Analysis

  • max time kernel
    150s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/04/2024, 05:27

General

  • Target

    fbff7ade992382218f027c524eadcc08c0c2f9d1540e1104bfc52df7ef777e49.exe

  • Size

    211KB

  • MD5

    123595dbb144cdf5b16c0ca6fd605a8e

  • SHA1

    a0fbaefdc45c4998df189ff1ed8a1275dcf9340a

  • SHA256

    fbff7ade992382218f027c524eadcc08c0c2f9d1540e1104bfc52df7ef777e49

  • SHA512

    fb28bc28928222771919925e9549e4f7f92deda86ee9bb185cd6f6afe3576f7d9cd013bebc0b4dca7307e4414981dabc9abb8d4ed1328ed3eec5246a023d6f3c

  • SSDEEP

    3072:WD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqOQ:Wh8cBzHLRMpZ4d1ZQ

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fbff7ade992382218f027c524eadcc08c0c2f9d1540e1104bfc52df7ef777e49.exe
    "C:\Users\Admin\AppData\Local\Temp\fbff7ade992382218f027c524eadcc08c0c2f9d1540e1104bfc52df7ef777e49.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2872
    • \??\c:\windows\userinit.exe
      c:\windows\userinit.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2756
      • \??\c:\windows\spoolsw.exe
        c:\windows\spoolsw.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2620
        • \??\c:\windows\swchost.exe
          c:\windows\swchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2468
          • \??\c:\windows\spoolsw.exe
            c:\windows\spoolsw.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2464

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\mrsys.exe

    Filesize

    211KB

    MD5

    a6a670dc18cd7213f5ead6bdc3949c03

    SHA1

    90246d7250ad4d9e1d2baf8c19163a204a27e97d

    SHA256

    4c012330b4a9174ee19b8afe7e76ce699123a60328e540a76628b9a536ec88d8

    SHA512

    cd75445efa9b8107a9b8013d43bf13b099914b9069a3b5fb0da989ba1982fe566d495707625b6e96a56a514ccc18353ebb2748420165c65cc17fa99e71630ad2

  • C:\Windows\spoolsw.exe

    Filesize

    211KB

    MD5

    86670e4945274046a8d87c31df9be783

    SHA1

    7f44b4460d0b9acbe405ff199108c1809f633830

    SHA256

    cd1299a5b6bcb84d9a86d953818f508fb9612f29a60f152db8cf298dd27b9ed1

    SHA512

    224b1ea821f217f71e631e7df9497712f83cd3dcce1953a5dd5714365318f8926fe4dc9d5ed92d8dea05c79e9ea7b9891067bff9cd6599ea44f4f0d5ed21818e

  • C:\Windows\swchost.exe

    Filesize

    211KB

    MD5

    479532a7cd023aeefd57319658e517e7

    SHA1

    bad0d6a61473688c350f39aadbbb990f653985d8

    SHA256

    b850f43736939418b2aa04ecdc8a2652f3f3aae56b20c89bf214022f9410338f

    SHA512

    890d65bf8b349f35c51690f7bdd157b48a03261e447ed5b9dd53a75ea6475206db8a1075d46a1cb26f773632127e954428c48cb14418d2b897337780fcf4687d

  • C:\Windows\userinit.exe

    Filesize

    211KB

    MD5

    75bbf0c5144a034bbd7e3c0be2347236

    SHA1

    1f3de10ee8794cf1765d60b5537f5a3ae3703471

    SHA256

    749a20ad4b3017b3fc007b6878277ef1bacc300f88a903878867d78156cbffca

    SHA512

    574442b8322a0f8c36e9e160a697d4c0a7b143732a289c9d5dd205045241f8d0ecb646fc52bc16fdb9dd09889e29582e02d2b61e7add0c557db4dadedb6ba6e0

  • memory/2464-41-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2464-47-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2620-34-0x0000000001E60000-0x0000000001E90000-memory.dmp

    Filesize

    192KB

  • memory/2620-48-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2756-23-0x0000000000760000-0x0000000000790000-memory.dmp

    Filesize

    192KB

  • memory/2872-0-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2872-11-0x00000000026A0000-0x00000000026D0000-memory.dmp

    Filesize

    192KB

  • memory/2872-49-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB