Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/03/2024, 00:35

General

  • Target

    d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe

  • Size

    206KB

  • MD5

    9f9eb1d413db97ce17f5e0719de171ed

  • SHA1

    dcd68fc17e73f37becb6671a7dd79d896cb647ea

  • SHA256

    d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314

  • SHA512

    3cd82e449c02b7ca181efe68e6d7a3e271ef00dceb44b83280ef3f61b22ea9c85ddb5f82e222be35a0f2e1b1300fe7609728bea69e745f2cc71aac08c59e44a6

  • SSDEEP

    1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJd9:/VqoCl/YgjxEufVU0TbTyDDalb9

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe
    "C:\Users\Admin\AppData\Local\Temp\d44d9ceb2fade1d8df84bd7bf57e5b79425c306b49bc55e74c73f849bdc2c314.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:448
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2020
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4576
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4336
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4436

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    206KB

    MD5

    2593f3e0e428d23dbfcb063110ee903e

    SHA1

    34b4c061d70e6e6b0b9b0752ac7964a2fcc29a08

    SHA256

    4c430e4ee80e56aacc402678063ab915da93a92e6807d1633f5d00ad81c1bbdb

    SHA512

    54e8dc69f247d1ba4c7a5250b2a644a9c9ce040d12c0d86084cd4c53481fdea9a21fa8878868158a48fc1c1e7d2c8552544b06f6e2ab36c9a7b7e85bfb7deecb

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    206KB

    MD5

    7270423292f958a636aac2aa5580179f

    SHA1

    4874c715f8211b0c128da1f7ccea3b17c80bc113

    SHA256

    cb15dbc6ed039e3080c98765c5a67392b36be2cc556c8f2056797a04a51a53e7

    SHA512

    f1fd5b1ab22adfe0cbb2e976c758068d2bc94bc2e54700c224bf5d01f1016c8c0a6f803db290c15ea26cf0859eab78c236197d90f4074ff2e8d1b550d3aca22f

  • C:\Windows\Resources\svchost.exe

    Filesize

    206KB

    MD5

    91afb6ab0b50b4a8d2daa5010a389790

    SHA1

    7c4116708931a006181d61bb8af87dd96b435fc3

    SHA256

    5277d9df9efc9039c0f80af2a15cd64b97860fee21b5dde467fa10bbecde8cb2

    SHA512

    3f95c486c58c424a12bc1cf66aed43116459266f31706c5d9a773e4daac9a2fef79a58bb72653d91f018267fec49ee18633ab40812c8efefff0a8e5fc2a6ba3a

  • memory/448-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/448-34-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4436-32-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4576-33-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB