Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/10/2022, 11:40

General

  • Target

    d0ec77569406e8824ca37fad5d5d215f302f0e93005c7ef2af961f8474cd6e7c.exe

  • Size

    207KB

  • MD5

    f642efb542e01bcac68b865878971816

  • SHA1

    e0487e035e0988f4abcf540466e0ba5f1a95dac8

  • SHA256

    d0ec77569406e8824ca37fad5d5d215f302f0e93005c7ef2af961f8474cd6e7c

  • SHA512

    6948e12981147ab0233ee59f681b837f75761a1574c83f297b15f0edab7148bd886adb7c975c3aaaa3f746ba4869d2a0229ca596c808169b6cec1b0df4cf4864

  • SSDEEP

    3072:zvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unMo:zvEN2U+T6i5LirrllHy4HUcMQY6e

Score
10/10

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0ec77569406e8824ca37fad5d5d215f302f0e93005c7ef2af961f8474cd6e7c.exe
    "C:\Users\Admin\AppData\Local\Temp\d0ec77569406e8824ca37fad5d5d215f302f0e93005c7ef2af961f8474cd6e7c.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3168
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:860
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2296
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3180
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3504
          • C:\Windows\SysWOW64\at.exe
            at 13:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:3044
            • C:\Windows\SysWOW64\at.exe
              at 13:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:4972
              • C:\Windows\SysWOW64\at.exe
                at 13:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:4960

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe

          Filesize

          206KB

          MD5

          ea4c1ad7b0870ee19353fd4ae68a526f

          SHA1

          3677abff6d06ba17184aedfe1824cc9d13aa6887

          SHA256

          efbff312bb661aee03d99328cd581e54474ff4fc08d7919a202f957b752f95bd

          SHA512

          2b15cc5d6d0db28ff38b56b1cc50b1312b5c0753d763de7eef7b06bdac17489c4364a6940add1cef5ab4c1dc7eab149a537d8b7a3ab78e10a49aa4062366409e

        • C:\Windows\System\explorer.exe

          Filesize

          206KB

          MD5

          9b7eaa9cde0ceb7f613d8a5b2ffbed27

          SHA1

          61ad73b469fb889abb2da30c3d613b89392ba458

          SHA256

          4bfcfd35e8ca3651e1832d6bf17f638f143883f81d40efef756e5a7c755ef290

          SHA512

          d39bd2ce9842d5e45b5f84e62b3a373723f25bb1d47c54ba376b71795fdb1593defc23a5c84ee18735eb917f522f695d0a4e3ff2b5fbc771ae8901d758bc48ab

        • C:\Windows\System\spoolsv.exe

          Filesize

          206KB

          MD5

          2c8d50f521d8d94113c2cd28ba540513

          SHA1

          9d0d5273ab3b2405df2292cab85a7026c8c2bee4

          SHA256

          2cd94383d6091adafeb77d14f67ea0786177e3d9bc08790a4e5aeab9da69a94b

          SHA512

          9e657fac15b7dd7b4b1ccca966cc016fc86cd302f878531b05976a14171c5c5dfcd63cfb6af0cacec662d455b27adff8fbe6dca6a70ff1a8999bf025c300c524

        • C:\Windows\System\svchost.exe

          Filesize

          206KB

          MD5

          90d46586f4880f7488c7dc6579b6f21a

          SHA1

          f8868e95627392220347eab9e1fea728c74f2a2e

          SHA256

          0f79eb4bff133d4721cef0f322b042e7a27ceb56e93505cdd279938442c382fe

          SHA512

          beb35ad9a95d7f58b2bed51d18f6969dc8c9bd2d69dffd9db75ed37f53fc0f73b461d4cbb99af33f08f4c557c8820df3ddc974961c50b81157acda498cee4b6b

        • \??\c:\windows\system\explorer.exe

          Filesize

          206KB

          MD5

          9b7eaa9cde0ceb7f613d8a5b2ffbed27

          SHA1

          61ad73b469fb889abb2da30c3d613b89392ba458

          SHA256

          4bfcfd35e8ca3651e1832d6bf17f638f143883f81d40efef756e5a7c755ef290

          SHA512

          d39bd2ce9842d5e45b5f84e62b3a373723f25bb1d47c54ba376b71795fdb1593defc23a5c84ee18735eb917f522f695d0a4e3ff2b5fbc771ae8901d758bc48ab

        • \??\c:\windows\system\spoolsv.exe

          Filesize

          206KB

          MD5

          2c8d50f521d8d94113c2cd28ba540513

          SHA1

          9d0d5273ab3b2405df2292cab85a7026c8c2bee4

          SHA256

          2cd94383d6091adafeb77d14f67ea0786177e3d9bc08790a4e5aeab9da69a94b

          SHA512

          9e657fac15b7dd7b4b1ccca966cc016fc86cd302f878531b05976a14171c5c5dfcd63cfb6af0cacec662d455b27adff8fbe6dca6a70ff1a8999bf025c300c524

        • \??\c:\windows\system\svchost.exe

          Filesize

          206KB

          MD5

          90d46586f4880f7488c7dc6579b6f21a

          SHA1

          f8868e95627392220347eab9e1fea728c74f2a2e

          SHA256

          0f79eb4bff133d4721cef0f322b042e7a27ceb56e93505cdd279938442c382fe

          SHA512

          beb35ad9a95d7f58b2bed51d18f6969dc8c9bd2d69dffd9db75ed37f53fc0f73b461d4cbb99af33f08f4c557c8820df3ddc974961c50b81157acda498cee4b6b