Analysis
max time kernel: 150s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/04/2024, 23:16

Static task: static1

Behavioral task: behavioral1
  Sample: 8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe
  Resource: win10v2004-20240226-en
General
Target: 8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe
Size: 3.9MB
MD5: e50f625af23074889460dc76e73f9c40
SHA1: ca3f32c8bce1f7b1b8f36e03928feed509ec8e97
SHA256: 8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b
SHA512: b3f3136921db681633b6ab7e09cd11de39bdd30959e32b2751d4a175edb42fb154c0e1a41e0c9c3ba158192a7571807a6bfd1bfab344ec67f73501fd91b591d7
SSDEEP: 98304:RSptXL6pUrrW1FpuvDcX9Gdsd/DQ1C75vLpve:4tbIOebX9GqBU05zpG
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe

Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe

Executes dropped EXE (4 IoCs)
pid | Process
1992 | explorer.exe
2280 | spoolsv.exe
1416 | svchost.exe
3996 | spoolsv.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs; repeated pid/Process rows collapsed)
pid | Process
380 | 8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe
1992 | explorer.exe
2280 | spoolsv.exe
1416 | svchost.exe
3996 | spoolsv.exe

Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\system\explorer.exe | 8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated pid/Process rows collapsed)
pid | Process
380 | 8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe
1992 | explorer.exe
1416 | svchost.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
1992 | explorer.exe
1416 | svchost.exe

Suspicious use of SetWindowsHookEx (22 IoCs; repeated pid/Process rows collapsed)
pid | Process
380 | 8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe
1992 | explorer.exe
2280 | spoolsv.exe
1416 | svchost.exe
3996 | spoolsv.exe

Suspicious use of WriteProcessMemory (21 IoCs; repeated rows collapsed)
description | pid | Process | procid_target
PID 380 wrote to memory of 1992 | 380 | 8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe | 86
PID 1992 wrote to memory of 2280 | 1992 | explorer.exe | 88
PID 2280 wrote to memory of 1416 | 2280 | spoolsv.exe | 89
PID 1416 wrote to memory of 3996 | 1416 | svchost.exe | 90
PID 1416 wrote to memory of 2524 | 1416 | svchost.exe | 91
PID 1416 wrote to memory of 628 | 1416 | svchost.exe | 101
PID 1416 wrote to memory of 4780 | 1416 | svchost.exe | 103
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8e20ced4ef597ed583128275717ee2ca42d7d80814f3dc032c775f589b07674b.exe"
  PID: 380
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Level 2: \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    PID: 1992
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    Level 3: \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      PID: 2280
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      Level 4: \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        PID: 1416
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        Level 5: \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          PID: 3996
          - Executes dropped EXE
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetWindowsHookEx

        Level 5: C:\Windows\SysWOW64\at.exe
          Command line: at 23:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2524

        Level 5: C:\Windows\SysWOW64\at.exe
          Command line: at 23:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 628

        Level 5: C:\Windows\SysWOW64\at.exe
          Command line: at 23:20 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 4780
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads