Analysis
- max time kernel: 150s
- max time network: 110s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/10/2022, 13:00
Static task: static1
Behavioral task behavioral1: sample e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da.exe on resource win7-20220812-en
Behavioral task behavioral2: sample e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da.exe on resource win10v2004-20220812-en (the run reported below, per the platform field above)
General
- Target: e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da.exe
- Size: 206KB
- MD5: 31544ee3caa4bbee6b4acdcfc6a62d00
- SHA1: 85c674a12e471e81d7d31354e28ccdd26c78ff30
- SHA256: e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da
- SHA512: 8f667a7ae266a87f8227fad14788080136cb38fdb7edb0442076e3f7e51b095a2b4e7dc719cf7d0ef7d1cc1eb304d78d3120cc388949d4f8af8d0b59f65a20e5
- SSDEEP: 3072:2vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6uniNeZ:2vEN2U+T6i5LirrllHy4HUcMQY6VEZ
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Winlogon starts every comma-separated entry in the Shell value, so appending the dropped copy makes it launch at each interactive logon next to the real Explorer. The writers named below are the dropped copies (PID 2448 explorer.exe and PID 2824 svchost.exe in the process tree), not the genuine binaries. The sample is 32-bit, so the write lands in the WOW6432Node view of the key; hunt in both the native and the WOW6432Node Winlogon keys.
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (svchost.exe)

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
ShowSuperHidden=0 keeps files carrying the hidden and system attributes out of Explorer listings. It is also the Windows default, so the value on its own is not a signal; what matters is that both dropped copies write it.
- Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (explorer.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (svchost.exe)

Executes dropped EXE (4 IoCs)
- PID 2448 explorer.exe
- PID 1132 spoolsv.exe
- PID 2824 svchost.exe
- PID 372 spoolsv.exe

Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
Active Setup runs each component's StubPath once per user profile at logon. Both component names here fail GUID syntax (they contain letters outside 0-9 and A-F), which is a cheap filter when hunting for Active Setup abuse, and the StubPath points into the user's roaming AppData. This page does not otherwise show mrsys.exe being written or run.
- Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (svchost.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (explorer.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (svchost.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (svchost.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (svchost.exe)

Adds Run key to start application (2 TTPs, 6 IoCs)
RunOnce entries are removed after they execute, which is consistent with both copies re-writing them. The trailing RO, SE, PR and MR tokens are arguments the copies pass to one another; their meaning is not established by this report.
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (explorer.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (svchost.exe)

Drops file in Windows directory (6 IoCs)
Every drop goes to C:\Windows\system, the legacy directory, not C:\Windows\System32. The copies borrow the names explorer.exe, svchost.exe and spoolsv.exe, so the full image path is what separates them from the genuine binaries. udsys.exe is written but never appears in the process tree.
- File opened for modification \??\c:\windows\system\svchost.exe (spoolsv.exe)
- File opened for modification \??\c:\windows\system\explorer.exe (explorer.exe)
- File opened for modification \??\c:\windows\system\svchost.exe (svchost.exe)
- File opened for modification C:\Windows\system\udsys.exe (explorer.exe)
- File opened for modification \??\c:\windows\system\explorer.exe (e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da.exe)
- File opened for modification \??\c:\windows\system\spoolsv.exe (explorer.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. Nothing else in this report (no file-encryption or ransom-note activity) supports that reading, so treat the label as a heuristic.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
64 events, all from PID 3916 (the submitted sample), PID 2448 (explorer.exe) and PID 2824 (svchost.exe).

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 2448 explorer.exe
- PID 2824 svchost.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
- PID 3916 e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da.exe (2 events)
- PID 2448 explorer.exe (4 events)
- PID 1132 spoolsv.exe (2 events)
- PID 2824 svchost.exe (2 events)
- PID 372 spoolsv.exe (2 events)

Suspicious use of WriteProcessMemory (21 IoCs)
Each parent-to-child write is logged three times; the seven edges are exactly the process-creation chain shown in the Processes section.
- PID 3916 e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da.exe wrote to PID 2448 explorer.exe (procid_target 79, 3 events)
- PID 2448 explorer.exe wrote to PID 1132 spoolsv.exe (procid_target 80, 3 events)
- PID 1132 spoolsv.exe wrote to PID 2824 svchost.exe (procid_target 81, 3 events)
- PID 2824 svchost.exe wrote to PID 372 spoolsv.exe (procid_target 82, 3 events)
- PID 2824 svchost.exe wrote to PID 1820 at.exe (procid_target 83, 3 events)
- PID 2824 svchost.exe wrote to PID 2508 at.exe (procid_target 92, 3 events)
- PID 2824 svchost.exe wrote to PID 3348 at.exe (procid_target 94, 3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da.exe (PID 3916)
  command line: "C:\Users\Admin\AppData\Local\Temp\e22dfa78ab72af556afa8b7f6ee7e7d831cf43e3ced76e62e83feddaa43c36da.exe"
  signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - \??\c:\windows\system\explorer.exe (PID 2448)
    command line: c:\windows\system\explorer.exe
    signatures: Modifies WinLogon for persistence; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Modifies Installed Components in the registry; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - \??\c:\windows\system\spoolsv.exe (PID 1132)
      command line: c:\windows\system\spoolsv.exe SE
      signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - \??\c:\windows\system\svchost.exe (PID 2824)
        command line: c:\windows\system\svchost.exe
        signatures: Modifies WinLogon for persistence; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Modifies Installed Components in the registry; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - \??\c:\windows\system\spoolsv.exe (PID 372)
          command line: c:\windows\system\spoolsv.exe PR
          signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\at.exe (PID 1820)
          command line: at 15:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (PID 2508)
          command line: at 15:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (PID 3348)
          command line: at 15:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Reading the chain: the sample writes and starts a copy named explorer.exe in C:\Windows\system; that copy starts spoolsv.exe SE, which starts svchost.exe, which starts spoolsv.exe PR and three at.exe jobs that would relaunch the svchost.exe copy every day at 15:02, 15:03 and 15:04. at.exe has been deprecated since Windows 8 in favour of schtasks.exe, and this report lists no scheduled-task signature, so whether the jobs were actually registered on this Windows 10 image is not established here; the command lines remain a strong hunting indicator on their own (at.exe with /every, spawned by a process running from C:\Windows\system). Every image below the sample runs from C:\Windows\system rather than C:\Windows or C:\Windows\System32, which is the simplest way to tell these copies from the genuine binaries.
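The registry and scheduling IoCs above translate directly into hunting logic. The following is an added example written for this page, not code from tria.ge or from the analysis of this sample. It runs a small set of rules (Winlogon Shell with extra entries, Active Setup components whose names are not GUIDs or whose StubPath points into a user profile, Run/RunOnce targets and process images that borrow a system binary's name outside its real directory, and at.exe jobs with /every or /interactive) over constructed events transcribed from the tables above, each list closed by a benign control row. The event shape, the rule names, the msiexec and services rows and the well-formed GUID in the benign row are assumptions made for this example.

```python
"""Hunting rules derived from the persistence IoCs in the report above.

Added example, not code from tria.ge or from the analysed sample. It runs offline
over constructed events transcribed from the signature tables (registry writes,
process launches), each list ending in a benign control row, and returns findings
that map one-to-one onto SIEM rules. Event shape, rule names and the benign rows
are assumptions made for this example.
"""
import ntpath
import re

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Directories (lower-case, drive stripped) where these binaries legitimately live.
LEGIT_DIRS = {"explorer.exe": {r"\windows"}, "spoolsv.exe": {r"\windows\system32"},
              "svchost.exe": {r"\windows\system32", r"\windows\syswow64"}}

def _image(cmdline):
    """Executable token of a command line or registry value: quoted path or first word."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.find('"', 1)]
    return cmdline.split(" ", 1)[0]

def _norm(path):
    """Lower-case the path and drop the NT \\??\\ prefix and the drive letter."""
    p = path.strip().lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return re.sub(r"^[a-z]:", "", p)

def masquerade(path):
    # True when a well-known system binary name runs from a directory it never lives in.
    p = _norm(path)
    name = ntpath.basename(p)
    return name in LEGIT_DIRS and ntpath.dirname(p) not in LEGIT_DIRS[name]

def check_registry(writer, key, value):
    """Rules over one 'Set value' event; key is the full path including the value name."""
    k, out = key.lower(), []
    if masquerade(writer):
        out.append(("high", "masquerading-writer", f"persistence write by {_norm(writer)}"))
    if k.endswith(r"\winlogon\shell"):
        # Winlogon starts every comma-separated entry; the default is just explorer.exe.
        entries = [_norm(e) for e in value.split(",")]
        if len(entries) > 1 or entries[0] not in ("explorer.exe", r"\windows\explorer.exe"):
            out.append(("high", "winlogon-shell", f"Shell={value}"))
    m = re.search(r"\\active setup\\installed components\\(\{[^\\]+\})\\stubpath$", k)
    if m:
        if not GUID_RE.match(m.group(1)):  # e.g. {F146C9B1-VMVQ-...}: letters outside 0-9A-F
            out.append(("high", "activesetup-bad-guid", f"component {m.group(1)} is not a GUID"))
        if _norm(_image(value)).startswith("\\users\\"):
            out.append(("high", "activesetup-profile-stubpath", f"StubPath={value}"))
    if re.search(r"\\currentversion\\run(once)?\\[^\\]+$", k) and masquerade(_image(value)):
        out.append(("high", "run-key-masquerade", f"{ntpath.basename(k)}={value}"))
    return out

def check_process(parent, image, cmdline):
    """Rules over one process-creation event."""
    out = []
    if ntpath.basename(_norm(image)) == "at.exe" and re.search(r"/every:|/interactive", cmdline, re.I):
        out.append(("high", "at-exe-scheduled-job", f"{_norm(parent)} ran: {cmdline}"))
    if masquerade(image):
        out.append(("high", "masquerading-image", f"{_norm(image)} launched by {_norm(parent)}"))
    return out

def hunt(reg_events, proc_events):
    """Run both rule sets; identical findings (one writer, many keys) are reported once."""
    raw = [f for ev in reg_events for f in check_registry(*ev)]
    raw += [f for ev in proc_events for f in check_process(*ev)]
    return list(dict.fromkeys(raw))

# Constructed events transcribed from the tables above; writer/parent paths are the
# dropped copies' full paths from the process tree. The last row of each list is benign.
REG_EVENTS = [
    (r"c:\windows\system\svchost.exe",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell",
     r"C:\Windows\explorer.exe, c:\windows\system\explorer.exe"),
    (r"c:\windows\system\explorer.exe",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components"
     r"\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath",
     r"C:\Users\Admin\AppData\Roaming\mrsys.exe MR"),
    (r"c:\windows\system\svchost.exe",
     r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost",
     r"c:\windows\system\svchost.exe RO"),
    (r"c:\windows\system32\msiexec.exe",  # benign: well-formed GUID, StubPath under System32
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"
     r"\{01234567-89AB-CDEF-0123-456789ABCDEF}\StubPath",
     r"C:\Windows\System32\ie4uinit.exe -UserConfig"),
]
PROC_EVENTS = [
    (r"c:\windows\system\svchost.exe", r"C:\Windows\SysWOW64\at.exe",
     r"at 15:02 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
    (r"c:\windows\system\explorer.exe", r"\??\c:\windows\system\spoolsv.exe",
     r"c:\windows\system\spoolsv.exe SE"),
    (r"c:\windows\system32\services.exe", r"C:\Windows\System32\svchost.exe",  # benign
     r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for sev, rule, detail in hunt(REG_EVENTS, PROC_EVENTS):
        print(f"[{sev}] {rule}: {detail}")
```

Each finding is a (severity, rule, detail) tuple, so the output can be piped straight into a ticket or a rule back-test. The masquerade check keys on the full image path because the process tree above shows the copies only in C:\Windows\system, never in the directories the genuine binaries use; the Winlogon rule splits on commas because Winlogon runs every entry, not just the first. ShowSuperHidden is deliberately left out: 0 is the default value, so it only carries weight alongside the writer check that the other rules already raise.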
Network
MITRE ATT&CK Enterprise v6 (the TTP counts in the Signatures section use this version; the technique mapping itself is not reproduced on this page)
Downloads
Eight dropped files are listed, each 206KB like the submitted sample, resolving to four distinct hashes; none matches the parent's MD5 31544ee3caa4bbee6b4acdcfc6a62d00. Copies of identical size but differing content mean hash-only detections will miss the others; key on the image path and behaviour above as well. File paths are not shown on this page.
- listed once: Filesize 206KB; MD5 5784fa21b6f17303b49ffcb6d63dcddd; SHA1 cb47b47a84c4f5153da9bde818856d47c6f9c6e9; SHA256 083f07759b79cf98aca5485e6e1b6f89da8c42da4223b482cd2f7819399e4e8f; SHA512 cc52bbf78a8d1b68c94887cdcbf32dcaa10e32e3ba91e97eb897667079bf0727351a4aad7515157027c61f6dd09b90b7a198dd2cad49e3592d37e1f97c3b1e2c
- listed twice: Filesize 206KB; MD5 ee53e1bf46ee85a4a5828056568d0d05; SHA1 3957c33931d6253b4418a2d8410bd61d66f21b21; SHA256 bd3be09ab606d6ef7a1ef0033070ce40e018c854bf038432ea92904cd6a01355; SHA512 529e7ef2eb5b3116b434db803b904038dbe6b7d8dc4cebe7fa216916ba036acd6b08a977266231bef0c957fb2d3a1f04c056fa2e143606f40506a7f08e474f4f
- listed three times: Filesize 206KB; MD5 26fbd416deb89229644bf199abf34fd4; SHA1 12488ea1d467ccc88f7d57b168b89ca33e07c7a6; SHA256 ba99d69d1b05558648887fcc919b47bd603c3a1aa0b4090463afb5f98f339090; SHA512 a3304e9d2ffd992e8c9536bbc761ee71e2aa1f64168642e232db19e8f2e62534e879737cb4fa60734abfe6fa2c9e07560323f74cb080a720d3121e4fc78317d3
- listed twice: Filesize 206KB; MD5 48dd95b4aa1cf84aefedada1efc03c9f; SHA1 944e1e1d7acd6ec3c22251276d1d999f3f056406; SHA256 81d9c07547fb9408b0f48ae192562ca2f649164a698eb58d36ee9a8a4cdc4ad9; SHA512 8b966bcb3dc8783af25e9e4e08c467c095f4e2812f4e1bfdc94e6b1b8fdb9a50168ca970bf5b4fd87739abbcf20fb47c903a9cf664fc96db1c19907cb1c78592