Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

b4d16a23c4...cd.exe

windows7-x64

10

b4d16a23c4...cd.exe

windows10-2004-x64

10

b4eca0b762...e1.exe

windows7-x64

1

b4eca0b762...e1.exe

windows10-2004-x64

1

b4f9f36ada...07.exe

windows7-x64

10

b4f9f36ada...07.exe

windows10-2004-x64

10

b5002c08a1...bc.exe

windows7-x64

10

b5002c08a1...bc.exe

windows10-2004-x64

10

b55e92f4a2...a6.exe

windows7-x64

10

b55e92f4a2...a6.exe

windows10-2004-x64

10

b5687bfac8...82.exe

windows7-x64

10

b5687bfac8...82.exe

windows10-2004-x64

10

b580ffe62d...98.exe

windows7-x64

7

b580ffe62d...98.exe

windows10-2004-x64

7

b599b9b1d6...6f.exe

windows7-x64

7

b599b9b1d6...6f.exe

windows10-2004-x64

10

b5ac1858b7...1a.exe

windows7-x64

5

b5ac1858b7...1a.exe

windows10-2004-x64

5

b65e1ac2a1...74.exe

windows7-x64

10

b65e1ac2a1...74.exe

windows10-2004-x64

10

b67576c827...e2.exe

windows7-x64

10

b67576c827...e2.exe

windows10-2004-x64

10

b68768d198...a8.exe

windows7-x64

7

b68768d198...a8.exe

windows10-2004-x64

7

b6982d011a...3b.exe

windows7-x64

10

b6982d011a...3b.exe

windows10-2004-x64

10

b6b7f4db83...cc.exe

windows7-x64

3

b6b7f4db83...cc.exe

windows10-2004-x64

3

b6baedc86e...7b.exe

windows7-x64

10

b6baedc86e...7b.exe

windows10-2004-x64

10

b6cd4cbecb...e2.exe

windows7-x64

10

b6cd4cbecb...e2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 06:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b5002c08a1be3be44a14092d1eb62f69858b5e772df4f86e67339a2250c522bc.exe

  • Size

    351KB

  • MD5

    8bb974a955b5fe6ff74c775a1c3c7570

  • SHA1

    bece48b62c2932ff93535cbeeb8d8a486e54f486

  • SHA256

    b5002c08a1be3be44a14092d1eb62f69858b5e772df4f86e67339a2250c522bc

  • SHA512

    7b93154b13a7f2c9c568acdeb659817f6fe05ced86eec930725032a9e588e56f6e2e062551586a03c14f57498428cb84e9dfd7ca45fc646b137db8cefc486204

  • SSDEEP

    6144:YeC4EwZFoobUk8qp0qpgogZfpjkNaXiCEa4+G:8fhuLwflkaO

Score
10/10
defense_evasionevasionexecutiontrojan

Malware Config

Signatures

  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 2 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
    defense_evasiontrojan
  • Stops running service(s) 4 TTPs
    defense_evasionexecution
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Launches sc.exe 22 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\b5002c08a1be3be44a14092d1eb62f69858b5e772df4f86e67339a2250c522bc.exe
    "C:\Users\Admin\AppData\Local\Temp\b5002c08a1be3be44a14092d1eb62f69858b5e772df4f86e67339a2250c522bc.exe"
    1⤵
    • Modifies Windows Defender DisableAntiSpyware settings
    • Modifies Windows Defender Real-time Protection settings
    • Loads dropped DLL
    • Windows security modification
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config WerSvc start=disabled
      2⤵
      • Launches sc.exe
      PID:2540
    • C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config wdfilter start=disabled
      2⤵
      • Launches sc.exe
      PID:2504
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Windows\system32\sc.exe
        sc stop wdfilter
        3⤵
        • Launches sc.exe
        PID:2756
    • C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config WinDefend start=disabled
      2⤵
      • Launches sc.exe
      PID:2800
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop WerSvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2452
      • C:\Windows\system32\sc.exe
        sc stop WerSvc
        3⤵
        • Launches sc.exe
        PID:2624
    • C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config WdNisSvc start=disabled
      2⤵
      • Launches sc.exe
      PID:2176
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop WdNisSvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Windows\system32\sc.exe
        sc stop WdNisSvc
        3⤵
        • Launches sc.exe
        PID:2676
    • C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config XblGameSave start=disabled
      2⤵
      • Launches sc.exe
      PID:2656
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\system32\sc.exe
        sc stop WinDefend
        3⤵
        • Launches sc.exe
        PID:2652
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop XblGameSave
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Windows\system32\sc.exe
        sc stop XblGameSave
        3⤵
        • Launches sc.exe
        PID:1992
    • C:\Users\Admin\AppData\Local\Temp\rokkfbgh.bat
      "C:\Users\Admin\AppData\Local\Temp\rokkfbgh.bat" ok
      2⤵
      • Modifies Windows Defender DisableAntiSpyware settings
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1644
      • C:\Windows\System32\sc.exe
        "C:\Windows\System32\sc.exe" config wdfilter start=disabled
        3⤵
        • Launches sc.exe
        PID:1676
      • C:\Windows\System32\sc.exe
        "C:\Windows\System32\sc.exe" config WerSvc start=disabled
        3⤵
        • Launches sc.exe
        PID:2012
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
        3⤵
          PID:2784
          • C:\Windows\system32\sc.exe
            sc stop wdfilter
            4⤵
            • Launches sc.exe
            PID:2140
        • C:\Windows\System32\sc.exe
          "C:\Windows\System32\sc.exe" config WinDefend start=disabled
          3⤵
          • Launches sc.exe
          PID:2916
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c sc stop WerSvc
          3⤵
            PID:1420
            • C:\Windows\system32\sc.exe
              sc stop WerSvc
              4⤵
              • Launches sc.exe
              PID:1200
          • C:\Windows\System32\sc.exe
            "C:\Windows\System32\sc.exe" config WdNisSvc start=disabled
            3⤵
            • Launches sc.exe
            PID:2856
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c sc stop WdNisSvc
            3⤵
              PID:1732
              • C:\Windows\system32\sc.exe
                sc stop WdNisSvc
                4⤵
                • Launches sc.exe
                PID:2308
            • C:\Windows\System32\sc.exe
              "C:\Windows\System32\sc.exe" config XblGameSave start=disabled
              3⤵
              • Launches sc.exe
              PID:448
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
              3⤵
                PID:2088
                • C:\Windows\system32\sc.exe
                  sc stop WinDefend
                  4⤵
                  • Launches sc.exe
                  PID:1276
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c sc stop XblGameSave
                3⤵
                  PID:688
                  • C:\Windows\system32\sc.exe
                    sc stop XblGameSave
                    4⤵
                    • Launches sc.exe
                    PID:2136
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-NetQosPolicy -Name "XXXXX" -AppPathNameMatchCondition "C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe" -ThrottleRateActionBitsPerSecond 8
                  3⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:788
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-NetQosPolicy -Name "YYYYY" -AppPathNameMatchCondition "C:\Program Files (x86)\Common Files\BattlEye\BEService.exe" -ThrottleRateActionBitsPerSecond 8
                  3⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2552
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
                  3⤵
                    PID:2396
                    • C:\Windows\system32\sc.exe
                      sc stop wdfilter
                      4⤵
                      • Launches sc.exe
                      PID:1880
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c sc stop faceit
                    3⤵
                      PID:2188
                      • C:\Windows\system32\sc.exe
                        sc stop faceit
                        4⤵
                        • Launches sc.exe
                        PID:2000
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a9a3d058-0110-4aa1-8eaf-7037c36d582f.bat"
                    2⤵
                    • Deletes itself
                    • Suspicious use of WriteProcessMemory
                    PID:1860
                    • C:\Windows\system32\attrib.exe
                      attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\b5002c08a1be3be44a14092d1eb62f69858b5e772df4f86e67339a2250c522bc.exe"
                      3⤵
                      • Views/modifies file attributes
                      PID:2588
                    • C:\Windows\system32\reg.exe
                      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "HiberbootEnabled" /t REG_DWORD /d 0 /f
                      3⤵
                        PID:1728
                      • C:\Windows\system32\timeout.exe
                        timeout /T 1
                        3⤵
                        • Delays execution with timeout.exe
                        PID:1920
                      • C:\Windows\system32\attrib.exe
                        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\b5002c08a1be3be44a14092d1eb62f69858b5e772df4f86e67339a2250c522bc.exe"
                        3⤵
                        • Views/modifies file attributes
                        PID:2156
                      • C:\Windows\system32\wevtutil.exe
                        wevtutil el
                        3⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2060
                      • C:\Windows\system32\attrib.exe
                        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\a9a3d058-0110-4aa1-8eaf-7037c36d582f.bat"
                        3⤵
                        • Views/modifies file attributes
                        PID:1660

