Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/04/2024, 02:58

General

  • Target

    e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe

  • Size

    206KB

  • MD5

    23b8389fd7dac23be82bc5943fd1093a

  • SHA1

    b58b4eb52b3781814d75efe07c3a940a36beab5c

  • SHA256

    e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3

  • SHA512

    791ce1a30dfa36c1b5ecb3b7f1df3bccaff675b240fc8bdaa42925fb46f9023932611323e4916a88511264b45b07cf8e8ff31c7954e5a49f61aaee8a3f2ba978

  • SSDEEP

    1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdVx:/VqoCl/YgjxEufVU0TbTyDDalbVx

Score
10/10

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe
    "C:\Users\Admin\AppData\Local\Temp\e530feb69c9a3fb9ad68ba3a9da6a4bbdb6e530e95b6a50b87cd6ca39ec61fb3.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3936
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4924
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4548
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3084
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3884

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    206KB

    MD5

    f87945abca215f35adb59ea93d5ebd1a

    SHA1

    40fc51183da678c6246bd75a41ae8d93aa70549d

    SHA256

    4e5ed638f48ce13d679b072f8936d22c1c14bc16ddd5d0eb5224dd7a890ff95d

    SHA512

    32c7b64092f99567248d792bff0f04e2f25c1e09129b830d9ef8bbdc6a0b08f68e5ca1e09d3c4bef2e551ce1f9e00f8e8b3022302922f244b73160896d2abb28

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    206KB

    MD5

    6e864cbf42bfd1a8bb26e8348bb88e74

    SHA1

    96928a70321458fe119dd1295bc0946903aea339

    SHA256

    c61a6328845a3cb15e8c64f53fd3ec9b5506e3c0b73620b417b9241d17e87b1c

    SHA512

    288351f45009bd9e91ebe2f8a7111a28b55662be1f7023e7f5e10e1601157833cdfecd2b62a6821ff456bf5e1bf165462987c19bc28f0375786e2021c16afe44

  • C:\Windows\Resources\svchost.exe

    Filesize

    206KB

    MD5

    f9a2d60a2cbb942b5d73b10df4237c8b

    SHA1

    624867df084d3d140ab989e6bdb3a74014b75a80

    SHA256

    d73be8e902dae653419776af18e8e45f322cf12eb30ca3d6e9c5f654f8da5368

    SHA512

    7c1535b11c82cc83a4cbd9c7e33bf7229b9ff05d69e37e7416818abb909bcb81765c6e0d6da0c01bb4da2bf9eb752794561b8f942d860e1af042e8a1229ea76d

  • memory/3884-33-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3936-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3936-35-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4548-18-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4548-34-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB