Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

6fddec5d8f...30.exe

windows7-x64

10

6fddec5d8f...30.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    09/06/2024, 03:20 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6fddec5d8fc66bcf441e99b2a3be8830.exe

  • Size

    65KB

  • MD5

    6fddec5d8fc66bcf441e99b2a3be8830

  • SHA1

    a23f13a250c72c7e033accffcad88c5e3bab5ab4

  • SHA256

    d0203818d3d8b32bf5a293d29cb4fef1ccfe0502ca8207977dd70430306f2121

  • SHA512

    f4fe79af6cf7836406f6243338ab0f949cfc8ab551a15adc685dd15fb288ce2a037a7c4daf56b80e19e4acbcfc64d1d4695df391c671a8037e1da52a636387ed

  • SSDEEP

    1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Ouh:7WNqkOJWmo1HpM0MkTUmuh

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fddec5d8fc66bcf441e99b2a3be8830.exe
    "C:\Users\Admin\AppData\Local\Temp\6fddec5d8fc66bcf441e99b2a3be8830.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1028
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2760
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2828
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2776
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2520
          • C:\Windows\SysWOW64\at.exe
            at 03:22 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:2088
            • C:\Windows\SysWOW64\at.exe
              at 03:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:1556
              • C:\Windows\SysWOW64\at.exe
                at 03:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:904

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          65KB

          MD5

          f03926030f62591916770723b3c5c02d

          SHA1

          0120c997048d4be6386437cdb4252ba69b6772af

          SHA256

          49d8aafae155b6f95cbac9144454625ca8ff22dacfc95bd63c47de6632644f53

          SHA512

          22721da3dfeb852a513ebebab20c2fb3e91e631ed746c27d1bcba09f33adca536833204d018155efa958933448bfde727d75c7fdb565066300e0bdea94d74e32

          Download Submit

        • C:\Windows\system\svchost.exe
          Filesize

          65KB

          MD5

          8dcdad81d8b72dc6a7d2186532d9f26c

          SHA1

          05adbe8365cba4549f9f58b003336cac8173326c

          SHA256

          0c4e4a8254b22e83a686b30a5b4ddb68e5ac5a9059151dd575197805a276d34f

          SHA512

          cae9968fe3e05a2270cb0eed39ca75fabb40991be22cd00b49a77e2a7088296d054390aa2cb52d20e847f60a3626a74f7bb9740667b0ada9c0591625f385004c

          Download Submit

        • \??\c:\windows\system\explorer.exe
          Filesize

          65KB

          MD5

          638c14db6b673a28c28ef194a04273a6

          SHA1

          7bc8c5b59c1e3832b55c5f2cd1a2c9c6bedfa7e0

          SHA256

          67fa1c9930321378026856833007854bc78561d38f87dc1072a410e4144f455f

          SHA512

          505952bcb9d17ce344da5a4dca554618b8ac49ed55abe9f2f8c2c0df94913eadc2dd7d3846ca4d7e11d1914c42da3100e4fb3c6938a359493b44561b7325761e

          Download Submit

        • \Windows\system\spoolsv.exe
          Filesize

          65KB

          MD5

          6e87f3b24c28551a713daa3fb07e571d

          SHA1

          1ac7d839983f6675ba5357427b031ebc0db8bc7c

          SHA256

          a7bdd0f959cfe198c9aae36c06eca8b48daa583d2896ff7d5e743cb151483977

          SHA512

          afcab7d259837d7a957f7c0b0ac79936a94a4a30d96fbb37ca3fc84755da30dfa1aebbfac895a00878bb404f97f1b8374ebc04764852fda43d75e8853e3c63d5

          Download Submit

        • memory/1028-1-0x0000000000020000-0x0000000000024000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1028-17-0x0000000003140000-0x0000000003171000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1028-2-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1028-4-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1028-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1028-77-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1028-76-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1028-18-0x0000000003140000-0x0000000003171000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1028-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2520-71-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2520-65-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2760-20-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2760-24-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2760-79-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2760-90-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2760-19-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2760-31-0x0000000003140000-0x0000000003171000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2776-53-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2776-59-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2776-57-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2776-81-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2776-56-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2828-42-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2828-75-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2828-37-0x0000000072940000-0x0000000072A93000-memory.dmp

          Filesize

          1.3MB

          Download

        We care about your privacy.

        This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.