Analysis
  max time kernel: 150s
  max time network: 126s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 18/10/2022, 11:40
Static task: static1
Behavioral task: behavioral1
  Sample: d0ec77569406e8824ca37fad5d5d215f302f0e93005c7ef2af961f8474cd6e7c.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: d0ec77569406e8824ca37fad5d5d215f302f0e93005c7ef2af961f8474cd6e7c.exe
  Resource: win10v2004-20220812-en
General
  Target: d0ec77569406e8824ca37fad5d5d215f302f0e93005c7ef2af961f8474cd6e7c.exe
  Size: 207KB
  MD5: f642efb542e01bcac68b865878971816
  SHA1: e0487e035e0988f4abcf540466e0ba5f1a95dac8
  SHA256: d0ec77569406e8824ca37fad5d5d215f302f0e93005c7ef2af961f8474cd6e7c
  SHA512: 6948e12981147ab0233ee59f681b837f75761a1574c83f297b15f0edab7148bd886adb7c975c3aaaa3f746ba4869d2a0229ca596c808169b6cec1b0df4cf4864
  SSDEEP: 3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unMo:zvEN2U+T6i5LirrllHy4HUcMQY6e
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Executes dropped EXE (4 IoCs)
  pid | process
  860 | explorer.exe
  2296 | spoolsv.exe
  3180 | svchost.exe
  3504 | spoolsv.exe

Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe

Adds Run key to start application (2 TTPs, 6 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe

Drops file in Windows directory (6 IoCs)
  description | ioc | process
  File opened for modification | \??\c:\windows\system\explorer.exe | d0ec77569406e8824ca37fad5d5d215f302f0e93005c7ef2af961f8474cd6e7c.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
  File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  3168 | d0ec77569406e8824ca37fad5d5d215f302f0e93005c7ef2af961f8474cd6e7c.exe
  860 | explorer.exe
  3180 | svchost.exe
  (64 entries in total; the same three processes are listed repeatedly)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | process
  860 | explorer.exe
  3180 | svchost.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | process
  3168 | d0ec77569406e8824ca37fad5d5d215f302f0e93005c7ef2af961f8474cd6e7c.exe (2 entries)
  860 | explorer.exe (2 entries)
  2296 | spoolsv.exe (2 entries)
  3180 | svchost.exe (2 entries)
  3504 | spoolsv.exe (2 entries)
  860 | explorer.exe (2 entries)

Suspicious use of WriteProcessMemory (21 IoCs; each write is reported three times)
  description | pid | process | procid_target
  PID 3168 wrote to memory of 860 | 3168 | d0ec77569406e8824ca37fad5d5d215f302f0e93005c7ef2af961f8474cd6e7c.exe | 81
  PID 860 wrote to memory of 2296 | 860 | explorer.exe | 82
  PID 2296 wrote to memory of 3180 | 2296 | spoolsv.exe | 83
  PID 3180 wrote to memory of 3504 | 3180 | svchost.exe | 84
  PID 3180 wrote to memory of 3044 | 3180 | svchost.exe | 85
  PID 3180 wrote to memory of 4972 | 3180 | svchost.exe | 94
  PID 3180 wrote to memory of 4960 | 3180 | svchost.exe | 96
Processes

C:\Users\Admin\AppData\Local\Temp\d0ec77569406e8824ca37fad5d5d215f302f0e93005c7ef2af961f8474cd6e7c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d0ec77569406e8824ca37fad5d5d215f302f0e93005c7ef2af961f8474cd6e7c.exe"
  PID: 3168
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\system\explorer.exe
    command line: c:\windows\system\explorer.exe
    PID: 860
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\system\spoolsv.exe
      command line: c:\windows\system\spoolsv.exe SE
      PID: 2296
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\system\svchost.exe
        command line: c:\windows\system\svchost.exe
        PID: 3180
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Modifies Installed Components in the registry
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe PR
          PID: 3504
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\at.exe
          command line: at 13:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 3044

        C:\Windows\SysWOW64\at.exe
          command line: at 13:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 4972

        C:\Windows\SysWOW64\at.exe
          command line: at 13:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 4960
Network
MITRE ATT&CK Enterprise v6
Downloads