Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

b095b45efc...89.exe

windows7-x64

10

b095b45efc...89.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    07/11/2022, 05:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b095b45efce9e6ac37c9081b9d4ac79f076b43c3d44eddc8f9ab6281b4a40689.exe

  • Size

    122KB

  • MD5

    052987e8936df481fcfc85ddf9e6fee6

  • SHA1

    4fb863617d76cbe1572df02c6e0c951b3ea9d731

  • SHA256

    b095b45efce9e6ac37c9081b9d4ac79f076b43c3d44eddc8f9ab6281b4a40689

  • SHA512

    27e6a53a9d678e50d1c982f6376b824445064cb80c0ad8d3ea7e7f1751e6e9def9823ca8bafe509bc322fb0ed8ebf125479b624a3ceecb377dee88ab6cfd5eef

  • SSDEEP

    1536:nFyzF9MFVCujlsQoeQZZ86ukpj0nGGF9v+4DR5X:FyzQVCujl71QZZ4kp4F9Xtx

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b095b45efce9e6ac37c9081b9d4ac79f076b43c3d44eddc8f9ab6281b4a40689.exe
    "C:\Users\Admin\AppData\Local\Temp\b095b45efce9e6ac37c9081b9d4ac79f076b43c3d44eddc8f9ab6281b4a40689.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1952
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Modifies Installed Components in the registry
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1944
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:960
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1644
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1752

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\mrsys.exe
    Filesize

    122KB

    MD5

    5f987ebccbae4c4a97f921f276dc8483

    SHA1

    56fd68683c3c204f862b6e4017ad263bc4b9200e

    SHA256

    fe88092fe4c23b0599a713a90e5e7f89b4e320d6ed55caaeed67c52ace2b0420

    SHA512

    b338fc0697e0bbf89d5567434812d3d12ac7dc7736bc9255b63e0cea9cdd3afee256fdd8f35d3f584e5cf3a605ea5d2c377e0f30a35aec0d3d3637c4faf6a701

    Download Submit

  • C:\Windows\system\explorer.exe
    Filesize

    122KB

    MD5

    c39f41ccc08e7e699e86f4a5c13652ca

    SHA1

    b8e1c073edd594de1e099b92396b154dc0f781c4

    SHA256

    a7c4b8d46aee80ee09091714662a5ba24d74414ea5b636afd2424c94b43d16b1

    SHA512

    0e105710bf2f9a269c0282f54b352df8ec9ed43553b6160f276a510498f019e162ec21e3f4cadd898ec9243cae281b7cbdeb522b1fdca512e7a0d73d954fbc39

    Download Submit

  • C:\Windows\system\spoolsv.exe
    Filesize

    122KB

    MD5

    c024d1c2d3bc7712e4b5fb4727e91a88

    SHA1

    91968c8361b77e8e1b7f1fea7c4b862092117814

    SHA256

    e688b0c4cce79f3518c13c3c6ad1f5820ca7fadbd1e6b8f991e433220f2e8798

    SHA512

    566d6cb4d5636bfa99df31f0944e405d5f4e9c74737932fe5ef1c2ce19799851220162fe764f0a5afcd25437e13b2bcaf98c911cd4987374644db71b87e099db

    Download Submit

  • C:\Windows\system\spoolsv.exe
    Filesize

    122KB

    MD5

    c024d1c2d3bc7712e4b5fb4727e91a88

    SHA1

    91968c8361b77e8e1b7f1fea7c4b862092117814

    SHA256

    e688b0c4cce79f3518c13c3c6ad1f5820ca7fadbd1e6b8f991e433220f2e8798

    SHA512

    566d6cb4d5636bfa99df31f0944e405d5f4e9c74737932fe5ef1c2ce19799851220162fe764f0a5afcd25437e13b2bcaf98c911cd4987374644db71b87e099db

    Download Submit

  • C:\Windows\system\svchost.exe
    Filesize

    122KB

    MD5

    be6f2c57e7e3ea317bfead9b5e638467

    SHA1

    8b918be3e5db0110451b27a2c5321ed6ae43f149

    SHA256

    917ab518afffdca084138542a920fda3c5c32540a8ad2fd106d05774350e20cc

    SHA512

    ba5383517e16a82515ee641183c38cf883e14b055b233e683b6e7c33dba67d78324c2056fb7644d69b1064f62fe0724a662cfcad9ede1c4e08eac64a54d05bc6

    Download Submit

  • \??\c:\windows\system\explorer.exe
    Filesize

    122KB

    MD5

    c39f41ccc08e7e699e86f4a5c13652ca

    SHA1

    b8e1c073edd594de1e099b92396b154dc0f781c4

    SHA256

    a7c4b8d46aee80ee09091714662a5ba24d74414ea5b636afd2424c94b43d16b1

    SHA512

    0e105710bf2f9a269c0282f54b352df8ec9ed43553b6160f276a510498f019e162ec21e3f4cadd898ec9243cae281b7cbdeb522b1fdca512e7a0d73d954fbc39

    Download Submit

  • \??\c:\windows\system\spoolsv.exe
    Filesize

    122KB

    MD5

    c024d1c2d3bc7712e4b5fb4727e91a88

    SHA1

    91968c8361b77e8e1b7f1fea7c4b862092117814

    SHA256

    e688b0c4cce79f3518c13c3c6ad1f5820ca7fadbd1e6b8f991e433220f2e8798

    SHA512

    566d6cb4d5636bfa99df31f0944e405d5f4e9c74737932fe5ef1c2ce19799851220162fe764f0a5afcd25437e13b2bcaf98c911cd4987374644db71b87e099db

    Download Submit

  • \??\c:\windows\system\svchost.exe
    Filesize

    122KB

    MD5

    be6f2c57e7e3ea317bfead9b5e638467

    SHA1

    8b918be3e5db0110451b27a2c5321ed6ae43f149

    SHA256

    917ab518afffdca084138542a920fda3c5c32540a8ad2fd106d05774350e20cc

    SHA512

    ba5383517e16a82515ee641183c38cf883e14b055b233e683b6e7c33dba67d78324c2056fb7644d69b1064f62fe0724a662cfcad9ede1c4e08eac64a54d05bc6

    Download Submit

  • \Windows\system\explorer.exe
    Filesize

    122KB

    MD5

    c39f41ccc08e7e699e86f4a5c13652ca

    SHA1

    b8e1c073edd594de1e099b92396b154dc0f781c4

    SHA256

    a7c4b8d46aee80ee09091714662a5ba24d74414ea5b636afd2424c94b43d16b1

    SHA512

    0e105710bf2f9a269c0282f54b352df8ec9ed43553b6160f276a510498f019e162ec21e3f4cadd898ec9243cae281b7cbdeb522b1fdca512e7a0d73d954fbc39

    Download Submit

  • \Windows\system\explorer.exe
    Filesize

    122KB

    MD5

    c39f41ccc08e7e699e86f4a5c13652ca

    SHA1

    b8e1c073edd594de1e099b92396b154dc0f781c4

    SHA256

    a7c4b8d46aee80ee09091714662a5ba24d74414ea5b636afd2424c94b43d16b1

    SHA512

    0e105710bf2f9a269c0282f54b352df8ec9ed43553b6160f276a510498f019e162ec21e3f4cadd898ec9243cae281b7cbdeb522b1fdca512e7a0d73d954fbc39

    Download Submit

  • \Windows\system\spoolsv.exe
    Filesize

    122KB

    MD5

    c024d1c2d3bc7712e4b5fb4727e91a88

    SHA1

    91968c8361b77e8e1b7f1fea7c4b862092117814

    SHA256

    e688b0c4cce79f3518c13c3c6ad1f5820ca7fadbd1e6b8f991e433220f2e8798

    SHA512

    566d6cb4d5636bfa99df31f0944e405d5f4e9c74737932fe5ef1c2ce19799851220162fe764f0a5afcd25437e13b2bcaf98c911cd4987374644db71b87e099db

    Download Submit

  • \Windows\system\spoolsv.exe
    Filesize

    122KB

    MD5

    c024d1c2d3bc7712e4b5fb4727e91a88

    SHA1

    91968c8361b77e8e1b7f1fea7c4b862092117814

    SHA256

    e688b0c4cce79f3518c13c3c6ad1f5820ca7fadbd1e6b8f991e433220f2e8798

    SHA512

    566d6cb4d5636bfa99df31f0944e405d5f4e9c74737932fe5ef1c2ce19799851220162fe764f0a5afcd25437e13b2bcaf98c911cd4987374644db71b87e099db

    Download Submit

  • \Windows\system\spoolsv.exe
    Filesize

    122KB

    MD5

    c024d1c2d3bc7712e4b5fb4727e91a88

    SHA1

    91968c8361b77e8e1b7f1fea7c4b862092117814

    SHA256

    e688b0c4cce79f3518c13c3c6ad1f5820ca7fadbd1e6b8f991e433220f2e8798

    SHA512

    566d6cb4d5636bfa99df31f0944e405d5f4e9c74737932fe5ef1c2ce19799851220162fe764f0a5afcd25437e13b2bcaf98c911cd4987374644db71b87e099db

    Download Submit

  • \Windows\system\spoolsv.exe
    Filesize

    122KB

    MD5

    c024d1c2d3bc7712e4b5fb4727e91a88

    SHA1

    91968c8361b77e8e1b7f1fea7c4b862092117814

    SHA256

    e688b0c4cce79f3518c13c3c6ad1f5820ca7fadbd1e6b8f991e433220f2e8798

    SHA512

    566d6cb4d5636bfa99df31f0944e405d5f4e9c74737932fe5ef1c2ce19799851220162fe764f0a5afcd25437e13b2bcaf98c911cd4987374644db71b87e099db

    Download Submit

  • \Windows\system\svchost.exe
    Filesize

    122KB

    MD5

    be6f2c57e7e3ea317bfead9b5e638467

    SHA1

    8b918be3e5db0110451b27a2c5321ed6ae43f149

    SHA256

    917ab518afffdca084138542a920fda3c5c32540a8ad2fd106d05774350e20cc

    SHA512

    ba5383517e16a82515ee641183c38cf883e14b055b233e683b6e7c33dba67d78324c2056fb7644d69b1064f62fe0724a662cfcad9ede1c4e08eac64a54d05bc6

    Download Submit

  • \Windows\system\svchost.exe
    Filesize

    122KB

    MD5

    be6f2c57e7e3ea317bfead9b5e638467

    SHA1

    8b918be3e5db0110451b27a2c5321ed6ae43f149

    SHA256

    917ab518afffdca084138542a920fda3c5c32540a8ad2fd106d05774350e20cc

    SHA512

    ba5383517e16a82515ee641183c38cf883e14b055b233e683b6e7c33dba67d78324c2056fb7644d69b1064f62fe0724a662cfcad9ede1c4e08eac64a54d05bc6

    Download Submit

  • memory/1952-57-0x00000000750A1000-0x00000000750A3000-memory.dmp

    Filesize

    8KB

    Download