Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

a8cb4ee765...54.exe

windows7-x64

10

a8cb4ee765...54.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/05/2024, 01:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a8cb4ee765bf0466dd9a02dd22fc5d9a65e7250a1f924de417ab283d2a0a1054.exe

  • Size

    211KB

  • MD5

    0622dbb63e1ea9a865dcc2862318646d

  • SHA1

    c9bf1ea146228550404dc0f41aa51f64f0ec02ae

  • SHA256

    a8cb4ee765bf0466dd9a02dd22fc5d9a65e7250a1f924de417ab283d2a0a1054

  • SHA512

    4468708bd56b9e1966a809525eab9cdc56a94cafc28ab47c7f8c89650ee17beec37de32c4f6117ec5be87c8d38b46e102d7b0f71a877e8953aaa606c33a3ac59

  • SSDEEP

    3072:vDEPeJlYW1ea8HKHSRUN3jjXs9Y+MiMVB/w68PEAjAfIrAvGPZz6sPJBIiFe/GcX:vSAl1IK1aY+MiMVBSeh

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8cb4ee765bf0466dd9a02dd22fc5d9a65e7250a1f924de417ab283d2a0a1054.exe
    "C:\Users\Admin\AppData\Local\Temp\a8cb4ee765bf0466dd9a02dd22fc5d9a65e7250a1f924de417ab283d2a0a1054.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3164
    • \??\c:\windows\userinit.exe
      c:\windows\userinit.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1636
      • \??\c:\windows\spoolsw.exe
        c:\windows\spoolsw.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1664
        • \??\c:\windows\swchost.exe
          c:\windows\swchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3956
          • \??\c:\windows\spoolsw.exe
            c:\windows\spoolsw.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1608

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\mrsys.exe
    Filesize

    211KB

    MD5

    01e55f43a33b41eb966e11ca95af6a0e

    SHA1

    6890abe1d5321678435ba0cd2dd35b92e55e0a62

    SHA256

    7fccfca1b2423fc00c5046a28da288990896cb4ba2e177f1b6c378fef188c54b

    SHA512

    6442ac465eb74733de69349747a8ab465d47ee6d6a3fbd49a779335c01e1549e93aeaf9e03b67648c7a5a9d3de8d6b4f13c9afbc2a103f78ac7a16cf17133e37

    Download Submit

  • C:\Windows\spoolsw.exe
    Filesize

    211KB

    MD5

    a9c11bdac519e366d39bd7e6ae17375d

    SHA1

    77f2ffa6304299567b1a5e21830542d6a3dc98dc

    SHA256

    1ec50782711a147b88bc2f69bcc803ea5d579d412d71a17caae9f8ad47333a9b

    SHA512

    79e08f214d31ee3e583a6c770a3dd6d5c2123b5e5e454230bb90ed767e755eb9ce23aa280ae84c7cc558fcf97a8f633cca7f71e019188d75e54ed0d7d4fb21de

    Download Submit

  • C:\Windows\swchost.exe
    Filesize

    211KB

    MD5

    a0bc360106533a19c5fc3823c10a9a61

    SHA1

    b43ee839ebc06d45bd617809fed8a9dbbec9618a

    SHA256

    f923f238240f21bc80da9753eacec216a5c505cef9a09f5550bc22e15e913d36

    SHA512

    267d44c68f9ef72ab17e37e03fa270ada863cedaa4407119134aaf22651f31cadd18c74589c0dedaab45f6813300b180dce0daa4ca331e1d9bf353b01073f79d

    Download Submit

  • C:\Windows\userinit.exe
    Filesize

    211KB

    MD5

    42e7e78aadcca1a0f87c30aa46675c39

    SHA1

    58e204aeecd1376ad49a70c63a37e7d545068eb6

    SHA256

    c86986c6bd2d8364543a7cb9cdeabfa938edd6980098aa17e589ad5bd047bbe7

    SHA512

    20e93b5b356666fb9fc57f32f6c72469e204735ee5a983da2ef17dc9ff9fa41ab7539aaa6dca62ca8494b18b7f0b0763b15b641ce9c7512c782a456b28fd3593

    Download Submit