Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/04/2024, 01:54
Static task: static1
Behavioral task: behavioral1
  Sample: bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe
  Resource: win10v2004-20240226-en
General
Target: bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe
Size: 373KB
MD5: de5ca1c8ae8d17cdf1325a553a9ab49c
SHA1: 064e73d5bbe85f592aeb9b526c6784838c25583f
SHA256: bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63
SHA512: bbd421bd089c140d8a1b7bde2c1bbf11120e321f2a4e52382825890e198a1d0f9077a6aea0ae7ff9e2035a2adeb9433873453b57de569ca25cc09b705566ad59
SSDEEP: 6144:nvEN2U+T6i5LirrllHy4HUcMQY6nzGnEDdilYJOUYzGnEDdilYJOUd:vENN+T5xYrllrU7QY6zGnO8YJwGnO8YR
Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Executes dropped EXE (4 IoCs)
  pid | Process
  1648 | explorer.exe
  2484 | spoolsv.exe
  4112 | svchost.exe
  2204 | spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
  File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4480 | bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe
  1648 | explorer.exe
  4112 | svchost.exe
  (the 64 recorded hits are repeat occurrences of these three PIDs; after the first two hits from PID 4480, explorer.exe and svchost.exe alternate for the rest)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  1648 | explorer.exe
  4112 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | Process | hits
  4480 | bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe | 2
  1648 | explorer.exe | 4
  2484 | spoolsv.exe | 2
  4112 | svchost.exe | 2
  2204 | spoolsv.exe | 2
Suspicious use of WriteProcessMemory (21 IoCs; each relation below was recorded 3 times)
  description | pid | Process | procid_target
  PID 4480 wrote to memory of 1648 | 4480 | bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe | 86
  PID 1648 wrote to memory of 2484 | 1648 | explorer.exe | 88
  PID 2484 wrote to memory of 4112 | 2484 | spoolsv.exe | 89
  PID 4112 wrote to memory of 2204 | 4112 | svchost.exe | 90
  PID 4112 wrote to memory of 4488 | 4112 | svchost.exe | 91
  PID 4112 wrote to memory of 3436 | 4112 | svchost.exe | 103
  PID 4112 wrote to memory of 2916 | 4112 | svchost.exe | 105
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe"
  PID: 4480
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  (depth 2) \??\c:\windows\system\explorer.exe
    command line: c:\windows\system\explorer.exe
    PID: 1648
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    (depth 3) \??\c:\windows\system\spoolsv.exe
      command line: c:\windows\system\spoolsv.exe SE
      PID: 2484
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      (depth 4) \??\c:\windows\system\svchost.exe
        command line: c:\windows\system\svchost.exe
        PID: 4112
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        (depth 5) \??\c:\windows\system\spoolsv.exe
          command line: c:\windows\system\spoolsv.exe PR
          PID: 2204
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        (depth 5) C:\Windows\SysWOW64\at.exe
          command line: at 01:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 4488
        (depth 5) C:\Windows\SysWOW64\at.exe
          command line: at 01:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 3436
        (depth 5) C:\Windows\SysWOW64\at.exe
          command line: at 01:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 2916
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Downloads