfd0ff59b

    SHA512

    d8c9ea1f427fc7d8e5721b415dc4a43d35e9a9d9a045a4f24c09d9b83e130aa2f1f13d10492c41edb22b26af15623b4ad42fbe2af7cb8ea2fda8555375f373d5

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    5ea87f7762f76397478150a5a946e22c

    SHA1

    a80f34345fc8fd8334b4d14b0fb55c7ab3085900

    SHA256

    7a5fa164703f0acef280e56d2ae48ffc79d453673628088dce82ae9c6c6b70eb

    SHA512

    5fd696d4a16196aea5270dffd8137745131ac6454be1722fb73eddf1af63be586d0d648dde41066afaaaa3362930434fd04c21d41f48eb10d87212db57803fa5

  • C:\Users\Admin\AppData\Roaming\spf\unknown.log

    Filesize

    190B

    MD5

    fc35dcc5c3f75cd55b9f6964c99ae722

    SHA1

    e5c5c7e70c4e67c919c66a7d0d0d8abf1c21e41a

    SHA256

    d25a4abbae08de49d80992dec16f50d97098293acc0567aa7ca62a1cc17b71f7

    SHA512

    87221dce1bdb909212505462eeb0ce5d3cac30443a9eb06b5420913ae2a71795b1edec1e2eb53e1fb7084474ca36a36ebc9732f2b14c2c87effe7f23abe6d027

  • \Users\Admin\AppData\Local\Temp\wlctzkjk.bat

    Filesize

    354KB

    MD5

    3c1b91544d041ed49a8f99fcb07953b8

    SHA1

    aff46cce0993e38d6c75ba23db47325d8989d6c3

    SHA256

    a0f3e0b8ced95b558c555f091e534b3ba86e65e6636ee80f78bc39972dc17a08

    SHA512

    f5d8c7b54654e9cfeee299d769b1201e8e6357e5d2e22aac4549c6b223cf7a2c1cae146324da69d3d365c23b74be397dbea832415a44ca14d4efd8be78d76cb5

  • memory/1136-10-0x000000013E5C0000-0x000000013E5FE000-memory.dmp

    Filesize

    248KB

  • memory/1496-36-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

    Filesize

    32KB

  • memory/1496-35-0x000000001B750000-0x000000001BA32000-memory.dmp

    Filesize

    2.9MB

  • memory/2360-18-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

    Filesize

    9.9MB

  • memory/2360-0-0x000007FEF5803000-0x000007FEF5804000-memory.dmp

    Filesize

    4KB

  • memory/2360-2-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

    Filesize

    9.9MB

  • memory/2360-1-0x000000013EB50000-0x000000013EB8E000-memory.dmp

    Filesize

    248KB

  • memory/3052-28-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

    Filesize

    2.9MB

  • memory/3052-29-0x0000000001D80000-0x0000000001D88000-memory.dmp

    Filesize

    32KB