Analysis

- max time kernel: 150s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/03/2024, 00:37
Static task: static1

Behavioral task: behavioral1
- Sample: b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
- Resource: win10v2004-20240226-en
General

- Target: b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
- Size: 206KB
- MD5: cc46def2c67d319aec841722dff26c03
- SHA1: dcc8f27c4fd27152172ff2bedba3ea5c552248a9
- SHA256: b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f
- SHA512: a4e08a42cdf1570c4ac16c890bb9c6272b48f0f10126dc566aa715d7400c71e975adc7b5447afa51f1dcd47a6781b3962c56cc80e587ef90c481b5f95a311b03
- SSDEEP: 1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJds:/VqoCl/YgjxEufVU0TbTyDDalbs
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
- svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Executes dropped EXE (4 IoCs)
- PID 64: explorer.exe
- PID 3352: spoolsv.exe
- PID 2040: svchost.exe
- PID 2660: spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"
Drops file in System32 directory (2 IoCs)
- explorer.exe: File opened for modification C:\Windows\SysWOW64\explorer.exe
- svchost.exe: File opened for modification C:\Windows\SysWOW64\explorer.exe
Drops file in Windows directory (4 IoCs)
- spoolsv.exe: File opened for modification \??\c:\windows\resources\svchost.exe
- explorer.exe: File opened for modification C:\Windows\Resources\tjud.exe
- b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe: File opened for modification \??\c:\windows\resources\themes\explorer.exe
- explorer.exe: File opened for modification \??\c:\windows\resources\spoolsv.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 1516: b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe (repeated entries, one per enumeration call)
- PID 64: explorer.exe (repeated entries, one per enumeration call)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 64: explorer.exe
- PID 2040: svchost.exe
Suspicious use of SetWindowsHookEx (10 IoCs)
- PID 1516: b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe (2 entries)
- PID 64: explorer.exe (2 entries)
- PID 3352: spoolsv.exe (2 entries)
- PID 2040: svchost.exe (2 entries)
- PID 2660: spoolsv.exe (2 entries)
Suspicious use of WriteProcessMemory (12 IoCs, each pair recorded 3 times)
- PID 1516 (b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe) wrote to memory of PID 64 (explorer.exe), procid_target 88
- PID 64 (explorer.exe) wrote to memory of PID 3352 (spoolsv.exe), procid_target 90
- PID 3352 (spoolsv.exe) wrote to memory of PID 2040 (svchost.exe), procid_target 91
- PID 2040 (svchost.exe) wrote to memory of PID 2660 (spoolsv.exe), procid_target 93
Processes

C:\Users\Admin\AppData\Local\Temp\b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b61470a1038947af79e297fe6cc8254073ebac72f5bec5785e458bbb1197d15f.exe"
  PID: 1516
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\resources\themes\explorer.exe
    command line: c:\windows\resources\themes\explorer.exe
    PID: 64 (child of 1516)
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\resources\spoolsv.exe
      command line: c:\windows\resources\spoolsv.exe SE
      PID: 3352 (child of 64)
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\resources\svchost.exe
        command line: c:\windows\resources\svchost.exe
        PID: 2040 (child of 3352)
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\resources\spoolsv.exe
          command line: c:\windows\resources\spoolsv.exe PR
          PID: 2660 (child of 2040)
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
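The registry, file and WriteProcessMemory entries above are flat lists of IoCs. The following added example (not part of the Triage report and not code from the sample) turns them into an offline matcher a responder could run over exported events: it flags RunOnce values whose command points into C:\Windows\Resources, ShowSuperHidden being set to 0, executables dropped under that directory (with those named after system binaries reported separately), and rebuilds the parent-child chain from the cross-process write pairs. The Event schema, the rule names, the constructed event list and the benign msiexec.exe control record are assumptions; the paths and values in the constructed events are copied from the report.

```python
"""Offline matcher for the behavioural IoCs in the Signatures section.

Added example, not part of the Triage report or the sample. The Event
fields are an assumed schema, not a real sandbox or EDR export format;
SAMPLE_EVENTS and SAMPLE_WRITES are constructed to mirror the report.
"""
import re
from dataclasses import dataclass

# Key paths and the drop location are taken from the report. Triage prints
# registry data with doubled backslashes; the constructed events use single ones.
RUNONCE_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\[^\\]+$", re.IGNORECASE)
SHOWSUPERHIDDEN_RE = re.compile(
    r"\\Explorer\\Advanced\\ShowSuperHidden$", re.IGNORECASE)
RESOURCES_RE = re.compile(
    r"^(?:\\\?\?\\)?c:\\windows\\resources\\", re.IGNORECASE)
# The dropped files reuse the names of legitimate Windows binaries.
LOLBIN_NAMES = {"explorer.exe", "svchost.exe", "spoolsv.exe"}


@dataclass(frozen=True)
class Event:
    kind: str        # "reg_set" or "file_write" (assumed schema)
    process: str     # image name of the writing process
    path: str        # registry value path or file path
    value: str = ""  # registry data as a string; empty for file events


def find_hits(events):
    """Return (rule, process, path) for every event that matches a report IoC."""
    hits = []
    for ev in events:
        if ev.kind == "reg_set" and RUNONCE_RE.search(ev.path):
            # Persistence: RunOnce command that lives under C:\Windows\Resources.
            cmd = ev.value.strip('"').split(" ", 1)[0]
            if RESOURCES_RE.match(cmd):
                hits.append(("runonce_in_resources", ev.process, ev.path))
        elif ev.kind == "reg_set" and SHOWSUPERHIDDEN_RE.search(ev.path):
            # Defence evasion: ShowSuperHidden=0 re-hides protected OS files.
            if ev.value == "0":
                hits.append(("hide_system_files", ev.process, ev.path))
        elif ev.kind == "file_write" and RESOURCES_RE.match(ev.path):
            name = ev.path.rsplit("\\", 1)[-1].lower()
            if name in LOLBIN_NAMES:
                hits.append(("lolbin_name_in_resources", ev.process, ev.path))
            elif name.endswith(".exe"):
                hits.append(("exe_dropped_in_resources", ev.process, ev.path))
    return hits


def process_chain(writes):
    """Order (writer_pid, target_pid) pairs into a single chain.

    Triage logs one entry per WriteProcessMemory call, so a pair repeats;
    only the first target recorded for each writer is kept.
    """
    first_target = {}
    for src, dst in writes:
        first_target.setdefault(src, dst)
    roots = set(first_target) - set(first_target.values())
    if len(roots) != 1:
        raise ValueError("expected one root process, got %r" % sorted(roots))
    chain = [roots.pop()]
    while chain[-1] in first_target:
        chain.append(first_target[chain[-1]])
    return chain


# Constructed events mirroring the report (paths/values copied from it).
SAMPLE_EVENTS = [
    Event("reg_set", "explorer.exe",
          r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost",
          r"c:\windows\resources\svchost.exe RO"),
    Event("reg_set", "svchost.exe",
          r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer",
          r"c:\windows\resources\themes\explorer.exe RO"),
    Event("reg_set", "explorer.exe",
          r"\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
          "0"),
    Event("file_write", "spoolsv.exe", r"\??\c:\windows\resources\svchost.exe"),
    Event("file_write", "explorer.exe", r"C:\Windows\Resources\tjud.exe"),
    # Assumed benign control: a RunOnce entry pointing outside the drop directory.
    Event("reg_set", "msiexec.exe",
          r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup",
          r"C:\Program Files\Vendor\setup.exe /finish"),
]
# Each pair appears three times in the report, as it does here.
SAMPLE_WRITES = ([(1516, 64)] * 3 + [(64, 3352)] * 3
                 + [(3352, 2040)] * 3 + [(2040, 2660)] * 3)

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(hit)
    print(" -> ".join(str(pid) for pid in process_chain(SAMPLE_WRITES)))
```

Matching on the RunOnce command target rather than on the value name matters here: the value names (Svchost, Explorer) look legitimate and the binaries are named after real system executables, so the only reliable signal is the C:\Windows\Resources location, which is a themes directory that should never hold executables.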
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 206KB
  MD5: aabd7896ad61853c22a51aefcb0a411c
  SHA1: 26558aa496b5f92622e8769d29f0ed2f046d4ba4
  SHA256: dd5252b3f267ee3fc15d8a713bedde346201cb8e23d1826a0ccf81e7b67040fa
  SHA512: 016703213ce768e96d09badeeac62a1e52d223ad426f1d98b990e930d076081d658807afa5656b2ef24a9d57fa64d203027d9b81d9f612d0921715af1972d413

- Filesize: 207KB
  MD5: c495e1da8769ebc51f765d9aa9df04e0
  SHA1: 92433b3721db7dd43d15f0cfa94b36cd661c015f
  SHA256: 2984bef1cfbe2451309f34f880c4ef759453cf10c77978a58c5a8c44dbbb47f5
  SHA512: d8ad4b092d1536e2ff0961749023be4afe356bc1b3797e87a73c0495d2c01efaf29b9c1c62b4a0a657d84cf79e0f573f24d996bc7ddafae8802527907795f83c

- Filesize: 206KB
  MD5: fca30bfe7c5e3b55269ff6bce89299e2
  SHA1: b96bd150b6afecf44cf2d9aad1162447968989c6
  SHA256: 90a4affcdc84df2b5c37a19d9716e4562bb8cca566c0289bac6a4aad66b6e737
  SHA512: f4d86eaae898130de45dae6a581740adf93413a96c54be3a1e77eb3027a9c7e961d7f430771c18add298e94540122eef33349c516489f5fbaad30ca2fb656dc7

All three dropped files are within a kilobyte of the 206KB submitted sample yet carry different hashes from it and from each other, so blocking on the original sample's hashes alone will not catch the files it leaves under C:\Windows\Resources.