Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
189s -
max time network
214s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
27/11/2022, 18:54
General
-
Target
7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe
-
Size
45KB
-
MD5
2994abd723b58d66f299e850b6612407
-
SHA1
2ed7d52364bd8f0be095674a000fe6d9301a51d9
-
SHA256
7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f
-
SHA512
4692ef1d5ce7d6ebd2dcdf3dd93accf92d3001795e5efbd8f85c2ccee34495cca00f49aa5d7f659c7f24f1c55258f76d1bdeacb3f60175e1f0de236602f7c8af
-
SSDEEP
768:E1AuwHyeFo6NPIFAoslbf8eRYLGXdoIFbb5omuKWcbsvwnoT9D88888888888JXX:EOxyeFo6NPCAosxYyXdF5oy3VoKX
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 8 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
-
Executes dropped EXE 15 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 29 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 23 IoCs
-
Suspicious use of WriteProcessMemory 53 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe"C:\Users\Admin\AppData\Local\Temp\7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\userinit.exeC:\Windows\system32\userinit.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Explorer.exeExplorer.exe "C:\recycled\SVCHOST.exe"4⤵
-
-
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\SVCHOST.EXEC:\recycled\SVCHOST.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\SPOOLSV.EXEC:\recycled\SPOOLSV.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\recycled\CTFMON.EXEC:\recycled\CTFMON.EXE :agent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7970437bfe8c8754fa29bde7712bd0e8313d2e91bd53d85ac814bdacf091833f.doc" /o ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
45KB
MD55c1d64c20ac478b738479b36e0463653
SHA11517cff4a95bb43ed877538cba5f8c9590024272
SHA2561b8ba0f415d7920b85ed6fcfc162cd05ae41df4291accac936f34a8a98d562f9
SHA5129a720c0c53d47f8f7c88491189494d65ea477aa341e9d9f6af6ac8a672ff85d4eda8d00a495899a62f6a351d450d4e0b5746ea2407135ad58972077d04197ec3
-
Filesize
45KB
MD55c1d64c20ac478b738479b36e0463653
SHA11517cff4a95bb43ed877538cba5f8c9590024272
SHA2561b8ba0f415d7920b85ed6fcfc162cd05ae41df4291accac936f34a8a98d562f9
SHA5129a720c0c53d47f8f7c88491189494d65ea477aa341e9d9f6af6ac8a672ff85d4eda8d00a495899a62f6a351d450d4e0b5746ea2407135ad58972077d04197ec3
-
Filesize
45KB
MD55c1d64c20ac478b738479b36e0463653
SHA11517cff4a95bb43ed877538cba5f8c9590024272
SHA2561b8ba0f415d7920b85ed6fcfc162cd05ae41df4291accac936f34a8a98d562f9
SHA5129a720c0c53d47f8f7c88491189494d65ea477aa341e9d9f6af6ac8a672ff85d4eda8d00a495899a62f6a351d450d4e0b5746ea2407135ad58972077d04197ec3
-
Filesize
45KB
MD55c1d64c20ac478b738479b36e0463653
SHA11517cff4a95bb43ed877538cba5f8c9590024272
SHA2561b8ba0f415d7920b85ed6fcfc162cd05ae41df4291accac936f34a8a98d562f9
SHA5129a720c0c53d47f8f7c88491189494d65ea477aa341e9d9f6af6ac8a672ff85d4eda8d00a495899a62f6a351d450d4e0b5746ea2407135ad58972077d04197ec3
-
Filesize
45KB
MD55c1d64c20ac478b738479b36e0463653
SHA11517cff4a95bb43ed877538cba5f8c9590024272
SHA2561b8ba0f415d7920b85ed6fcfc162cd05ae41df4291accac936f34a8a98d562f9
SHA5129a720c0c53d47f8f7c88491189494d65ea477aa341e9d9f6af6ac8a672ff85d4eda8d00a495899a62f6a351d450d4e0b5746ea2407135ad58972077d04197ec3
-
Filesize
45KB
MD5a04b04b9a794416c8d3db01304db7b33
SHA1654d08c0b916613a704246297a4288907c2de8cd
SHA256adf1268b1d3fd615086ac575e3ec22838fc89eb9b10427fdeb5bdb8bed65b173
SHA51281c7897094eca69589bcbd0edc3c230c98427ad9d0a5078dbe4b7dd66e467b0ac32c23fe1e81e42f028bc26ef69feeabc3ed9e43819aeaaad21bb5b441043da4
-
Filesize
45KB
MD5a04b04b9a794416c8d3db01304db7b33
SHA1654d08c0b916613a704246297a4288907c2de8cd
SHA256adf1268b1d3fd615086ac575e3ec22838fc89eb9b10427fdeb5bdb8bed65b173
SHA51281c7897094eca69589bcbd0edc3c230c98427ad9d0a5078dbe4b7dd66e467b0ac32c23fe1e81e42f028bc26ef69feeabc3ed9e43819aeaaad21bb5b441043da4
-
Filesize
45KB
MD5a04b04b9a794416c8d3db01304db7b33
SHA1654d08c0b916613a704246297a4288907c2de8cd
SHA256adf1268b1d3fd615086ac575e3ec22838fc89eb9b10427fdeb5bdb8bed65b173
SHA51281c7897094eca69589bcbd0edc3c230c98427ad9d0a5078dbe4b7dd66e467b0ac32c23fe1e81e42f028bc26ef69feeabc3ed9e43819aeaaad21bb5b441043da4
-
Filesize
45KB
MD5a04b04b9a794416c8d3db01304db7b33
SHA1654d08c0b916613a704246297a4288907c2de8cd
SHA256adf1268b1d3fd615086ac575e3ec22838fc89eb9b10427fdeb5bdb8bed65b173
SHA51281c7897094eca69589bcbd0edc3c230c98427ad9d0a5078dbe4b7dd66e467b0ac32c23fe1e81e42f028bc26ef69feeabc3ed9e43819aeaaad21bb5b441043da4
-
Filesize
45KB
MD5a04b04b9a794416c8d3db01304db7b33
SHA1654d08c0b916613a704246297a4288907c2de8cd
SHA256adf1268b1d3fd615086ac575e3ec22838fc89eb9b10427fdeb5bdb8bed65b173
SHA51281c7897094eca69589bcbd0edc3c230c98427ad9d0a5078dbe4b7dd66e467b0ac32c23fe1e81e42f028bc26ef69feeabc3ed9e43819aeaaad21bb5b441043da4
-
Filesize
45KB
MD5519f9ccb8c978b2d7ff33608c5733fd3
SHA1b27ae5f0f82916117b27a8e9dae2c94f5876145c
SHA256dff55ae43b4cb1d6b93bd8763e2256eb4e04e332e579a8cbd2f985fb80b6f806
SHA512411a272d68b34bfffc315d2024629cb3c9d7af9b1caeb3f1296b1192a754a430d76672d43561e903353efa676b8cd98458385305931750bb32ed25a237e2eff5
-
Filesize
45KB
MD5519f9ccb8c978b2d7ff33608c5733fd3
SHA1b27ae5f0f82916117b27a8e9dae2c94f5876145c
SHA256dff55ae43b4cb1d6b93bd8763e2256eb4e04e332e579a8cbd2f985fb80b6f806
SHA512411a272d68b34bfffc315d2024629cb3c9d7af9b1caeb3f1296b1192a754a430d76672d43561e903353efa676b8cd98458385305931750bb32ed25a237e2eff5
-
Filesize
45KB
MD5519f9ccb8c978b2d7ff33608c5733fd3
SHA1b27ae5f0f82916117b27a8e9dae2c94f5876145c
SHA256dff55ae43b4cb1d6b93bd8763e2256eb4e04e332e579a8cbd2f985fb80b6f806
SHA512411a272d68b34bfffc315d2024629cb3c9d7af9b1caeb3f1296b1192a754a430d76672d43561e903353efa676b8cd98458385305931750bb32ed25a237e2eff5
-
Filesize
45KB
MD5519f9ccb8c978b2d7ff33608c5733fd3
SHA1b27ae5f0f82916117b27a8e9dae2c94f5876145c
SHA256dff55ae43b4cb1d6b93bd8763e2256eb4e04e332e579a8cbd2f985fb80b6f806
SHA512411a272d68b34bfffc315d2024629cb3c9d7af9b1caeb3f1296b1192a754a430d76672d43561e903353efa676b8cd98458385305931750bb32ed25a237e2eff5
-
Filesize
45KB
MD5519f9ccb8c978b2d7ff33608c5733fd3
SHA1b27ae5f0f82916117b27a8e9dae2c94f5876145c
SHA256dff55ae43b4cb1d6b93bd8763e2256eb4e04e332e579a8cbd2f985fb80b6f806
SHA512411a272d68b34bfffc315d2024629cb3c9d7af9b1caeb3f1296b1192a754a430d76672d43561e903353efa676b8cd98458385305931750bb32ed25a237e2eff5
-
Filesize
65B
MD5ad0b0b4416f06af436328a3c12dc491b
SHA1743c7ad130780de78ccbf75aa6f84298720ad3fa
SHA25623521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416
SHA512884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56
-
Filesize
1KB
MD50269b6347e473980c5378044ac67aa1f
SHA1c3334de50e320ad8bce8398acff95c363d039245
SHA25668f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b
-
Filesize
1KB
MD50269b6347e473980c5378044ac67aa1f
SHA1c3334de50e320ad8bce8398acff95c363d039245
SHA25668f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b
-
Filesize
1KB
MD50269b6347e473980c5378044ac67aa1f
SHA1c3334de50e320ad8bce8398acff95c363d039245
SHA25668f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2
SHA512e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b
-
Filesize
45KB
MD55c1d64c20ac478b738479b36e0463653
SHA11517cff4a95bb43ed877538cba5f8c9590024272
SHA2561b8ba0f415d7920b85ed6fcfc162cd05ae41df4291accac936f34a8a98d562f9
SHA5129a720c0c53d47f8f7c88491189494d65ea477aa341e9d9f6af6ac8a672ff85d4eda8d00a495899a62f6a351d450d4e0b5746ea2407135ad58972077d04197ec3
-
Filesize
45KB
MD5a04b04b9a794416c8d3db01304db7b33
SHA1654d08c0b916613a704246297a4288907c2de8cd
SHA256adf1268b1d3fd615086ac575e3ec22838fc89eb9b10427fdeb5bdb8bed65b173
SHA51281c7897094eca69589bcbd0edc3c230c98427ad9d0a5078dbe4b7dd66e467b0ac32c23fe1e81e42f028bc26ef69feeabc3ed9e43819aeaaad21bb5b441043da4
-
Filesize
45KB
MD5519f9ccb8c978b2d7ff33608c5733fd3
SHA1b27ae5f0f82916117b27a8e9dae2c94f5876145c
SHA256dff55ae43b4cb1d6b93bd8763e2256eb4e04e332e579a8cbd2f985fb80b6f806
SHA512411a272d68b34bfffc315d2024629cb3c9d7af9b1caeb3f1296b1192a754a430d76672d43561e903353efa676b8cd98458385305931750bb32ed25a237e2eff5
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
104KB