Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/04/2024, 21:09

General

  • Target

    4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe

  • Size

    206KB

  • MD5

    9a1e5dd8c4198a78bfa202fe081634bd

  • SHA1

    509363381c10aae1eb77dd784052bf6f3e19c796

  • SHA256

    4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa

  • SHA512

    bfa82be9b7a9fb2de057c81616d08d3a4c76e5824dc1f2bcb7f13167b5f06330d47303878c51c2d85ec1275932a8f0b2c6e4eed4fb4dace10112cebb8cea51ed

  • SSDEEP

    1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdVW:/VqoCl/YgjxEufVU0TbTyDDalbVW

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe
    "C:\Users\Admin\AppData\Local\Temp\4e25eb762b557abb1072eefa7b2f3f112b2aae75fbd7b2b4e34288783760e1fa.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1512
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3404
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3400
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5096
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4948

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    206KB

    MD5

    5d0efbafff81c09eb30069700f02bfb7

    SHA1

    917b14b656dca6efac6e091cb7782188a6098510

    SHA256

    51197041bc919ce09475a9558c9e1b75f51ccfe9f54c1226c4c1be2ceb181a07

    SHA512

    78b059b521ee290165f823a9be44e741f7d9e1139490d2d840922748e08b9d3650a85b0302469b775158a4bb6c8fee77715ea4ede9c433bcb9175e09ffa6c8a5

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    206KB

    MD5

    e02ec7b02e6bef04f2adf799415dca7c

    SHA1

    afc1ffa763adac63c95407fac1f799f37656813e

    SHA256

    fd62ee9a2880ea643997fb9b0d783564f3a12cf2e477d084ab2f07d38a47d26e

    SHA512

    c937a4321b4c4cd6cadf3755ea8d15b4a4a94260ae38870af904d9bfdb036b10ed7af67a72ce3dff0df75e2d9d5f314ecbe9bcf83be89e27f6764615d00d5bc0

  • C:\Windows\Resources\svchost.exe

    Filesize

    207KB

    MD5

    60e49ce3fe5156206116aba68b2cadbe

    SHA1

    8dc15766fa087cff3f24eadebb9e0c3bc25d9ce0

    SHA256

    ee9f192857f40f6aaa97bce60c1253b733833fe5bbec89810b400e39cc0d48d7

    SHA512

    f86cedb832fc351b09aa86d206deb22d170df74565c91ff0afbf52bec244c563303ef0ba630f1f8969de8be913570bb5b77385f39469d702ac50b1e7e79539cb

  • memory/1512-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1512-34-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3400-33-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4948-32-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB