Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/06/2024, 04:35
Static task: static1
Behavioral task behavioral1
- Sample: e38fe3d6ac7b8e0cfe73d0544404f12df5879a070fa50a3bcd32b58d1d6f3165.exe
- Resource: win7-20231129-en
Behavioral task behavioral2
- Sample: e38fe3d6ac7b8e0cfe73d0544404f12df5879a070fa50a3bcd32b58d1d6f3165.exe
- Resource: win10v2004-20240508-en
General
- Target: e38fe3d6ac7b8e0cfe73d0544404f12df5879a070fa50a3bcd32b58d1d6f3165.exe
- Size: 135KB
- MD5: 1d6017e309c94ec27a939844bb6e9c86
- SHA1: 8816f39672c1da0d0fa2b76b9114c014ca6374e9
- SHA256: e38fe3d6ac7b8e0cfe73d0544404f12df5879a070fa50a3bcd32b58d1d6f3165
- SHA512: d077f682f57b44a58e2ed68f05769d002b27a6ac72b9de5c1c379760566593086044cdd23723e95960a65c57026d27414cf23a0d38e5d5c9e0ee96dc36536e47
- SSDEEP: 1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVNX:UVqoCl/YgjxEufVU0TbTyDDalTX
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)

Executes dropped EXE (4 IoCs)
- PID 2432: explorer.exe
- PID 1880: spoolsv.exe
- PID 1440: svchost.exe
- PID 1600: spoolsv.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (process: svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (process: svchost.exe)

Drops file in System32 directory (2 IoCs)
- File opened for modification C:\Windows\SysWOW64\explorer.exe (process: explorer.exe)
- File opened for modification C:\Windows\SysWOW64\explorer.exe (process: svchost.exe)

Drops file in Windows directory (4 IoCs)
- File opened for modification \??\c:\windows\resources\themes\explorer.exe (process: e38fe3d6ac7b8e0cfe73d0544404f12df5879a070fa50a3bcd32b58d1d6f3165.exe)
- File opened for modification \??\c:\windows\resources\spoolsv.exe (process: explorer.exe)
- File opened for modification \??\c:\windows\resources\svchost.exe (process: spoolsv.exe)
- File opened for modification C:\Windows\Resources\tjud.exe (process: explorer.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- All 64 entries come from two processes (repeated identical entries collapsed): PID 3848 e38fe3d6ac7b8e0cfe73d0544404f12df5879a070fa50a3bcd32b58d1d6f3165.exe and PID 2432 explorer.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 2432: explorer.exe
- PID 1440: svchost.exe

Suspicious use of SetWindowsHookEx (10 IoCs)
- PID 3848: e38fe3d6ac7b8e0cfe73d0544404f12df5879a070fa50a3bcd32b58d1d6f3165.exe (2 entries)
- PID 2432: explorer.exe (2 entries)
- PID 1880: spoolsv.exe (2 entries)
- PID 1440: svchost.exe (2 entries)
- PID 1600: spoolsv.exe (2 entries)

Suspicious use of WriteProcessMemory (12 IoCs)
- PID 3848 wrote to memory of 2432 (pid 3848, e38fe3d6ac7b8e0cfe73d0544404f12df5879a070fa50a3bcd32b58d1d6f3165.exe, procid_target 83), 3 entries
- PID 2432 wrote to memory of 1880 (pid 2432, explorer.exe, procid_target 84), 3 entries
- PID 1880 wrote to memory of 1440 (pid 1880, spoolsv.exe, procid_target 85), 3 entries
- PID 1440 wrote to memory of 1600 (pid 1440, svchost.exe, procid_target 86), 3 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\e38fe3d6ac7b8e0cfe73d0544404f12df5879a070fa50a3bcd32b58d1d6f3165.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e38fe3d6ac7b8e0cfe73d0544404f12df5879a070fa50a3bcd32b58d1d6f3165.exe"
   PID: 3848
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. \??\c:\windows\resources\themes\explorer.exe
      Command line: c:\windows\resources\themes\explorer.exe
      PID: 2432
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. \??\c:\windows\resources\spoolsv.exe
         Command line: c:\windows\resources\spoolsv.exe SE
         PID: 1880
         - Executes dropped EXE
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. \??\c:\windows\resources\svchost.exe
            Command line: c:\windows\resources\svchost.exe
            PID: 1440
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in System32 directory
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. \??\c:\windows\resources\spoolsv.exe
               Command line: c:\windows\resources\spoolsv.exe PR
               PID: 1600
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped file 1
- Filesize: 135KB
- MD5: f1f93ce591dbb610399a3f852a6facf4
- SHA1: 0d6a0e3111f3a51433eebb909e2426feb6b14d2b
- SHA256: 677ecbf356d3850318a07ae8bfc357bb5b15ed932488c3369f91117c46c165fb
- SHA512: bf15880cfb1952ba1d911f89bc0ec7341f9857051e2cab34f57ea274bbdf0769458af1efdd859c0767aa9bdd5084e44fb482345091d2e79f134e303e9158b19a

Dropped file 2
- Filesize: 135KB
- MD5: 6fb7cbe32b04c755e195b1eee1f3862f
- SHA1: bd52b94adfd839f48e9a6ae3b67897d37685736d
- SHA256: ddcb253ad073c70324262bafe98133da21fe8413d59b206a29029b551813e9c4
- SHA512: 0c562a9397d331290240ff8fa5a02b4b366f0aa25c8a255783c1447e91b266fc035270347041403820008bae60daee60fa22cdc30f9e11c5b0eb6319fdd940d9

Dropped file 3
- Filesize: 135KB
- MD5: 16f655d69ea80c47484c4378495fcb68
- SHA1: c82e8abe571b59e17d46d39ecc99beabc668d835
- SHA256: fe7d6961fd1e8a140d2c534f45058854d13fa24ea23a6bf6d600d0268f6420b0
- SHA512: 2ac8a4431f1fb93d83aa52a32652870bc2484301f5bb85d5ee7dfa50c2b7070e85e2cce86d6703f8a3ee15cecf5c893f62892ada2824fabfb8536b0f46c858d1