Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
06/06/2024, 05:50
Behavioral task
behavioral1
Sample
c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe
Resource
win7-20240508-en
windows7-x64
17 signatures
150 seconds
Behavioral task
behavioral2
Sample
c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
15 signatures
150 seconds
General
-
Target
c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe
-
Size
2.5MB
-
MD5
f908e496fd10a760b9fbdd64b2101c21
-
SHA1
aa32263197cfe9ce4d043d762547f45f2d8026b0
-
SHA256
c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0
-
SHA512
1a3407d52d319972f6fb780f1dce978feab9ef206ee12c0248c83d994ac027e5b9186971a3234e5983e7ac78e6fd0fe3d6c5fba3b79ef7dbb6435846d9fc7db7
-
SSDEEP
49152:MxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxy:Mxx9NUFkQx753uWuCyyxy
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Detects executables packed with Themida 15 IoCs
resource yara_rule behavioral2/memory/4436-0-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral2/files/0x0009000000023264-8.dat INDICATOR_EXE_Packed_Themida behavioral2/memory/3352-10-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral2/files/0x0008000000023268-15.dat INDICATOR_EXE_Packed_Themida behavioral2/memory/544-19-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral2/files/0x000800000002326b-26.dat INDICATOR_EXE_Packed_Themida behavioral2/memory/3732-28-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral2/memory/3760-36-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral2/memory/544-38-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral2/memory/4436-40-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral2/memory/3352-41-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral2/memory/3732-42-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral2/memory/3732-45-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral2/memory/3352-54-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral2/memory/3352-66-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe -
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe -
Executes dropped EXE 4 IoCs
pid Process 3352 explorer.exe 544 spoolsv.exe 3732 svchost.exe 3760 spoolsv.exe -
resource yara_rule behavioral2/memory/4436-0-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/files/0x0009000000023264-8.dat themida behavioral2/memory/3352-10-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/files/0x0008000000023268-15.dat themida behavioral2/memory/544-19-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/files/0x000800000002326b-26.dat themida behavioral2/memory/3732-28-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/3760-36-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/544-38-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/4436-40-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/3352-41-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/3732-42-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/3732-45-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/3352-54-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/3352-66-0x0000000000400000-0x0000000000A0E000-memory.dmp themida -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 3352 explorer.exe 544 spoolsv.exe 3732 svchost.exe 3760 spoolsv.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification \??\c:\windows\resources\themes\explorer.exe c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe File opened for modification C:\Windows\Resources\tjud.exe explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 3352 explorer.exe 3352 explorer.exe 3352 explorer.exe 3352 explorer.exe 3352 explorer.exe 3352 explorer.exe 3352 explorer.exe 3352 explorer.exe 3352 explorer.exe 3352 explorer.exe 3352 explorer.exe 3352 explorer.exe 3352 explorer.exe 3352 explorer.exe 3352 explorer.exe 3352 explorer.exe 3352 explorer.exe 3352 explorer.exe 3352 explorer.exe 3352 explorer.exe 3352 explorer.exe 3352 explorer.exe 3352 explorer.exe 3352 explorer.exe 3352 explorer.exe 3352 explorer.exe 3352 explorer.exe 3352 explorer.exe 3352 explorer.exe 3352 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 3352 explorer.exe 3732 svchost.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 3352 explorer.exe 3352 explorer.exe 544 spoolsv.exe 544 spoolsv.exe 3732 svchost.exe 3732 svchost.exe 3760 spoolsv.exe 3760 spoolsv.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4436 wrote to memory of 3352 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 92 PID 4436 wrote to memory of 3352 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 92 PID 4436 wrote to memory of 3352 4436 c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe 92 PID 3352 wrote to memory of 544 3352 explorer.exe 93 PID 3352 wrote to memory of 544 3352 explorer.exe 93 PID 3352 wrote to memory of 544 3352 explorer.exe 93 PID 544 wrote to memory of 3732 544 spoolsv.exe 94 PID 544 wrote to memory of 3732 544 spoolsv.exe 94 PID 544 wrote to memory of 3732 544 spoolsv.exe 94 PID 3732 wrote to memory of 3760 3732 svchost.exe 95 PID 3732 wrote to memory of 3760 3732 svchost.exe 95 PID 3732 wrote to memory of 3760 3732 svchost.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe"C:\Users\Admin\AppData\Local\Temp\c337a60974844bbe579fc933b065989fdb5a66350acfaa7952465c0e73a28ec0.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3352 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:544 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3732 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3760
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:81⤵PID:4512
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.5MB
MD5ca50f940df512babfc1fdb75059d631a
SHA14f9b7725ab921fa64ec607b4ed69b5f299f3d79f
SHA256732aea2a725e9c4d0edaffe5031772dcd2fc4d2d3e0cafa526d76a9618895c3d
SHA51220a4fe597aabe39dadaca2458ee41f623b97b73ff3b8651dae67d0eaaf6987aa13dc3bb1895dcb1bac6bd19b4c7ef764c072de3cee9a2f60a9536a0bff4644e2
-
Filesize
2.5MB
MD5df45c05cb6d43ae480cdc38c91757ee5
SHA13b6c528304a57517846f7a34bee94d157fe3c6c9
SHA25681a8bc67a7d85c07b1f2becc7f4f7d460ef78249323b99caf9f3e9ced8fd20ef
SHA512c0057f4e072ac8a58bd7a17a7f39b40512a2226907b0db7af70ff7a1803ce4cfa32575d3da87fa911a0ac7966c5da5f38efcb341552a080e3f14666299a28d83
-
Filesize
2.5MB
MD5105973d481ac7ce3296d22a5b51d8d2b
SHA1eb30a7fe7ec223e74ffd2e01cab323f62b6ca425
SHA2565a038d8f40bc13a4e9413392389af3160e220d86f311c7c857cba113d647a045
SHA5128b399e490e200bb06a26efd4e65d20a03d9f5a6d13f97fb87d8ad7c195a0f745defce726759a436a527418287be1264154f9ff7fb5809c833faf2cdfc06051c1