Analysis
- max time kernel: 150s
- max time network: 105s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/05/2024, 01:45
Static task: static1
Behavioral task: behavioral1
- Sample: b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
- Resource: win10v2004-20240508-en
General
- Target: b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
- Size: 3.4MB
- MD5: 0f51ec7c96b3aea6bc92fccf6d35d33a
- SHA1: 23fbc7da031821c92a3b10d27af83659e2732bef
- SHA256: b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0
- SHA512: 8093fabed75e1932a83d9ee6b26ac2d63d26ebc447cb4334727585a4b0c70689634317acb92ee9a090175cc56079b1babef5aa5969077d27e5ada5bf127b7f3f
- SSDEEP: 49152:t7Zi5hu7I/BzfK/ZHg1pHtOUYqP3CFOrtG/RR9sXafgkDFMVR9C1UhPJXMK701hi:NI5ht/BzfKW1t0xOouBiCV2Hw
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)

Executes dropped EXE (6 IoCs)
- PID 1440: b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
- PID 1624: icsys.icn.exe
- PID 4536: explorer.exe
- PID 2224: spoolsv.exe
- PID 3908: svchost.exe
- PID 4620: spoolsv.exe

Loads dropped DLL (3 IoCs)
- PID 1440: b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe (3 entries)

Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (process: svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (process: svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (process: explorer.exe)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (2 IoCs)
- File opened for modification: C:\Windows\SysWOW64\explorer.exe (process: explorer.exe)
- File opened for modification: C:\Windows\SysWOW64\explorer.exe (process: svchost.exe)

Drops file in Windows directory (5 IoCs)
- File opened for modification: C:\Windows\Resources\tjud.exe (process: explorer.exe)
- File opened for modification: C:\Windows\Resources\Themes\icsys.icn.exe (process: b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe)
- File opened for modification: \??\c:\windows\resources\themes\explorer.exe (process: icsys.icn.exe)
- File opened for modification: \??\c:\windows\resources\spoolsv.exe (process: explorer.exe)
- File opened for modification: \??\c:\windows\resources\svchost.exe (process: spoolsv.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 224: b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe (listed repeatedly)
- PID 1624: icsys.icn.exe (listed repeatedly)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 4536: explorer.exe
- PID 3908: svchost.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, PID 1440, b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
- Token: SeShutdownPrivilege, PID 1440, b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
- Token: SeCreatePagefilePrivilege, PID 1440, b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
- PID 224: b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe (2 entries)
- PID 1624: icsys.icn.exe (2 entries)
- PID 4536: explorer.exe (2 entries)
- PID 2224: spoolsv.exe (2 entries)
- PID 3908: svchost.exe (2 entries)
- PID 4620: spoolsv.exe (2 entries)

Suspicious use of WriteProcessMemory (18 IoCs; each entry appears 3 times in the report)
- PID 224 (b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe) wrote to memory of PID 1440, procid_target 83
- PID 224 (b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe) wrote to memory of PID 1624, procid_target 84
- PID 1624 (icsys.icn.exe) wrote to memory of PID 4536, procid_target 86
- PID 4536 (explorer.exe) wrote to memory of PID 2224, procid_target 88
- PID 2224 (spoolsv.exe) wrote to memory of PID 3908, procid_target 89
- PID 3908 (svchost.exe) wrote to memory of PID 4620, procid_target 90
Processes

1 C:\Users\Admin\AppData\Local\Temp\b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe"
  PID: 224
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  2 \??\c:\users\admin\appdata\local\temp\b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
    Command line: c:\users\admin\appdata\local\temp\b3bcd4e5c084150f37c03f8a4cc9ce9693d246314bfb2d58f279a910cdaa46a0.exe
    PID: 1440
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken

  2 C:\Windows\Resources\Themes\icsys.icn.exe
    Command line: C:\Windows\Resources\Themes\icsys.icn.exe
    PID: 1624
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    3 \??\c:\windows\resources\themes\explorer.exe
      Command line: c:\windows\resources\themes\explorer.exe
      PID: 4536
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      4 \??\c:\windows\resources\spoolsv.exe
        Command line: c:\windows\resources\spoolsv.exe SE
        PID: 2224
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        5 \??\c:\windows\resources\svchost.exe
          Command line: c:\windows\resources\svchost.exe
          PID: 3908
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          6 \??\c:\windows\resources\spoolsv.exe
            Command line: c:\windows\resources\spoolsv.exe PR
            PID: 4620
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads