Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

003dd6fec0...76.exe

windows7-x64

10

003dd6fec0...76.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/05/2024, 20:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    003dd6fec0a0beb289d7d5ab5db1a7be0e5d817e884949cc83e37070bd813b76.exe

  • Size

    69KB

  • MD5

    4b2749d64840214a4436e83243e44a37

  • SHA1

    a3c12a438c10a6918114ee780ff28d586d5e856e

  • SHA256

    003dd6fec0a0beb289d7d5ab5db1a7be0e5d817e884949cc83e37070bd813b76

  • SHA512

    15ff28f2fc3927679dfa71b3a347f4c06599616301679fe5220975c9530fdd2c2acbc92cd0d810d1f22dfefd67cbad38202a5c4e41696b40ecc1c472d1cc135d

  • SSDEEP

    1536:EJrFDMRyriCY/qXfatMp4Q2V6fIMxIpLw:0F8dCY85TE6fIMSRw

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\003dd6fec0a0beb289d7d5ab5db1a7be0e5d817e884949cc83e37070bd813b76.exe
    "C:\Users\Admin\AppData\Local\Temp\003dd6fec0a0beb289d7d5ab5db1a7be0e5d817e884949cc83e37070bd813b76.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:116
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:996
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1216
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4200
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1336
          • C:\Windows\SysWOW64\at.exe
            at 20:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:4772
            • C:\Windows\SysWOW64\at.exe
              at 20:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:2536
              • C:\Windows\SysWOW64\at.exe
                at 20:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:2208

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          69KB

          MD5

          e9cbf86f2483e7b002e4092fc9bf1da4

          SHA1

          e2d73bb6fa83a685582d651b6ee6bdf0e497ea85

          SHA256

          fc47e525e2fefdc299276b22e64e746dfcee52f363a36f760011900430c637bf

          SHA512

          e81b5d2c8e9b89c65ce8b94528c7f4c594d4cf1f74788e137792779c22b93d866d61b056a2d43a6d9cf8ad2580f1d3502fed733f953b8ca1a5a32275f5296cba

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          69KB

          MD5

          3313ce16f04ff2e1531deb7aeace31d0

          SHA1

          8686a45b35da384c2d10df9a82e38746356a5acd

          SHA256

          aaf0992f5d1e961f0fdd92f44582c24ec251e13f044e8fc1e71c02ba9a982e90

          SHA512

          fa13c634dbfcdad50e76b14a2b9ab3b6c8d9b1f56af94b3b09dded7d19bcf85ada118c316a2a460ed7937e6efb908140cf5e66d6bacdd72e0600b11f3a900811

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          69KB

          MD5

          2da3d97c3ec52f346fbcf3b9b2586779

          SHA1

          1a3a73e607f33eb74386d8bb3946f712575ad4d2

          SHA256

          9a8408e76f7ba7356515739140cf384144fd229e117756ec631e4a88ec361adc

          SHA512

          524bd041bc977ac2ee75cd9923f27b5ab2655370232b15f0cf927156aa164fabd6a2c1dd1d769bb9d7e43e317bc2c6df28111dd754507565b28c653191dd763d

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          70KB

          MD5

          7da7dde3b1bdf3c36f5c3a8cd2a5484a

          SHA1

          8801b763d4cc6c70e3e9766b4e12730150523b43

          SHA256

          4f4ec9aa9548763da1ac509e7cb4409fdb5597520c92d6761709f472b1734dcb

          SHA512

          b6258cc2393b7d7ad1f1d3d692b7b32169105ee804b7938416219010e095ed78ab821dfa4ee5c8327eca73cbedd3bfb3e854e5719e85a02dbbfd53a1a32d410f

          Download Submit

        • memory/116-0-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/116-40-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/996-42-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/996-52-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1216-38-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1336-36-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/4200-25-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/4200-43-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download