Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

aa86ac9b16...54.exe

windows7-x64

10

aa86ac9b16...54.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/05/2024, 01:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa86ac9b16f68b14add9690ac2fe63426bdc3649dfbbd3be0b43c22be246ad54.exe

  • Size

    66KB

  • MD5

    9556cd0936956a7c89dd986f2a67cba2

  • SHA1

    a56fdfa018015497791bd666508b2c897ca384d6

  • SHA256

    aa86ac9b16f68b14add9690ac2fe63426bdc3649dfbbd3be0b43c22be246ad54

  • SHA512

    d28ef7f05190417c4b9c85d9e107c9ddca7a8559ebcfca88d1a26c23a97f813facf8245517ad4a24e5f1688c13c09237d16e4d2f2c65596ea33938e552d35211

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXip55555555555555555555b:IeklMMYJhqezw/pXzH9iR

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa86ac9b16f68b14add9690ac2fe63426bdc3649dfbbd3be0b43c22be246ad54.exe
    "C:\Users\Admin\AppData\Local\Temp\aa86ac9b16f68b14add9690ac2fe63426bdc3649dfbbd3be0b43c22be246ad54.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1284
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4012
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:644
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5008
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4124
          • C:\Windows\SysWOW64\at.exe
            at 01:21 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:3584
            • C:\Windows\SysWOW64\at.exe
              at 01:22 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:4756
              • C:\Windows\SysWOW64\at.exe
                at 01:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:4516

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          66KB

          MD5

          541915795f44ee05842cebea1b6c8368

          SHA1

          3cefb210949eb8c6f76725064c23089e0736bff9

          SHA256

          23571d69b2159987f007e30304d3994c4b00ad275e1f6533b56f3612bbb3d798

          SHA512

          f556540440d587540d4b41b8e4ca31db68a630b6dfb645c04f8164098b2b32e7a5d93b3608e65943235913208e95300ee3614acfe38b259b39befe46018e388e

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          66KB

          MD5

          e47741943aa5b858bdf35c2e640b1c1e

          SHA1

          6d7f1170e30c1a938b7585c79893233713e4e737

          SHA256

          bd0be4226a32ea0db3b125deb79fef123349dfb99ec75da2a06259895010b894

          SHA512

          940d7c864b89fac773329536bdfdd905d932d91b9d289ca8d18e6a8698c0631c35812509b891c998a7e14e8869272c7340f232683b35ac73b7e601a59879dbca

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          66KB

          MD5

          3ad155278f75a3fc35c9cacae31304fd

          SHA1

          21456e374e93861cf101ef7f66d3592f8c221d12

          SHA256

          4f85e63b3f89b727e953561636a1d1551fa8f651cff48a43da7bf721cbd38ac4

          SHA512

          c0f9e152b71973b203041850d6c459e0ec24a84b08a2ccc059b9cdb1b77b78a4a7d9b6716978328be8bacb5512491b6975ac633e69418e67248399aaa7e397d4

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          66KB

          MD5

          294946f8ae6193ef8d3cdff76bf0434b

          SHA1

          7d95d2410dfbc678db6b71399707c8e132f82965

          SHA256

          52055bbaa8a08e9b8175cf96c63dfef7c60e6c3dac7b2884edcfba497c19b5d8

          SHA512

          0dbd4459498da346ef85672b98082203acddcd74f56946aed2a252449e2ec44540634ec75a2e4802ef61b3d62fbb45fbd6dbed766f8542d365b6d1258ceb6e73

          Download Submit

        • memory/644-51-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/644-29-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/644-25-0x0000000074EE0000-0x000000007503D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1284-55-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1284-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1284-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1284-54-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1284-4-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1284-2-0x0000000074EE0000-0x000000007503D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1284-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4012-17-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4012-13-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4012-14-0x0000000074EE0000-0x000000007503D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4012-57-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4012-68-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4124-43-0x0000000074EE0000-0x000000007503D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4124-52-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5008-37-0x0000000074EE0000-0x000000007503D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/5008-36-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5008-59-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download