Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

63f6744d66...e0.exe

windows7-x64

10

63f6744d66...e0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    160s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/03/2024, 21:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe

  • Size

    87KB

  • MD5

    ab639eb2eecd4b4724a4920128ae5c7e

  • SHA1

    fc8a04433be9a046a02e86e1c7d444ff33521836

  • SHA256

    63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0

  • SHA512

    5dc4d1329c64c072d206e4d834291fbc54fb68b2924aa99e260e069f7c588d9396dfed291fba80ebd8ff49fa254f1479e6714cbe18973c05ad5066bd95c19cfa

  • SSDEEP

    1536:1a3+ddygX7y9v7Z+NoykJHBOAFRfBjG3ldoIy:08dfX7y9DZ+N7eB+IIy

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 29 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe
    "C:\Users\Admin\AppData\Local\Temp\63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1804
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3548
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:4564
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:4388
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4028
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4912
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3628
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3852
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1148
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1792
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1864
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.doc" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:1052
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4000 --field-trial-handle=2272,i,11831746627654527593,10138103687018060346,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:924

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recycled\SPOOLSV.EXE
      Filesize

      87KB

      MD5

      8686653f5abe20fdb50edd99a9341a3d

      SHA1

      0029c293632413ee4d98a606fdf212789ce250e6

      SHA256

      e3b4a33c647a5a887cdc1aa8a619341f15e7e8f70052d8ae8bd0156c51a040b2

      SHA512

      f8aeffe754f9c3e21005fd8f06c87c699f9ad1ce16952ad38d7e909bbac15a89e4f46fb1814f3f66d9acfc377bf69edfc2f95158eddb09ae7192e6dfae549eb7

      Download Submit

    • C:\Recycled\SVCHOST.EXE
      Filesize

      87KB

      MD5

      71e85656fe56e87ca54373387cf78fe1

      SHA1

      6d27826b9394d4a7b52a1e963f63f46900f8724e

      SHA256

      2f498b6ae9837366d01727805eb4561223d3227064893924b43beb2fa26216bf

      SHA512

      7779d2c45d1dde35adb4adae47c2737679c79f2d188ec0b7684084263d375ac26298eb45cae48058599fb41f461312789583a936cc1529ba8feb69f7f46299de

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
      Filesize

      2KB

      MD5

      1a1dce35d60d2c70ca8894954fd5d384

      SHA1

      58547dd65d506c892290755010d0232da34ee000

      SHA256

      2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

      SHA512

      4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

      Download Submit

    • C:\Windows\Fonts\ Explorer.exe
      Filesize

      87KB

      MD5

      104385f2606c2e28389addc2556fadcc

      SHA1

      b6af3bf1bf8207a2f72cbeb47e710d3a5fc366d1

      SHA256

      a97bf279830c9b17c5362fad05002b13a737f433ee8995a22f35d07f25cd48be

      SHA512

      638cce4ae23dbfd6e32c5f254f61a7a2abda41299d7c0902af2f84249665bddef47abe90e07dc2878e0f53293fd2d5340860ad7ddbad7470329f5cdb348227b4

      Download Submit

    • C:\Windows\Fonts\ Explorer.exe
      Filesize

      87KB

      MD5

      638dd3a7ff998132075ec4f6230890b6

      SHA1

      4ad777f5f8864130a751fba8332efa1be8c8271a

      SHA256

      c0e376778243f4f36c714e6a7dc0dd5e50003fbf8fffc61f757271b4fa32819a

      SHA512

      a1450e81a857e6c94bbd477b2897caf47fe9bc7dda782203790ef4546d2d72eb88e7b80607829fc044b8b333e22397c3b2a0cee0187fe87f26acabf7c6695f4e

      Download Submit

    • C:\Windows\Fonts\ Explorer.exe
      Filesize

      87KB

      MD5

      28f12a37081a1119acf9f4f730583c29

      SHA1

      6438ebe4b110d335f85f8e9eab6fb46a5a54c8df

      SHA256

      956316c5c947f0cc0c36d7ed404cb9c2ecf96dbb97ee97110d3a137774c2f747

      SHA512

      de5ca31704dffb7ea3953987b5047605ba59407e1fea117225e43e23243c445ed7d847cfbd2cb8f3367e4a4069bd2e9551ff04f4b42f68c08a63c2e4dcff17ac

      Download Submit

    • C:\begolu.txt
      Filesize

      2B

      MD5

      2b9d4fa85c8e82132bde46b143040142

      SHA1

      a02431cf7c501a5b368c91e41283419d8fa9fb03

      SHA256

      4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

      SHA512

      c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

      Download Submit

    • F:\Recycled\SVCHOST.EXE
      Filesize

      87KB

      MD5

      0004f3f092f5e824e9f0c90e03b10102

      SHA1

      1649c8e540431cc5c3d3fbb4a77329ef3b13bd2e

      SHA256

      6193e572fd5d979b907d4ec5c24018c08d4ba42d79adea063b96e424994a6bcb

      SHA512

      2550b5b957172ebdeb9c3bba5182d5f71b71a427fdd0419e84665a35fdf5cc88ff68bb28f1805a7133249725604005ac7336368b35ca9bdf053aff38a5c63dcd

      Download Submit

    • memory/1052-88-0x00007FF8AAE50000-0x00007FF8AAE60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1052-100-0x00007FF8EADD0000-0x00007FF8EAFC5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1052-128-0x00007FF8EADD0000-0x00007FF8EAFC5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1052-127-0x00007FF8EADD0000-0x00007FF8EAFC5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1052-108-0x00007FF8A85F0000-0x00007FF8A8600000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1052-107-0x00007FF8EADD0000-0x00007FF8EAFC5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1052-106-0x00007FF8EADD0000-0x00007FF8EAFC5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1052-105-0x00007FF8EADD0000-0x00007FF8EAFC5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1052-104-0x00007FF8EADD0000-0x00007FF8EAFC5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1052-103-0x00007FF8EADD0000-0x00007FF8EAFC5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1052-102-0x00007FF8EADD0000-0x00007FF8EAFC5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1052-101-0x00007FF8A85F0000-0x00007FF8A8600000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1052-99-0x00007FF8EADD0000-0x00007FF8EAFC5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1052-98-0x00007FF8EADD0000-0x00007FF8EAFC5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1052-97-0x00007FF8EADD0000-0x00007FF8EAFC5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1052-96-0x00007FF8EADD0000-0x00007FF8EAFC5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1052-95-0x00007FF8AAE50000-0x00007FF8AAE60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1052-89-0x00007FF8EADD0000-0x00007FF8EAFC5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1052-92-0x00007FF8EADD0000-0x00007FF8EAFC5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1052-91-0x00007FF8AAE50000-0x00007FF8AAE60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1052-90-0x00007FF8AAE50000-0x00007FF8AAE60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1052-93-0x00007FF8AAE50000-0x00007FF8AAE60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1052-94-0x00007FF8EADD0000-0x00007FF8EAFC5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1148-77-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1792-82-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1804-27-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1804-31-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1864-85-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2128-87-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2128-0-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2616-18-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/3548-35-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/3628-68-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/3628-64-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/3852-70-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/3852-72-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/4028-51-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/4388-48-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/4564-45-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/4912-62-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download