Analysis

  • max time kernel
    153s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/05/2024, 22:01

General

  • Target

    5a9ed0a1961bb5d5919b06b32659a023fcfe5a4f08c5aecbd42f52a924d54d68.exe

  • Size

    211KB

  • MD5

    7e500640e10c71bea60fce063a52b151

  • SHA1

    9856d7b0f806109275fc4bc159fd8528254bfa5b

  • SHA256

    5a9ed0a1961bb5d5919b06b32659a023fcfe5a4f08c5aecbd42f52a924d54d68

  • SHA512

    852036fee52d251bb13d96d57dfdbe94c830f1afcd86b5226124e93c94664896688597ebe536e3fc69bd51d84598e9c7d57f8f11820e04ce2c606e1e99a7924c

  • SSDEEP

    3072:JD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqO/:Jh8cBzHLRMpZ4d1Z/

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5a9ed0a1961bb5d5919b06b32659a023fcfe5a4f08c5aecbd42f52a924d54d68.exe
    "C:\Users\Admin\AppData\Local\Temp\5a9ed0a1961bb5d5919b06b32659a023fcfe5a4f08c5aecbd42f52a924d54d68.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1844
    • \??\c:\windows\userinit.exe
      c:\windows\userinit.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5112
      • \??\c:\windows\spoolsw.exe
        c:\windows\spoolsw.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3452
        • \??\c:\windows\swchost.exe
          c:\windows\swchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4460
          • \??\c:\windows\spoolsw.exe
            c:\windows\spoolsw.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3688
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2532

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\mrsys.exe
    Filesize
    211KB
    MD5
    29f12849eeaab3103d204a9ca6c3daf3
    SHA1
    a721ce5d20c0f38a3a414dd632249f6757ab3803
    SHA256
    c4e2fb202ff235307c0bdcf3ef923717ff3519adf50f7ea784e00222c05c81ee
    SHA512
    b4c29662b65fb69ee4a524b071950028620245bc9eb51b53b3e8d3f314569c552c940aa375fca1bf212cd76a18a3d431ba8c8ad41a876792edc118a635091879

  • C:\Windows\spoolsw.exe
    Filesize
    211KB
    MD5
    33aee7e197e909a407deb94ad76639b5
    SHA1
    7d6738f8f48aca293c99aef7a3a375ecc39aea2b
    SHA256
    0824cee5935ed71e6eeaad8e475ee7fe8644ab55bcbc95324ab8169fb8601256
    SHA512
    8dd4b11864bbbda86e8fc3eecf6c5179750699b07adad89d80974d55ce3a097993af6f532ec102152f24397359347a2ce5445a1c84920939bc1789dc726215fd

  • C:\Windows\swchost.exe
    Filesize
    211KB
    MD5
    af694ac3ff54630132715a00dc132c4a
    SHA1
    1b16c1a4c609eaa0732964b670561a116fd8155d
    SHA256
    09d52b871d8390bd90491e508f47a938ae4a57a0ba13157797b45e31285ef5ff
    SHA512
    30c3ee7e6198e959051c48dd22b750207042e50a6a85aa8ac36ea59ef7208b491db1cc2fc51edf494a3baf967e90a296935d3721c0669b14a868c89daedec185

  • C:\Windows\userinit.exe
    Filesize
    211KB
    MD5
    d8f375e6506b3a250f2a2a130fc5462c
    SHA1
    cbc77031ae3f7b9cf59d61954ed4286b23e2615b
    SHA256
    3acb0b5bcbff0c80c4b1b490b2cc590b9d936de00a3d1b8f7f1caa59be779a60
    SHA512
    6251dce4fa6721d7c1e740aa273c07758f5337f9f41e0fc76a86d1d017f760399f08b4c7e4e1aff0b44494488ae451abfbe1cbe04604c10a7133d2cb4fba7357