Analysis
- max time kernel: 65s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/06/2024, 09:29
Static task: static1
Behavioral task behavioral1
- Sample: c9b924e833a8196e85215a4de2b2dac97a615050e1542a483703011a3bcf7083.exe
- Resource: win7-20231129-en
Behavioral task behavioral2
- Sample: c9b924e833a8196e85215a4de2b2dac97a615050e1542a483703011a3bcf7083.exe
- Resource: win10v2004-20240426-en
General
- Target: c9b924e833a8196e85215a4de2b2dac97a615050e1542a483703011a3bcf7083.exe
- Size: 65KB
- MD5: aa531d6157cc02a3909d85d3f38a12c8
- SHA1: 08cb365b3c3143eaae2236841f6f2aa0d33e8565
- SHA256: c9b924e833a8196e85215a4de2b2dac97a615050e1542a483703011a3bcf7083
- SHA512: 64b0b10c7ab71e0084614d9967b2e80bbd45a8794adb2ad13f0449c12d0ef73c49e17f68408d035f9b773f690a3b1ba48290d642a32c9bf0b4391e218ee3fc28
- SSDEEP: 1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/Oun:7WNqkOJWmo1HpM0MkTUmun
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
- Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Executes dropped EXE (4 IoCs)
pid | Process
- 3260 | explorer.exe
- 3168 | spoolsv.exe
- 1576 | svchost.exe
- 3524 | spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
description | ioc | Process
- File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
- File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
- File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
- File opened for modification | \??\c:\windows\system\explorer.exe | c9b924e833a8196e85215a4de2b2dac97a615050e1542a483703011a3bcf7083.exe
- File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
- File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | hits
- 4804 | c9b924e833a8196e85215a4de2b2dac97a615050e1542a483703011a3bcf7083.exe | 2
- 3260 | explorer.exe | 32
- 1576 | svchost.exe | 30
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
- 3260 | explorer.exe
- 1576 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process | hits
- 4804 | c9b924e833a8196e85215a4de2b2dac97a615050e1542a483703011a3bcf7083.exe | 2
- 3260 | explorer.exe | 4
- 3168 | spoolsv.exe | 2
- 1576 | svchost.exe | 2
- 3524 | spoolsv.exe | 2
Suspicious use of WriteProcessMemory (18 IoCs; each parent/child pair is recorded three times)
description | pid | Process | procid_target
- PID 4804 wrote to memory of 3260 | 4804 | c9b924e833a8196e85215a4de2b2dac97a615050e1542a483703011a3bcf7083.exe | 82
- PID 3260 wrote to memory of 3168 | 3260 | explorer.exe | 85
- PID 3168 wrote to memory of 1576 | 3168 | spoolsv.exe | 86
- PID 1576 wrote to memory of 3524 | 1576 | svchost.exe | 87
- PID 1576 wrote to memory of 3056 | 1576 | svchost.exe | 89
- PID 1576 wrote to memory of 1728 | 1576 | svchost.exe | 99
Processes
1. C:\Users\Admin\AppData\Local\Temp\c9b924e833a8196e85215a4de2b2dac97a615050e1542a483703011a3bcf7083.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c9b924e833a8196e85215a4de2b2dac97a615050e1542a483703011a3bcf7083.exe"
   PID: 4804
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. \??\c:\windows\system\explorer.exe
      Command line: c:\windows\system\explorer.exe
      PID: 3260
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. \??\c:\windows\system\spoolsv.exe
         Command line: c:\windows\system\spoolsv.exe SE
         PID: 3168
         - Executes dropped EXE
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. \??\c:\windows\system\svchost.exe
            Command line: c:\windows\system\svchost.exe
            PID: 1576
            - Modifies WinLogon for persistence
            - Modifies visibility of hidden/system files in Explorer
            - Modifies Installed Components in the registry
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. \??\c:\windows\system\spoolsv.exe
               Command line: c:\windows\system\spoolsv.exe PR
               PID: 3524
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx
            5. C:\Windows\SysWOW64\at.exe
               Command line: at 09:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
               PID: 3056
            5. C:\Windows\SysWOW64\at.exe
               Command line: at 09:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
               PID: 1728
            5. C:\Windows\SysWOW64\at.exe
               Command line: at 09:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
               PID: 4644
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads
Dropped file 1
- Filesize: 65KB
- MD5: 2f2f8ae0aa27fef459a8193ac7ab01f5
- SHA1: 7a83962abab631fa39dc434e63ec5e819a15ad39
- SHA256: 0e9f37ac42878893e5e78ba208eb3eb6eab34b4fe9dbf5e44200a03b63c57ce8
- SHA512: a39615dd81c5fb4d7b3a5905dc3819023aa71fec4ee26fb86ee9ce5a5bc7fe1dd9990f3955bcba49b6a758a228b709294eaec65a49ea23f1da88bac84a837ba3
Dropped file 2
- Filesize: 65KB
- MD5: 21878ce9b4690ab11fd7d732650ff766
- SHA1: 9936f20264c918879cf85b968d70c91f3b8e30a6
- SHA256: dd2611fa5fb15baead7464c327bf8cd270f2965f7ad1dc450b3c1d1cc01bc113
- SHA512: 21db66653368e359a11df8df63355b7e03a8641fb515aceae18d98a70b9388e15f743a513493e8202da70b37b67dc2cac8288a2237812d47b57b2d94998d5284
Dropped file 3
- Filesize: 65KB
- MD5: 769604a79e740532be13b35585c96a2c
- SHA1: ba1e37c56ff6dfe174acda44b923df0a9510cbf5
- SHA256: 6609185409281e0bcdfb827f7d1ffa4c1eea7cefff1e9b9cad25d8c7b5d550c1
- SHA512: cbf2adb59fe4fabfb4859082735530eca9777b555acb232e38eca2a0df99b53235324086699f105755171ad7caffedb402d557a1683e5b6f44d5693128a02bc6
Dropped file 4
- Filesize: 65KB
- MD5: 74998be5045e10a737e34f16c620b805
- SHA1: 97f91592e1365a8e6acbb88c443c2813805f1da9
- SHA256: a25c39ee857cafb305ed0a294c58abc2430e7e85a1259972ecae065c9aa03f05
- SHA512: 7f9b354efcc080dbede3b58e9a79d35c1b706830e3e4e3a47628dde142054f1538340d89758609083b8c45b06c4c72d7c5013e9b5b38fd4ef8c58ab2a86d893c