Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

dd4abed8ac...fa.exe

windows7-x64

10

dd4abed8ac...fa.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/05/2024, 04:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dd4abed8aceb1a0d51995261cab8e68d0ac832c6872db6a098d0c38d7a1ff4fa.exe

  • Size

    66KB

  • MD5

    7af92f5c044483ff6391b30c319d67cf

  • SHA1

    0a7f034acd5e866a66f48f5e0e714a8f49df8dcb

  • SHA256

    dd4abed8aceb1a0d51995261cab8e68d0ac832c6872db6a098d0c38d7a1ff4fa

  • SHA512

    a2d6ae83bcb42fe0f037a0e89c48449766210227667b047cde66fbda78bced21a17b0ce3a83fe82d0b90a1eb18d920575deae40a7b4a335717be04ea6f6d03e4

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi7:IeklMMYJhqezw/pXzH9i7

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd4abed8aceb1a0d51995261cab8e68d0ac832c6872db6a098d0c38d7a1ff4fa.exe
    "C:\Users\Admin\AppData\Local\Temp\dd4abed8aceb1a0d51995261cab8e68d0ac832c6872db6a098d0c38d7a1ff4fa.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4712
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5132
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5632
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4984
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2564
          • C:\Windows\SysWOW64\at.exe
            at 04:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:1304
            • C:\Windows\SysWOW64\at.exe
              at 04:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:4988
              • C:\Windows\SysWOW64\at.exe
                at 04:39 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:4724

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          66KB

          MD5

          f2eb0d01d52d396195df508764cb2977

          SHA1

          73d4d0bb392f682af090408196f3c1d2d8d3b772

          SHA256

          e2f6827b8d407d565efba8e379857f97fc2c8301eb616a8bce416e6629a7d4c8

          SHA512

          bc585e4bc517c3bff4be4e30edf53ee9aa1374f9c8ad374704a0eadd13a97bf3ca0eafaad3decadfca8edd0ebb769e4cc5e5b1fd9f6226cd60c381afd215e6bb

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          66KB

          MD5

          ead9516033a3af1225247d762addd598

          SHA1

          a85fa2a4ab1af117ec768cf82a593aefffed8bd2

          SHA256

          7f4a1524c0a4fdce4ab4e33e1b5a181aa0e13ae97b6312510d837e3906fad966

          SHA512

          f87fb914acea73290d179781d30789e02e4ee98423904cfb0ed958902db224dcba3e899920ce7cfd282bdadab7c3434594d6be198ce50f6e1023c47526b19ddc

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          66KB

          MD5

          acafa2d9096da750b82d43fa19f8d88b

          SHA1

          6d6ebc84d6a725f4f3a684a14a6ce2b5f908b12d

          SHA256

          b3ffe57c03c8b45fe9adbbe762af1aefa92a22efcd565abddf58df083acf4125

          SHA512

          e3e228f9e4847f1719d0b0ed8775f5b93513a3e53dc724c9f7df07568fbd4fc84c3ff1fdd5a860fad8724bd2305f53ca5cf20d75e026dd818bdd7013ad150812

          Download Submit

        • \??\c:\windows\system\explorer.exe
          Filesize

          66KB

          MD5

          0390c76b775315248c627dc1ac6bb876

          SHA1

          8ff066316612b2dbb405661ef0a63428d5447aa8

          SHA256

          cec5bd4d03629702387c2e433da759bd1f26bf277f0a05ab4631f88f471677ec

          SHA512

          d3a3399990bcf0bfa76c180043fc48f9956c9f3e9bb8038c3e60674e15f478506f99ae879c073de33c3b5630c422ca024197a81524df7e5b4fa52222481ab8aa

          Download Submit

        • memory/2564-50-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2564-44-0x00000000756E0000-0x000000007583D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4712-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4712-2-0x00000000756E0000-0x000000007583D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4712-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/4712-56-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4712-57-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/4712-4-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/4712-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4984-61-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4984-36-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4984-37-0x00000000756E0000-0x000000007583D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4984-41-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5132-13-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5132-16-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5132-59-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5132-14-0x00000000756E0000-0x000000007583D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/5132-70-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5632-54-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5632-26-0x00000000756E0000-0x000000007583D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/5632-25-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download