Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/11/2023, 22:58

General

  • Target

    NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe

  • Size

    211KB

  • MD5

    3aa153304f53a2ea33e4c74a4ad07dd0

  • SHA1

    620eb2916f6c484e6ddc95932e8ef7b3720a137f

  • SHA256

    91e8a25e056ef3d6d6c733170ba9ae92e2dac95866c2c7ef865eb97cf77b91b1

  • SHA512

    b16947b8f6b7558dc410657032722520dc9b7491045763ca071133b358904b15a795017d99adba66ea08843f2094951b137335456776a6e21f8fcbf81fc6af8a

  • SSDEEP

    3072:bDpM9Nvih5c9DE1pvAPXIHLfMgw7ySBL8PEAjAfIbAYGPJz6sPJBINFZ1Fqnj:b1iNKQxENHLfMgw7y9Zrs

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.3aa153304f53a2ea33e4c74a4ad07dd0.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:764
    • \??\c:\windows\userinit.exe
      c:\windows\userinit.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2104
      • \??\c:\windows\spoolsw.exe
        c:\windows\spoolsw.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2888
        • \??\c:\windows\swchost.exe
          c:\windows\swchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2624
          • \??\c:\windows\spoolsw.exe
            c:\windows\spoolsw.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2604

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\mrsys.exe

    Filesize

    211KB

    MD5

    eadf51ad1695128b070f2fa4f0956991

    SHA1

    c69ef227a11445ce37a7db30880a1c25fbe0dfe9

    SHA256

    f742b4a5e3283f21a1c2616faf2cda521fcf3fbd2cd887e144b8f2804a84169b

    SHA512

    b1b83abfa1baa2826a67e9460dc0b5e004787f8bbe5413ed344488c1df8f7e018ce5f4c2368bbfcda6b9a2b3662adbb3884b7bb5befe83899e9f371e5c3b40c1

  • C:\Windows\spoolsw.exe

    Filesize

    211KB

    MD5

    7399365c217819b86b7eaa6a5f283cd0

    SHA1

    99a0b753c4d5ec07c6771445ed0ac76fd53906e9

    SHA256

    9a620f754391ab893285c1b6f2ccd80551608da85cd319627398e2c0e296adf5

    SHA512

    abee12c63444c453b759c597016b174601ce4ea80cddfca8731b1d7a4a12f9e0f02323c28bed0acee3bc32b9217bb0ef0b5acee7ef272609eff9609abb7323a4

  • C:\Windows\swchost.exe

    Filesize

    211KB

    MD5

    1f32dbbf091651b3c357dfd88fa228e2

    SHA1

    6d30ef9eee3e8708d8fda2d4f40d87ceac05739e

    SHA256

    660dea3a2c1925eef7a9e7882a2de3aca0a56c843e75fda5f644cd9a5c60b0f5

    SHA512

    36cc1bf5b85d5e1c1fa90fb8c9becac22f4baab864016cfc96685afd5c548e04d579c8a39b2572deba24225763ab2b43e36252aadb8832fe31d54b7a87f9735e

  • C:\Windows\userinit.exe

    Filesize

    211KB

    MD5

    c0098356e98ab3681b66102567bdc4bd

    SHA1

    12f6ff757a1ea1de06de0fdda0fc50660211e495

    SHA256

    a7da676df7732697313594dac461ddd4bebb8940129a0f8b078dcefd3b485f79

    SHA512

    11106e9116d48c56ec7234d427f9c4af004061aba449ec221d155b9d5b133e17232fa8ee8075be3c054e5233992e1c74b5d774e0e4f81a5b08494274bf71af2e

  • \??\c:\windows\spoolsw.exe

    Filesize

    211KB

    MD5

    7399365c217819b86b7eaa6a5f283cd0

    SHA1

    99a0b753c4d5ec07c6771445ed0ac76fd53906e9

    SHA256

    9a620f754391ab893285c1b6f2ccd80551608da85cd319627398e2c0e296adf5

    SHA512

    abee12c63444c453b759c597016b174601ce4ea80cddfca8731b1d7a4a12f9e0f02323c28bed0acee3bc32b9217bb0ef0b5acee7ef272609eff9609abb7323a4

  • \??\c:\windows\swchost.exe

    Filesize

    211KB

    MD5

    1f32dbbf091651b3c357dfd88fa228e2

    SHA1

    6d30ef9eee3e8708d8fda2d4f40d87ceac05739e

    SHA256

    660dea3a2c1925eef7a9e7882a2de3aca0a56c843e75fda5f644cd9a5c60b0f5

    SHA512

    36cc1bf5b85d5e1c1fa90fb8c9becac22f4baab864016cfc96685afd5c548e04d579c8a39b2572deba24225763ab2b43e36252aadb8832fe31d54b7a87f9735e

  • \??\c:\windows\userinit.exe

    Filesize

    211KB

    MD5

    c0098356e98ab3681b66102567bdc4bd

    SHA1

    12f6ff757a1ea1de06de0fdda0fc50660211e495

    SHA256

    a7da676df7732697313594dac461ddd4bebb8940129a0f8b078dcefd3b485f79

    SHA512

    11106e9116d48c56ec7234d427f9c4af004061aba449ec221d155b9d5b133e17232fa8ee8075be3c054e5233992e1c74b5d774e0e4f81a5b08494274bf71af2e