Analysis
max time kernel: 151s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/10/2022, 20:17
Static task: static1
Behavioral task: behavioral1
Sample: 07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46.exe
Resource: win10v2004-20220812-en
General
Target: 07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46.exe
Size: 122KB
MD5: 45a3f764928cd419befef5afcb73b160
SHA1: 40716a9a500da92b851a173399784ebf6db90662
SHA256: 07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46
SHA512: 1bd974875dfd18e9ce84118bd2b5c7f5a3d5a51ef9f9ac6c0d690b561519d6eb6ca6f8756a4a6129d677234105783693aacb72f63d4beee3dede518f0a9fb804
SSDEEP: 1536:nnyzF9MFVCujlsQoeQZZ86ukpj0nGGF9v+4DRP:nyzQVCujl71QZZ4kp4F9XtP
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Executes dropped EXE (4 IoCs)
pid | Process
2568 | explorer.exe
2512 | spoolsv.exe
5084 | svchost.exe
3236 | spoolsv.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | svchost.exe
Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\System\tjud.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | 07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | entries
924 | 07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46.exe | 2
2568 | explorer.exe | 32
5084 | svchost.exe | 30
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2568 | explorer.exe
5084 | svchost.exe
Suspicious use of SetWindowsHookEx (10 IoCs)
pid | Process | entries
924 | 07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46.exe | 2
2568 | explorer.exe | 2
2512 | spoolsv.exe | 2
5084 | svchost.exe | 2
3236 | spoolsv.exe | 2
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target | entries
PID 924 wrote to memory of 2568 | 924 | 07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46.exe | 81 | 3
PID 2568 wrote to memory of 2512 | 2568 | explorer.exe | 82 | 3
PID 2512 wrote to memory of 5084 | 2512 | spoolsv.exe | 83 | 3
PID 5084 wrote to memory of 3236 | 5084 | svchost.exe | 84 | 3
Processes
1. C:\Users\Admin\AppData\Local\Temp\07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46.exe"
   PID: 924
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. \??\c:\windows\system\explorer.exe (child of PID 924)
      Command line: c:\windows\system\explorer.exe
      PID: 2568
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Modifies Installed Components in the registry
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. \??\c:\windows\system\spoolsv.exe (child of PID 2568)
         Command line: c:\windows\system\spoolsv.exe SE
         PID: 2512
         - Executes dropped EXE
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. \??\c:\windows\system\svchost.exe (child of PID 2512)
            Command line: c:\windows\system\svchost.exe
            PID: 5084
            - Modifies WinLogon for persistence
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Modifies Installed Components in the registry
            - Adds Run key to start application
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. \??\c:\windows\system\spoolsv.exe (child of PID 5084)
               Command line: c:\windows\system\spoolsv.exe PR
               PID: 3236
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 122KB
  MD5: c0e98582a93c9a8af27bb74e1307a1b8
  SHA1: ebb3250fd619ba6d5491d2aafd51731ac302483d
  SHA256: 4afe50abc14d4afc3883c29f6e2648df4ee464c1f3c196d3be9672b39a5fe734
  SHA512: 61fac51c7755822ea6446ce14198e633b16a84240296f9cdea9edeb3f342d9f51d8c35ebdebbab0bf23a323ed2249f3fd0b7f0fd68c9049a6af5481a33925f56
- Filesize: 122KB
  MD5: f456598f4c3daf2859167b65573d6764
  SHA1: d426f3fa0f32c09b1c4e63c0815147369fa47ff6
  SHA256: 9449b50922f9b547d499d9958e50d8a2c0cfa842643e8aeffbe2d98bb69597ba
  SHA512: 3c5faa4b8394e3eec55b3a11b861429122c3ab7aca6fc660ace45b28712b735e12902d7c12d21512a445a68196e8a9e7bc099004787a6155caf21cbb118def8d
- Filesize: 122KB
  MD5: 1defb37574ba31edb9a2bd62bb1caba0
  SHA1: fea2208f95f910ecefa6ff166ebe275cd01a3312
  SHA256: 955633c56fd1937c9222c538a5cf49385f2e9806187238d445dfe2f674505f32
  SHA512: 79be173c5566072611747baf67418a0a7fdefe333441e1451cd65bf8d503364555cd38c2c235ef2ec694a1f8fd05f27999b9a1fed31588f4a3ec471a272f694b
- Filesize: 122KB
  MD5: 1defb37574ba31edb9a2bd62bb1caba0
  SHA1: fea2208f95f910ecefa6ff166ebe275cd01a3312
  SHA256: 955633c56fd1937c9222c538a5cf49385f2e9806187238d445dfe2f674505f32
  SHA512: 79be173c5566072611747baf67418a0a7fdefe333441e1451cd65bf8d503364555cd38c2c235ef2ec694a1f8fd05f27999b9a1fed31588f4a3ec471a272f694b
- Filesize: 122KB
  MD5: 175bd2bf3c6b6d6d96ec61eb19c3cbe6
  SHA1: 0801b234a7e09e47d798c7be62683b7dca5c87d7
  SHA256: 033eca55cd17d74de61020dfecc795ec28d20353623036820a571bdcdf88b872
  SHA512: 583e5399d25cbfde2388f335c63ae4a4e6e60a0c6b3f9b48b0cfcd2173253254e6efc428c933190bba83029f801f3e5e7db81824ff2d91876a69d554cb5f0430
- Filesize: 122KB
  MD5: f456598f4c3daf2859167b65573d6764
  SHA1: d426f3fa0f32c09b1c4e63c0815147369fa47ff6
  SHA256: 9449b50922f9b547d499d9958e50d8a2c0cfa842643e8aeffbe2d98bb69597ba
  SHA512: 3c5faa4b8394e3eec55b3a11b861429122c3ab7aca6fc660ace45b28712b735e12902d7c12d21512a445a68196e8a9e7bc099004787a6155caf21cbb118def8d
- Filesize: 122KB
  MD5: 1defb37574ba31edb9a2bd62bb1caba0
  SHA1: fea2208f95f910ecefa6ff166ebe275cd01a3312
  SHA256: 955633c56fd1937c9222c538a5cf49385f2e9806187238d445dfe2f674505f32
  SHA512: 79be173c5566072611747baf67418a0a7fdefe333441e1451cd65bf8d503364555cd38c2c235ef2ec694a1f8fd05f27999b9a1fed31588f4a3ec471a272f694b
- Filesize: 122KB
  MD5: 175bd2bf3c6b6d6d96ec61eb19c3cbe6
  SHA1: 0801b234a7e09e47d798c7be62683b7dca5c87d7
  SHA256: 033eca55cd17d74de61020dfecc795ec28d20353623036820a571bdcdf88b872
  SHA512: 583e5399d25cbfde2388f335c63ae4a4e6e60a0c6b3f9b48b0cfcd2173253254e6efc428c933190bba83029f801f3e5e7db81824ff2d91876a69d554cb5f0430