Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/10/2022, 20:17

General

  • Target

    07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46.exe

  • Size

    122KB

  • MD5

    45a3f764928cd419befef5afcb73b160

  • SHA1

    40716a9a500da92b851a173399784ebf6db90662

  • SHA256

    07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46

  • SHA512

    1bd974875dfd18e9ce84118bd2b5c7f5a3d5a51ef9f9ac6c0d690b561519d6eb6ca6f8756a4a6129d677234105783693aacb72f63d4beee3dede518f0a9fb804

  • SSDEEP

    1536:nnyzF9MFVCujlsQoeQZZ86ukpj0nGGF9v+4DRP:nyzQVCujl71QZZ4kp4F9XtP

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46.exe
    "C:\Users\Admin\AppData\Local\Temp\07ec902716074642b4769a94245fcd611a36dfd1f8fc23b531cae046a008cb46.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:924
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2568
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2512
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5084
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3236

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\mrsys.exe

    Filesize

    122KB

    MD5

    c0e98582a93c9a8af27bb74e1307a1b8

    SHA1

    ebb3250fd619ba6d5491d2aafd51731ac302483d

    SHA256

    4afe50abc14d4afc3883c29f6e2648df4ee464c1f3c196d3be9672b39a5fe734

    SHA512

    61fac51c7755822ea6446ce14198e633b16a84240296f9cdea9edeb3f342d9f51d8c35ebdebbab0bf23a323ed2249f3fd0b7f0fd68c9049a6af5481a33925f56

  • C:\Windows\System\explorer.exe

    Filesize

    122KB

    MD5

    f456598f4c3daf2859167b65573d6764

    SHA1

    d426f3fa0f32c09b1c4e63c0815147369fa47ff6

    SHA256

    9449b50922f9b547d499d9958e50d8a2c0cfa842643e8aeffbe2d98bb69597ba

    SHA512

    3c5faa4b8394e3eec55b3a11b861429122c3ab7aca6fc660ace45b28712b735e12902d7c12d21512a445a68196e8a9e7bc099004787a6155caf21cbb118def8d

  • C:\Windows\System\spoolsv.exe

    Filesize

    122KB

    MD5

    1defb37574ba31edb9a2bd62bb1caba0

    SHA1

    fea2208f95f910ecefa6ff166ebe275cd01a3312

    SHA256

    955633c56fd1937c9222c538a5cf49385f2e9806187238d445dfe2f674505f32

    SHA512

    79be173c5566072611747baf67418a0a7fdefe333441e1451cd65bf8d503364555cd38c2c235ef2ec694a1f8fd05f27999b9a1fed31588f4a3ec471a272f694b

  • C:\Windows\System\spoolsv.exe

    Filesize

    122KB

    MD5

    1defb37574ba31edb9a2bd62bb1caba0

    SHA1

    fea2208f95f910ecefa6ff166ebe275cd01a3312

    SHA256

    955633c56fd1937c9222c538a5cf49385f2e9806187238d445dfe2f674505f32

    SHA512

    79be173c5566072611747baf67418a0a7fdefe333441e1451cd65bf8d503364555cd38c2c235ef2ec694a1f8fd05f27999b9a1fed31588f4a3ec471a272f694b

  • C:\Windows\System\svchost.exe

    Filesize

    122KB

    MD5

    175bd2bf3c6b6d6d96ec61eb19c3cbe6

    SHA1

    0801b234a7e09e47d798c7be62683b7dca5c87d7

    SHA256

    033eca55cd17d74de61020dfecc795ec28d20353623036820a571bdcdf88b872

    SHA512

    583e5399d25cbfde2388f335c63ae4a4e6e60a0c6b3f9b48b0cfcd2173253254e6efc428c933190bba83029f801f3e5e7db81824ff2d91876a69d554cb5f0430

  • \??\c:\windows\system\explorer.exe

    Filesize

    122KB

    MD5

    f456598f4c3daf2859167b65573d6764

    SHA1

    d426f3fa0f32c09b1c4e63c0815147369fa47ff6

    SHA256

    9449b50922f9b547d499d9958e50d8a2c0cfa842643e8aeffbe2d98bb69597ba

    SHA512

    3c5faa4b8394e3eec55b3a11b861429122c3ab7aca6fc660ace45b28712b735e12902d7c12d21512a445a68196e8a9e7bc099004787a6155caf21cbb118def8d

  • \??\c:\windows\system\spoolsv.exe

    Filesize

    122KB

    MD5

    1defb37574ba31edb9a2bd62bb1caba0

    SHA1

    fea2208f95f910ecefa6ff166ebe275cd01a3312

    SHA256

    955633c56fd1937c9222c538a5cf49385f2e9806187238d445dfe2f674505f32

    SHA512

    79be173c5566072611747baf67418a0a7fdefe333441e1451cd65bf8d503364555cd38c2c235ef2ec694a1f8fd05f27999b9a1fed31588f4a3ec471a272f694b

  • \??\c:\windows\system\svchost.exe

    Filesize

    122KB

    MD5

    175bd2bf3c6b6d6d96ec61eb19c3cbe6

    SHA1

    0801b234a7e09e47d798c7be62683b7dca5c87d7

    SHA256

    033eca55cd17d74de61020dfecc795ec28d20353623036820a571bdcdf88b872

    SHA512

    583e5399d25cbfde2388f335c63ae4a4e6e60a0c6b3f9b48b0cfcd2173253254e6efc428c933190bba83029f801f3e5e7db81824ff2d91876a69d554cb5f0430