Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/06/2024, 04:35

General

  • Target
    e38fe3d6ac7b8e0cfe73d0544404f12df5879a070fa50a3bcd32b58d1d6f3165.exe
  • Size
    135KB
  • MD5
    1d6017e309c94ec27a939844bb6e9c86
  • SHA1
    8816f39672c1da0d0fa2b76b9114c014ca6374e9
  • SHA256
    e38fe3d6ac7b8e0cfe73d0544404f12df5879a070fa50a3bcd32b58d1d6f3165
  • SHA512
    d077f682f57b44a58e2ed68f05769d002b27a6ac72b9de5c1c379760566593086044cdd23723e95960a65c57026d27414cf23a0d38e5d5c9e0ee96dc36536e47
  • SSDEEP
    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVNX:UVqoCl/YgjxEufVU0TbTyDDalTX

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e38fe3d6ac7b8e0cfe73d0544404f12df5879a070fa50a3bcd32b58d1d6f3165.exe
    "C:\Users\Admin\AppData\Local\Temp\e38fe3d6ac7b8e0cfe73d0544404f12df5879a070fa50a3bcd32b58d1d6f3165.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3848
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2432
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1880
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1440
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1600

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Resources\Themes\explorer.exe
    Filesize
    135KB
    MD5
    f1f93ce591dbb610399a3f852a6facf4
    SHA1
    0d6a0e3111f3a51433eebb909e2426feb6b14d2b
    SHA256
    677ecbf356d3850318a07ae8bfc357bb5b15ed932488c3369f91117c46c165fb
    SHA512
    bf15880cfb1952ba1d911f89bc0ec7341f9857051e2cab34f57ea274bbdf0769458af1efdd859c0767aa9bdd5084e44fb482345091d2e79f134e303e9158b19a
  • C:\Windows\Resources\spoolsv.exe
    Filesize
    135KB
    MD5
    6fb7cbe32b04c755e195b1eee1f3862f
    SHA1
    bd52b94adfd839f48e9a6ae3b67897d37685736d
    SHA256
    ddcb253ad073c70324262bafe98133da21fe8413d59b206a29029b551813e9c4
    SHA512
    0c562a9397d331290240ff8fa5a02b4b366f0aa25c8a255783c1447e91b266fc035270347041403820008bae60daee60fa22cdc30f9e11c5b0eb6319fdd940d9
  • C:\Windows\Resources\svchost.exe
    Filesize
    135KB
    MD5
    16f655d69ea80c47484c4378495fcb68
    SHA1
    c82e8abe571b59e17d46d39ecc99beabc668d835
    SHA256
    fe7d6961fd1e8a140d2c534f45058854d13fa24ea23a6bf6d600d0268f6420b0
    SHA512
    2ac8a4431f1fb93d83aa52a32652870bc2484301f5bb85d5ee7dfa50c2b7070e85e2cce86d6703f8a3ee15cecf5c893f62892ada2824fabfb8536b0f46c858d1
  • memory/1600-33-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize
    124KB
  • memory/1880-32-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize
    124KB
  • memory/3848-0-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize
    124KB
  • memory/3848-34-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize
    124KB