Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
152s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
03/10/2022, 03:25
General
-
Target
785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe
-
Size
89KB
-
MD5
59570179859c1eb4286b100aaf25cd74
-
SHA1
5a87f58be1d93e2c440d80e2a3415b0f143a9d33
-
SHA256
785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920
-
SHA512
f3dae0c5b9cfbef900908c69613e5c5e9b772ef0f3cfdbcd6ed6ea8dceab94635d7bcd09d6ec028f61531ba268a419dded5010a53740be4b62a0aade93c1c88f
-
SSDEEP
1536:7keK40T/mx7y9v7Z/Z2V/GSAFRfBh7VoKI:AD40Dmx7y9DZ/Z2hGVaKI
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 8 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
-
Executes dropped EXE 15 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 29 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 25 IoCs
-
Suspicious use of WriteProcessMemory 53 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe"C:\Users\Admin\AppData\Local\Temp\785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\userinit.exeC:\Windows\system32\userinit.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Explorer.exeExplorer.exe "C:\recycled\SVCHOST.exe"4⤵
-
-
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\785ed07200948fccfa7c4ac7690f4010c0741af387c4ce012a40e8070e036920.doc" /o ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
89KB
MD5aaa87d1daeecf393e10dbdcdd8968b7c
SHA1e8ee19ae2f861d3e065f90e107248f0b085db956
SHA256dbe29e95e9ef5cc0ee9cd111867a3cbd0622f0980d25d3ac33129efb89b4e83b
SHA5122ab1823d46f8478b9de8e39b1fabe714a330258dcf752649034c8cea930fd375eda630d9b94d87a73a03e41a9f58397b55373d5bd6e5112895472c8a6e930ed7
-
Filesize
89KB
MD5aaa87d1daeecf393e10dbdcdd8968b7c
SHA1e8ee19ae2f861d3e065f90e107248f0b085db956
SHA256dbe29e95e9ef5cc0ee9cd111867a3cbd0622f0980d25d3ac33129efb89b4e83b
SHA5122ab1823d46f8478b9de8e39b1fabe714a330258dcf752649034c8cea930fd375eda630d9b94d87a73a03e41a9f58397b55373d5bd6e5112895472c8a6e930ed7
-
Filesize
89KB
MD5aaa87d1daeecf393e10dbdcdd8968b7c
SHA1e8ee19ae2f861d3e065f90e107248f0b085db956
SHA256dbe29e95e9ef5cc0ee9cd111867a3cbd0622f0980d25d3ac33129efb89b4e83b
SHA5122ab1823d46f8478b9de8e39b1fabe714a330258dcf752649034c8cea930fd375eda630d9b94d87a73a03e41a9f58397b55373d5bd6e5112895472c8a6e930ed7
-
Filesize
89KB
MD5aaa87d1daeecf393e10dbdcdd8968b7c
SHA1e8ee19ae2f861d3e065f90e107248f0b085db956
SHA256dbe29e95e9ef5cc0ee9cd111867a3cbd0622f0980d25d3ac33129efb89b4e83b
SHA5122ab1823d46f8478b9de8e39b1fabe714a330258dcf752649034c8cea930fd375eda630d9b94d87a73a03e41a9f58397b55373d5bd6e5112895472c8a6e930ed7
-
Filesize
89KB
MD5aaa87d1daeecf393e10dbdcdd8968b7c
SHA1e8ee19ae2f861d3e065f90e107248f0b085db956
SHA256dbe29e95e9ef5cc0ee9cd111867a3cbd0622f0980d25d3ac33129efb89b4e83b
SHA5122ab1823d46f8478b9de8e39b1fabe714a330258dcf752649034c8cea930fd375eda630d9b94d87a73a03e41a9f58397b55373d5bd6e5112895472c8a6e930ed7
-
Filesize
89KB
MD5f2cc35954c1717580c4d46846392997a
SHA16e701d676e1852af1f01edb25a068fc380cb16cb
SHA2563601e320873966e7505e02a657c3e9595f9d28ee1b8d3e68cb8742e39b0a6179
SHA5126c397d8a873f61d42907ded3e2324ecc948c0a27c7e80f50296dd3b1b00a49b290c8455b222049b6518ef64522bc4e2ea4fc0abc8d621d640481d8419bec10f4
-
Filesize
89KB
MD5f2cc35954c1717580c4d46846392997a
SHA16e701d676e1852af1f01edb25a068fc380cb16cb
SHA2563601e320873966e7505e02a657c3e9595f9d28ee1b8d3e68cb8742e39b0a6179
SHA5126c397d8a873f61d42907ded3e2324ecc948c0a27c7e80f50296dd3b1b00a49b290c8455b222049b6518ef64522bc4e2ea4fc0abc8d621d640481d8419bec10f4
-
Filesize
89KB
MD5f2cc35954c1717580c4d46846392997a
SHA16e701d676e1852af1f01edb25a068fc380cb16cb
SHA2563601e320873966e7505e02a657c3e9595f9d28ee1b8d3e68cb8742e39b0a6179
SHA5126c397d8a873f61d42907ded3e2324ecc948c0a27c7e80f50296dd3b1b00a49b290c8455b222049b6518ef64522bc4e2ea4fc0abc8d621d640481d8419bec10f4
-
Filesize
89KB
MD5f2cc35954c1717580c4d46846392997a
SHA16e701d676e1852af1f01edb25a068fc380cb16cb
SHA2563601e320873966e7505e02a657c3e9595f9d28ee1b8d3e68cb8742e39b0a6179
SHA5126c397d8a873f61d42907ded3e2324ecc948c0a27c7e80f50296dd3b1b00a49b290c8455b222049b6518ef64522bc4e2ea4fc0abc8d621d640481d8419bec10f4
-
Filesize
89KB
MD5f2cc35954c1717580c4d46846392997a
SHA16e701d676e1852af1f01edb25a068fc380cb16cb
SHA2563601e320873966e7505e02a657c3e9595f9d28ee1b8d3e68cb8742e39b0a6179
SHA5126c397d8a873f61d42907ded3e2324ecc948c0a27c7e80f50296dd3b1b00a49b290c8455b222049b6518ef64522bc4e2ea4fc0abc8d621d640481d8419bec10f4
-
Filesize
89KB
MD540d6f5a6a6d5ad1b9157b75d324cdf2e
SHA162916e8b66bacba9125276b1388ee43f05d8f3c3
SHA2563c1c9c93facf81d961ec1659863815c434577ae785d74017e55f4962492d0983
SHA5128a1fc2272bc171898dd99af6a00b76572f50d8872fd43f220615851029338bfe4db1c0ad44d56aeeee207a34f8500090aa77bb0e94e64c5d90c45087d2f6d6f6
-
Filesize
89KB
MD540d6f5a6a6d5ad1b9157b75d324cdf2e
SHA162916e8b66bacba9125276b1388ee43f05d8f3c3
SHA2563c1c9c93facf81d961ec1659863815c434577ae785d74017e55f4962492d0983
SHA5128a1fc2272bc171898dd99af6a00b76572f50d8872fd43f220615851029338bfe4db1c0ad44d56aeeee207a34f8500090aa77bb0e94e64c5d90c45087d2f6d6f6
-
Filesize
89KB
MD540d6f5a6a6d5ad1b9157b75d324cdf2e
SHA162916e8b66bacba9125276b1388ee43f05d8f3c3
SHA2563c1c9c93facf81d961ec1659863815c434577ae785d74017e55f4962492d0983
SHA5128a1fc2272bc171898dd99af6a00b76572f50d8872fd43f220615851029338bfe4db1c0ad44d56aeeee207a34f8500090aa77bb0e94e64c5d90c45087d2f6d6f6
-
Filesize
89KB
MD540d6f5a6a6d5ad1b9157b75d324cdf2e
SHA162916e8b66bacba9125276b1388ee43f05d8f3c3
SHA2563c1c9c93facf81d961ec1659863815c434577ae785d74017e55f4962492d0983
SHA5128a1fc2272bc171898dd99af6a00b76572f50d8872fd43f220615851029338bfe4db1c0ad44d56aeeee207a34f8500090aa77bb0e94e64c5d90c45087d2f6d6f6
-
Filesize
89KB
MD540d6f5a6a6d5ad1b9157b75d324cdf2e
SHA162916e8b66bacba9125276b1388ee43f05d8f3c3
SHA2563c1c9c93facf81d961ec1659863815c434577ae785d74017e55f4962492d0983
SHA5128a1fc2272bc171898dd99af6a00b76572f50d8872fd43f220615851029338bfe4db1c0ad44d56aeeee207a34f8500090aa77bb0e94e64c5d90c45087d2f6d6f6
-
Filesize
65B
MD5ad0b0b4416f06af436328a3c12dc491b
SHA1743c7ad130780de78ccbf75aa6f84298720ad3fa
SHA25623521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416
SHA512884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56
-
Filesize
1KB
MD50269b6347e473980c5378044ac67aa1f
SHA1c3334de50e320ad8bce8398acff95c363d039245
SHA25668f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b
-
Filesize
1KB
MD50269b6347e473980c5378044ac67aa1f
SHA1c3334de50e320ad8bce8398acff95c363d039245
SHA25668f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b
-
Filesize
1KB
MD50269b6347e473980c5378044ac67aa1f
SHA1c3334de50e320ad8bce8398acff95c363d039245
SHA25668f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b
-
Filesize
89KB
MD5aaa87d1daeecf393e10dbdcdd8968b7c
SHA1e8ee19ae2f861d3e065f90e107248f0b085db956
SHA256dbe29e95e9ef5cc0ee9cd111867a3cbd0622f0980d25d3ac33129efb89b4e83b
SHA5122ab1823d46f8478b9de8e39b1fabe714a330258dcf752649034c8cea930fd375eda630d9b94d87a73a03e41a9f58397b55373d5bd6e5112895472c8a6e930ed7
-
Filesize
89KB
MD5f2cc35954c1717580c4d46846392997a
SHA16e701d676e1852af1f01edb25a068fc380cb16cb
SHA2563601e320873966e7505e02a657c3e9595f9d28ee1b8d3e68cb8742e39b0a6179
SHA5126c397d8a873f61d42907ded3e2324ecc948c0a27c7e80f50296dd3b1b00a49b290c8455b222049b6518ef64522bc4e2ea4fc0abc8d621d640481d8419bec10f4
-
Filesize
89KB
MD540d6f5a6a6d5ad1b9157b75d324cdf2e
SHA162916e8b66bacba9125276b1388ee43f05d8f3c3
SHA2563c1c9c93facf81d961ec1659863815c434577ae785d74017e55f4962492d0983
SHA5128a1fc2272bc171898dd99af6a00b76572f50d8872fd43f220615851029338bfe4db1c0ad44d56aeeee207a34f8500090aa77bb0e94e64c5d90c45087d2f6d6f6
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB