Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

0742b44b24...ff.exe

windows7-x64

10

0742b44b24...ff.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/05/2024, 18:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0742b44b245affa4d76e5b90e8b647f72be79c8cbbc9b419f29509606bfa03ff.exe

  • Size

    66KB

  • MD5

    a4b05dbb75c8eec38f583b931c430a20

  • SHA1

    7d0636576d3dbb1a27bcd897d41e9e949a493552

  • SHA256

    0742b44b245affa4d76e5b90e8b647f72be79c8cbbc9b419f29509606bfa03ff

  • SHA512

    765f0a10bf8aae54e2e18b777ccdf5727c3f69029289baa635c6526dab15c75c0cb2ee65a4dac062edf7d724e7ae7c6b558e70fa7aab5740083350627ba01fd3

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXi7CCCCCCCCCCCCCCCCCCCC7:IeklMMYJhqezw/pXzH9iP

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0742b44b245affa4d76e5b90e8b647f72be79c8cbbc9b419f29509606bfa03ff.exe
    "C:\Users\Admin\AppData\Local\Temp\0742b44b245affa4d76e5b90e8b647f72be79c8cbbc9b419f29509606bfa03ff.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2996
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1592
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3124
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:6040
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:5612
          • C:\Windows\SysWOW64\at.exe
            at 18:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:4104
            • C:\Windows\SysWOW64\at.exe
              at 18:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:5700
              • C:\Windows\SysWOW64\at.exe
                at 18:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:1920

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          66KB

          MD5

          8be9ae60bcb978511f9a0a5fba91086a

          SHA1

          f076f238fa3929cb3c83699c78c22f89dde5047a

          SHA256

          1d5a3c58f252b579ebf424f31a8be3047613519f9812a192dd567386e35fa67b

          SHA512

          3c8a215456d987bad5a1df830793da49699979239c2b9424f7bd1e7ff297bc4af588c6cc36e5b424d928ab80c325f7f5daeea33c0bf49dd7f843ecbc61da64c5

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          66KB

          MD5

          cfcc804cc2a61fa1e9f2724a4c2435b1

          SHA1

          20d43da8e400598c06ad0db0fcdd6e19e989350a

          SHA256

          5b42bea9c56fa3c433e1b36f832968cabddaaffef5e9a49646d70707692857f6

          SHA512

          f9e4b13940b10f5b077bfedc12478406342daf8988e1b9d5c1b0e490ca568342b320e5200459c0c209ad106ab5baa609fb2309166321797d55d935c25d06adcb

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          66KB

          MD5

          37935e88377734403c84fbc82d9eab14

          SHA1

          ec7c972d620cd18a59a1f6cd076636cccb0c6889

          SHA256

          f4b6cbb1e1144239ae59370ae6350b68ff346704cf8c65d488f58e4d575d6621

          SHA512

          063399344ad729197e51bb7f932b2535fe3c45cbd3ab857a22bad55f44d9f2c69a0dac8fcbd213e6395d857c86b6d66a4a539daacb73102499da15a66b5b3826

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          66KB

          MD5

          82abe62c272e643cb43fdc8e2e1b4a0e

          SHA1

          58aadd4383b9f9fb14e9a780b38616663a4d26f3

          SHA256

          2c05c98efd9aaf4078059427a7c71c42d401a146e2634034304326de181f58b5

          SHA512

          98fc3c177c6845bb625bbc80582f1c1d4f71f86d24413897f64c355d9c82bb7d78a5580abb9036320d46a6974ddc40fcbe76a4961ef10ce0b7f96b6198c653de

          Download Submit

        • memory/1592-68-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1592-57-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1592-12-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1592-14-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1592-15-0x0000000074FC0000-0x000000007511D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1592-18-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2996-54-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2996-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2996-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/2996-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2996-5-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2996-2-0x0000000074FC0000-0x000000007511D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2996-55-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/3124-53-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3124-26-0x0000000074FC0000-0x000000007511D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3124-30-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5612-49-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/5612-43-0x0000000074FC0000-0x000000007511D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/6040-37-0x0000000074FC0000-0x000000007511D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/6040-59-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download