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\a9a3d058-0110-4aa1-8eaf-7037c36d582f.bat
                    Filesize

                    776B

                    MD5

                    308491fcdaeacddcf6340b10363da286

                    SHA1

                    13702312b4e2f25187dee61b97508bd141b7e29f

                    SHA256

                    714d32f1415da27a5d494f63f921b5dcff3f5a87209d64590c328a086e1d2b42

                    SHA512

                    4647cc9b39a3ce55a152b5d54a0648b226624c2b88da6a3557604e58f7f021e87c13eb9b0c8273a18322d8c6eb6ec13ecd0edf91409701e0986e4db2e5ee226e

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\rokkfbgh.bat
                    Filesize

                    352KB

                    MD5

                    14c32fe06d1dc98f2497621d61942a1d

                    SHA1

                    b0e174fcbeb55480c6e9701a41fe386a4911911c

                    SHA256

                    1291d21404aa27df6a61c975de7a7273dc2e8ae317cae9462468783de486efe2

                    SHA512

                    eaf99837d2f50dff9ce2b3d75b85c908114c1dc358de660ef66863f22211ed4ce4c83aef229c1cc365ee6e03a3e97e3ea22e376ca3f17f830b3b9850e02ab4e0

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6GK0Y96N0KW5GHCPI41L.temp
                    Filesize

                    7KB

                    MD5

                    6349f4dd2c23c1b06e6d29e00f8ca6d8

                    SHA1

                    e8c6cce25539b3abf66dfc7596905c38c3d708af

                    SHA256

                    e98a851f86228a1e67977e8677380fbde4ddef5d6ed06d75825f8a7f88c65a22

                    SHA512

                    58cc805a9bb7bec2d9760582f2ea813e8f4dd0d752946421d6a42a6b6800b9d2c3defd979a265ef5bb9946e498e3f3ade6f6ebc719913b35477dbed80c521187

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\spf\unknown.log
                    Filesize

                    190B

                    MD5

                    750a0ac2dcf9a39b9bdf5927a78b14b2

                    SHA1

                    27f4469fd498d067ea43006b57ba8dee05fe0335

                    SHA256

                    21f3371f7bdf7a29a9ed5e52292c5f0baa241935338d660e5c8a9f9ef7accde1

                    SHA512

                    4c73c36b05f254ab5fd02507888bf35dcbdf4a3d836b6bcc15385dd058f2f55390ba41abf97c920ad179cf5f13471bfc1e801cd117a0d037f9e4c782191ddf9c

                    Download Submit

                  • memory/788-28-0x000000001B630000-0x000000001B912000-memory.dmp

                    Filesize

                    2.9MB

                    Download

                  • memory/788-29-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

                    Filesize

                    32KB

                    Download

                  • memory/1644-14-0x000000013EBB0000-0x000000013EBEE000-memory.dmp

                    Filesize

                    248KB

                    Download

                  • memory/2280-18-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/2280-2-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/2280-0-0x000007FEF56B3000-0x000007FEF56B4000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2280-1-0x000000013E920000-0x000000013E95E000-memory.dmp

                    Filesize

                    248KB

                    Download

                  • memory/2552-36-0x0000000000380000-0x0000000000388000-memory.dmp

                    Filesize

                    32KB

                    Download

                  • memory/2552-35-0x000000001B730000-0x000000001BA12000-memory.dmp

                    Filesize

                    2.9MB

                    Download