Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/04/2024, 21:09
Static task: static1
Behavioral task: behavioral1
  Sample: 4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
  Resource: win10v2004-20240412-en
General
Target: 4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
Size: 206KB
MD5: 9a1e5dd8c4198a78bfa202fe081634bd
SHA1: 509363381c10aae1eb77dd784052bf6f3e19c796
SHA256: 4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa
SHA512: bfa82be9b7a9fb2de057c81616d08d3a4c76e5824dc1f2bcb7f13167b5f06330d47303878c51c2d85ec1275932a8f0b2c6e4eed4fb4dace10112cebb8cea51ed
SSDEEP: 1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdVW:/VqoCl/YgjxEufVU0TbTyDDalbVW
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Note: ShowSuperHidden = 0 ("hide protected operating system files") is also the Windows default, so the value alone is not an indicator; the signal is that two dropped binaries write it.
Executes dropped EXE (4 IoCs)
pid | Process
3404 | explorer.exe
3400 | spoolsv.exe
5096 | svchost.exe
4948 | spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Note: the keys land under WOW6432Node because the writer is a 32-bit process on x64 (see resource tags); RunOnce entries are consumed at the next logon, and both the explorer.exe and svchost.exe copies rewrite them.
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | 4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1512 | 4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe (34 entries)
3404 | explorer.exe (30 entries)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
3404 | explorer.exe
5096 | svchost.exe
Suspicious use of SetWindowsHookEx (10 IoCs)
pid | Process
1512 | 4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe (2 entries)
3404 | explorer.exe (2 entries)
3400 | spoolsv.exe (2 entries)
5096 | svchost.exe (2 entries)
4948 | spoolsv.exe (2 entries)
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 1512 wrote to memory of 3404 | 1512 | 4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe | 85 (3 entries)
PID 3404 wrote to memory of 3400 | 3404 | explorer.exe | 87 (3 entries)
PID 3400 wrote to memory of 5096 | 3400 | spoolsv.exe | 88 (3 entries)
PID 5096 wrote to memory of 4948 | 5096 | svchost.exe | 89 (3 entries)
Note: every write targets the child that the same process spawns in the tree below; there are no writes into unrelated processes.
Processes
C:\Users\Admin\AppData\Local\Temp\4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe (PID 1512)
  command line: "C:\Users\Admin\AppData\Local\Temp\4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\resources\themes\explorer.exe (PID 3404)
    command line: c:\windows\resources\themes\explorer.exe
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\windows\resources\spoolsv.exe (PID 3400)
      command line: c:\windows\resources\spoolsv.exe SE
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\resources\svchost.exe (PID 5096)
        command line: c:\windows\resources\svchost.exe
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\resources\spoolsv.exe (PID 4948)
          command line: c:\windows\resources\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
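The registry, file and process artifacts recorded above translate directly into a host check. The script below is an added example, not part of the Triage report and not from the sample's author; it assumes an elevated PowerShell session on a Windows host (reading other users' hives under HKEY_USERS and process command lines needs it). File paths, value names and hashes are taken from the report; the report does not say which of the three downloadable file hashes belongs to which dropped file, so a match is reported against the whole set. Two caveats from the report are built in: ShowSuperHidden = 0 is the Windows default and is only listed as informational, and C:\Windows\SysWOW64\explorer.exe exists on a clean x64 install, so that path is judged by hash and Authenticode status rather than by presence.

```powershell
# Added example: host triage for the artifacts in this report (not the report's own code).
# Run elevated. Hashes and paths come from the report; hash-to-filename mapping is unknown.

$knownSha256 = @(
    '4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa',  # submitted sample
    '51197041bc919ce09475a9558c9e1b75f51ccfe9f54c1226c4c1be2ceb181a07',  # downloadable file 1 (206KB)
    'fd62ee9a2880ea643997fb9b0d783564f3a12cf2e477d084ab2f07d38a47d26e',  # downloadable file 2 (206KB)
    'ee9f192857f40f6aaa97bce60c1253b733833fe5bbec89810b400e39cc0d48d7'   # downloadable file 3 (207KB)
)

# Paths the report shows being written. SysWOW64\explorer.exe is legitimate on x64,
# so it is only flagged on a hash match or a bad/missing signature.
$droppedPaths = @(
    "$env:SystemRoot\Resources\Themes\explorer.exe",
    "$env:SystemRoot\Resources\spoolsv.exe",
    "$env:SystemRoot\Resources\svchost.exe",
    "$env:SystemRoot\Resources\tjud.exe",
    "$env:SystemRoot\SysWOW64\explorer.exe"
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. RunOnce persistence. The report shows the WOW6432Node view; the native view is
#    checked too in case a 64-bit variant writes there.
$runOnceKeys = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runOnceKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'Explorer', 'Svchost') {
        $prop = $props.PSObject.Properties[$name]
        # Report data: "c:\windows\resources\themes\explorer.exe RO" / "c:\windows\resources\svchost.exe RO"
        if ($prop -and $prop.Value -match '\\windows\\resources\\') {
            $findings.Add("PERSISTENCE ${key}\${name} = $($prop.Value)")
        }
    }
}

# 2. ShowSuperHidden = 0 in every loaded user hive (informational: 0 is also the default).
Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object {
        $adv = "Registry::HKEY_USERS\$($_.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
        if (Test-Path $adv) {
            $v = (Get-ItemProperty -Path $adv -ErrorAction SilentlyContinue).ShowSuperHidden
            if ($v -eq 0) { $findings.Add("INFO ShowSuperHidden=0 under $($_.PSChildName)") }
        }
    }

# 3. Dropped binaries: hash against the report's set, plus Authenticode status.
foreach ($p in $droppedPaths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
    $sig  = (Get-AuthenticodeSignature -FilePath $p).Status
    if ($knownSha256 -contains $hash) {
        $findings.Add("HASH MATCH $p sha256=$hash")
    } elseif ($p -like '*\Resources\*' -or $sig -ne 'Valid') {
        # Nothing legitimate lives in %SystemRoot%\Resources as an .exe; SysWOW64\explorer.exe
        # without a valid signature is the other suspicious case.
        $findings.Add("SUSPICIOUS FILE $p sha256=$hash signature=$sig")
    }
}

# 4. Live copies. The report's chain is explorer.exe -> spoolsv.exe SE -> svchost.exe -> spoolsv.exe PR,
#    all executing from the drop directory, which no legitimate process does.
Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -like "$env:SystemRoot\Resources\*" } |
    ForEach-Object {
        $findings.Add("RUNNING PID $($_.ProcessId) ppid=$($_.ParentProcessId) $($_.ExecutablePath) cmd='$($_.CommandLine)'")
    }

if ($findings.Count -eq 0) { 'No artifacts from this report found.' } else { $findings }
```

Treat a PERSISTENCE, HASH MATCH, SUSPICIOUS FILE or RUNNING line as a positive; an INFO line on its own is not. If a RUNNING line appears, collect the process tree and the RunOnce values before killing anything, because both dropped binaries rewrite the RunOnce keys while they run and the keys are cleared by Windows at the next logon.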
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 206KB
MD5: 5d0efbafff81c09eb30069700f02bfb7
SHA1: 917b14b656dca6efac6e091cb7782188a6098510
SHA256: 51197041bc919ce09475a9558c9e1b75f51ccfe9f54c1226c4c1be2ceb181a07
SHA512: 78b059b521ee290165f823a9be44e741f7d9e1139490d2d840922748e08b9d3650a85b0302469b775158a4bb6c8fee77715ea4ede9c433bcb9175e09ffa6c8a5
File 2
Filesize: 206KB
MD5: e02ec7b02e6bef04f2adf799415dca7c
SHA1: afc1ffa763adac63c95407fac1f799f37656813e
SHA256: fd62ee9a2880ea643997fb9b0d783564f3a12cf2e477d084ab2f07d38a47d26e
SHA512: c937a4321b4c4cd6cadf3755ea8d15b4a4a94260ae38870af904d9bfdb036b10ed7af67a72ce3dff0df75e2d9d5f314ecbe9bcf83be89e27f6764615d00d5bc0
File 3
Filesize: 207KB
MD5: 60e49ce3fe5156206116aba68b2cadbe
SHA1: 8dc15766fa087cff3f24eadebb9e0c3bc25d9ce0
SHA256: ee9f192857f40f6aaa97bce60c1253b733833fe5bbec89810b400e39cc0d48d7
SHA512: f86cedb832fc351b09aa86d206deb22d170df74565c91ff0afbf52bec244c563303ef0ba630f1f8969de8be913570bb5b77385f39469d702ac50b1e7e79539cb