Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/04/2024, 01:54

General

  • Target

    bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe

  • Size

    373KB

  • MD5

    de5ca1c8ae8d17cdf1325a553a9ab49c

  • SHA1

    064e73d5bbe85f592aeb9b526c6784838c25583f

  • SHA256

    bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63

  • SHA512

    bbd421bd089c140d8a1b7bde2c1bbf11120e321f2a4e52382825890e198a1d0f9077a6aea0ae7ff9e2035a2adeb9433873453b57de569ca25cc09b705566ad59

  • SSDEEP

    6144:nvEN2U+T6i5LirrllHy4HUcMQY6nzGnEDdilYJOUYzGnEDdilYJOUd:vENN+T5xYrllrU7QY6zGnO8YJwGnO8YR

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe
    "C:\Users\Admin\AppData\Local\Temp\bed5b3fc5d66e195ac8439c9101cda240bae9037b073d8790b2bb1944fc20d63.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4480
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1648
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2484
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4112
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2204
          • C:\Windows\SysWOW64\at.exe
            at 01:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:4488
            • C:\Windows\SysWOW64\at.exe
              at 01:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:3436
              • C:\Windows\SysWOW64\at.exe
                at 01:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:2916

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe

          Filesize

          373KB

          MD5

          4586a205925089ae2e25dbb59fad0119

          SHA1

          542e238fdf21ebb05b5dbfa723fd74cce7df3389

          SHA256

          6d1a1a01a71fa6a910556b9bdd6746988c0f76ca76c1aa50fc5052d38db8510a

          SHA512

          6f0b5d4bf32a35e39cb3999133192749ae862a80226df8ad2ef0c586adc5e7103e2e8bc98670e83173b288a63fb55ac4e2d683f9911e92a5d6e489ae7d870890

        • C:\Windows\System\explorer.exe

          Filesize

          373KB

          MD5

          fcdd470e697ed925cf6a79edf1734b4f

          SHA1

          3ba0ec883b9be065694653daa4f01aa8c82a1afa

          SHA256

          52f345f4f0858e452fa98a3ea41fd8847564551ebd0b15e1d2bcbc563727fcf9

          SHA512

          e00c0a2262024981ce9b3ad8e5f34ce2367ab91a4f4c49d3dbbe98d5966cb50ff787ed2210263856ceedcbc84b522f5d4316c998202cdb2d5e60ef9589c41732

        • C:\Windows\System\spoolsv.exe

          Filesize

          373KB

          MD5

          d6bb79165da6ebaa40db91e0f86c94a9

          SHA1

          00cb1a659a7560ec96330d7a7e69fbe1e90f483f

          SHA256

          28d4285eeebb25c575a6b5abe3dd36e6f64017b8f6f631ad3ff56b39b3e06f1f

          SHA512

          85ddbabe58c80ffb69f127a7bdb418ec71eb001b712bb80223ed0e5a4a357ebfdef3c2b8c3da8df3115e0f472a885375baa6f9639793b1e7d80f54d9c48b60d8

        • C:\Windows\System\svchost.exe

          Filesize

          373KB

          MD5

          7fc909130286a6eb4d878c75f3b2b90e

          SHA1

          051a6aedd2beb258cc5065e44aa2484d0ddb9ac7

          SHA256

          3730744eae10702e3518ab89abba44fe54df56b36e920a075df2392bbf114e63

          SHA512

          eb94a7edf2eb74d4d75ac7334c2d6c7459f747006fe57bd348b143d3bc7440a13d8f23575a8be719f4e9a1df54c0aa60d83fc0c245ca6c42b9b17c41987f78bf