Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/03/2024, 00:35
Static task: static1
Behavioral task: behavioral1
  Sample: d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
  Resource: win10v2004-20240226-en
General
Target: d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
Size: 206KB
MD5: 9f9eb1d413db97ce17f5e0719de171ed
SHA1: dcd68fc17e73f37becb6671a7dd79d896cb647ea
SHA256: d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314
SHA512: 3cd82e449c02b7ca181efe68e6d7a3e271ef00dceb44b83280ef3f61b22ea9c85ddb5f82e222be35a0f2e1b1300fe7609728bea69e745f2cc71aac08c59e44a6
SSDEEP: 1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJd9:/VqoCl/YgjxEufVU0TbTyDDalb9
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Executes dropped EXE (4 IoCs)
pid | Process
2020 | explorer.exe
4576 | spoolsv.exe
4336 | svchost.exe
4436 | spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | occurrences
448 | d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe | 34
2020 | explorer.exe | 30
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2020 | explorer.exe
4336 | svchost.exe
Suspicious use of SetWindowsHookEx (10 IoCs)
pid | Process | occurrences
448 | d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe | 2
2020 | explorer.exe | 2
4576 | spoolsv.exe | 2
4336 | svchost.exe | 2
4436 | spoolsv.exe | 2
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target | occurrences
PID 448 wrote to memory of 2020 | 448 | d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe | 89 | 3
PID 2020 wrote to memory of 4576 | 2020 | explorer.exe | 91 | 3
PID 4576 wrote to memory of 4336 | 4576 | spoolsv.exe | 92 | 3
PID 4336 wrote to memory of 4436 | 4336 | svchost.exe | 93 | 3
Processes
[1] C:\Users\Admin\AppData\Local\Temp\d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 448
  [2] \??\c:\windows\resources\themes\explorer.exe
      Command line: c:\windows\resources\themes\explorer.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2020
    [3] \??\c:\windows\resources\spoolsv.exe
        Command line: c:\windows\resources\spoolsv.exe SE
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 4576
      [4] \??\c:\windows\resources\svchost.exe
          Command line: c:\windows\resources\svchost.exe
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 4336
        [5] \??\c:\windows\resources\spoolsv.exe
            Command line: c:\windows\resources\spoolsv.exe PR
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            PID: 4436
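The Signatures and Processes sections above describe one pattern from two angles: copies named after Windows system processes (explorer.exe, spoolsv.exe, svchost.exe) are dropped into c:\windows\resources\ and c:\windows\resources\themes\, registered under a WOW6432Node RunOnce key with an "RO" argument, and chained from the sample by WriteProcessMemory, while ShowSuperHidden is set to 0 so Explorer keeps protected operating-system files out of view. The script below is an added example for this report, not Triage's tooling and not anything shipped with the sample. It replays constructed records that mirror the IoCs listed above (the record fields kind/key/value/process/pid/ppid/path, the helper names, and the two benign control entries are assumptions made for the example), flags a system-binary name that is started from, or autostarted from, a directory that binary does not live in, flags the ShowSuperHidden change, and walks the parent-pid links to recover the masquerading chain. It goes slightly beyond the report in that the directory table covers both the native and WOW6432Node Run/RunOnce views and the SysWOW64 copies of the binaries.

```python
"""Added triage helper for this report (not Triage's own tooling).

Replays the Signatures/Processes behaviour above against constructed
records and flags (a) a system-binary name started from, or autostarted
from, a directory that binary does not live in and (b) ShowSuperHidden=0.
The record layout (kind/key/value/process/pid/ppid/path) is an assumption.
"""
import ntpath
import re

# Where the genuine binaries live on 64-bit Windows 10.
LEGIT_DIRS = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}
# Run / RunOnce under either the native or the WOW6432Node view.
RUN_KEY_RE = re.compile(
    r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\run(once)?\\",
    re.IGNORECASE)

def norm(path):
    """Lower-case a path and drop the NT \\??\\ prefix used in the report."""
    p = path.strip().lower()
    return p[4:] if p.startswith("\\??\\") else p

def masquerade(image):
    """(name, dir) if image is a system-binary name in the wrong directory."""
    image = norm(image)
    name, directory = ntpath.basename(image), ntpath.dirname(image)
    if name in LEGIT_DIRS and directory not in LEGIT_DIRS[name]:
        return name, directory
    return None

def check_autorun(event):
    """Flag Run/RunOnce values that launch a masquerading binary. The value
    may carry an argument ('... explorer.exe RO' above), so only the text up
    to the first .exe is treated as the image path."""
    if not RUN_KEY_RE.search(event["key"]):
        return None
    m = re.match(r'"?(.*?\.exe)', event["value"].strip(), re.IGNORECASE)
    hit = masquerade(m.group(1) if m else event["value"])
    return f"autorun {ntpath.basename(event['key'])} -> {hit[0]} in {hit[1]}" if hit else None

def check_super_hidden(event):
    """ShowSuperHidden=0 keeps protected OS files hidden in Explorer."""
    k = event["key"].lower()
    if k.endswith(r"\explorer\advanced\showsuperhidden") and str(event["value"]) == "0":
        return "ShowSuperHidden set to 0"
    return None

def check_process(event):
    hit = masquerade(event["path"])
    return f"pid {event['pid']} {hit[0]} running from {hit[1]}" if hit else None

def triage(events):
    """Run every check over every record; return findings as strings."""
    findings = []
    for e in events:
        if e["kind"] == "registry":
            for check in (check_autorun, check_super_hidden):
                hit = check(e)
                if hit:
                    findings.append(f"{e['process']}: {hit}")
        elif e["kind"] == "process":
            hit = check_process(e)
            if hit:
                findings.append(hit)
    return findings

def masquerade_chain(events, root_pid):
    """Follow ppid links down from root_pid (breadth first) and return the
    pids of masquerading descendants in spawn order."""
    procs = [e for e in events if e["kind"] == "process"]
    found, frontier = [], [root_pid]
    while frontier:
        parent = frontier.pop(0)
        for e in procs:
            if e["ppid"] == parent:
                if check_process(e):
                    found.append(e["pid"])
                frontier.append(e["pid"])
    return found

def reg(process, key, value):
    return {"kind": "registry", "process": process, "key": key, "value": value}

def proc(pid, ppid, path):
    return {"kind": "process", "pid": pid, "ppid": ppid, "path": path}

# Constructed records mirroring the IoCs above, plus two benign controls
# (a Run value and a process that point at the real C:\Windows\explorer.exe).
HKLM = r"\REGISTRY\MACHINE\SOFTWARE"
HKU = r"\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE"
RUNONCE = HKLM + r"\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
SAMPLE_EVENTS = [
    reg("explorer.exe", RUNONCE + r"\Explorer", r"c:\windows\resources\themes\explorer.exe RO"),
    reg("explorer.exe", RUNONCE + r"\Svchost", r"c:\windows\resources\svchost.exe RO"),
    reg("svchost.exe", HKU + r"\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden", "0"),
    reg("explorer.exe", HKLM + r"\Microsoft\Windows\CurrentVersion\Run\Shell", r"C:\Windows\explorer.exe"),  # control
    proc(2020, 448, r"\??\c:\windows\resources\themes\explorer.exe"),
    proc(4576, 2020, r"\??\c:\windows\resources\spoolsv.exe"),
    proc(4336, 4576, r"\??\c:\windows\resources\svchost.exe"),
    proc(4436, 4336, r"\??\c:\windows\resources\spoolsv.exe"),
    proc(1234, 1000, r"C:\Windows\explorer.exe"),  # control: the real Explorer
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
    print("masquerade chain from pid 448:", masquerade_chain(SAMPLE_EVENTS, 448))
```

Two caveats when turning this into a live-host check rather than a replay: a RunOnce value is deleted by Windows as it is consumed at next logon, so after a reboot the persistence evidence is the running process and the files under c:\windows\resources, not the key; and LEGIT_DIRS only covers the three names this sample uses, so extend it (and compare against Sysmon or EDR process-creation telemetry, which carries the full image path) before relying on it more broadly.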
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 206KB
MD5: 2593f3e0e428d23dbfcb063110ee903e
SHA1: 34b4c061d70e6e6b0b9b0752ac7964a2fcc29a08
SHA256: 4c430e4ee80e56aacc402678063ab915da93a92e6807d1633f5d00ad81c1bbdb
SHA512: 54e8dc69f247d1ba4c7a5250b2a644a9c9ce040d12c0d86084cd4c53481fdea9a21fa8878868158a48fc1c1e7d2c8552544b06f6e2ab36c9a7b7e85bfb7deecb
-
Filesize: 206KB
MD5: 7270423292f958a636aac2aa5580179f
SHA1: 4874c715f8211b0c128da1f7ccea3b17c80bc113
SHA256: cb15dbc6ed039e3080c98765c5a67392b36be2cc556c8f2056797a04a51a53e7
SHA512: f1fd5b1ab22adfe0cbb2e976c758068d2bc94bc2e54700c224bf5d01f1016c8c0a6f803db290c15ea26cf0859eab78c236197d90f4074ff2e8d1b550d3aca22f
-
Filesize: 206KB
MD5: 91afb6ab0b50b4a8d2daa5010a389790
SHA1: 7c4116708931a006181d61bb8af87dd96b435fc3
SHA256: 5277d9df9efc9039c0f80af2a15cd64b97860fee21b5dde467fa10bbecde8cb2
SHA512: 3f95c486c58c424a12bc1cf66aed43116459266f31706c5d9a773e4daac9a2fef79a58bb72653d91f018267fec49ee18633ab40812c8efefff0a8e5fc2a6ba3a