Analysis

  • max time kernel
    150s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/03/2024, 00:37

General

  • Target

    b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe

  • Size

    206KB

  • MD5

    cc46def2c67d319aec841722dff26c03

  • SHA1

    dcc8f27c4fd27152172ff2bedba3ea5c552248a9

  • SHA256

    b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f

  • SHA512

    a4e08a42cdf1570c4ac16c890bb9c6272b48f0f10126dc566aa715d7400c71e975adc7b5447afa51f1dcd47a6781b3962c56cc80e587ef90c481b5f95a311b03

  • SSDEEP

    1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJds:/VqoCl/YgjxEufVU0TbTyDDalbs

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
    "C:\Users\Admin\AppData\Local\Temp\b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1516
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:64
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3352
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2040
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2660

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    206KB

    MD5

    aabd7896ad61853c22a51aefcb0a411c

    SHA1

    26558aa496b5f92622e8769d29f0ed2f046d4ba4

    SHA256

    dd5252b3f267ee3fc15d8a713bedde346201cb8e23d1826a0ccf81e7b67040fa

    SHA512

    016703213ce768e96d09badeeac62a1e52d223ad426f1d98b990e930d076081d658807afa5656b2ef24a9d57fa64d203027d9b81d9f612d0921715af1972d413

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    207KB

    MD5

    c495e1da8769ebc51f765d9aa9df04e0

    SHA1

    92433b3721db7dd43d15f0cfa94b36cd661c015f

    SHA256

    2984bef1cfbe2451309f34f880c4ef759453cf10c77978a58c5a8c44dbbb47f5

    SHA512

    d8ad4b092d1536e2ff0961749023be4afe356bc1b3797e87a73c0495d2c01efaf29b9c1c62b4a0a657d84cf79e0f573f24d996bc7ddafae8802527907795f83c

  • C:\Windows\Resources\svchost.exe

    Filesize

    206KB

    MD5

    fca30bfe7c5e3b55269ff6bce89299e2

    SHA1

    b96bd150b6afecf44cf2d9aad1162447968989c6

    SHA256

    90a4affcdc84df2b5c37a19d9716e4562bb8cca566c0289bac6a4aad66b6e737

    SHA512

    f4d86eaae898130de45dae6a581740adf93413a96c54be3a1e77eb3027a9c7e961d7f430771c18add298e94540122eef33349c516489f5fbaad30ca2fb656dc7

  • memory/1516-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1516-34-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2660-32-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3352-33-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB