Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

49c43f4b6b...c6.exe

windows7-x64

10

49c43f4b6b...c6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/06/2024, 11:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    49c43f4b6b46642ef80ea0720fd4aa272ab33749bfc7b8e7449852fd3753afc6.exe

  • Size

    65KB

  • MD5

    94ab93ffcd0e6b2d04ffc12dcc71a7b6

  • SHA1

    2ea97e1684433771d31076576fbda8aa99feac20

  • SHA256

    49c43f4b6b46642ef80ea0720fd4aa272ab33749bfc7b8e7449852fd3753afc6

  • SHA512

    d455d755633abd0754dea452a093bc816eaa1f01cfb95e6de154d3ca1529f41cb905836a804a672c16b428933bebca7cc8baa5506e87a8dd806686ca9d05ad55

  • SSDEEP

    1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/OuP:7WNqkOJWmo1HpM0MkTUmuP

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\49c43f4b6b46642ef80ea0720fd4aa272ab33749bfc7b8e7449852fd3753afc6.exe
    "C:\Users\Admin\AppData\Local\Temp\49c43f4b6b46642ef80ea0720fd4aa272ab33749bfc7b8e7449852fd3753afc6.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4508
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3936
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3656
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2808
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3984
          • C:\Windows\SysWOW64\at.exe
            at 11:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:4556
            • C:\Windows\SysWOW64\at.exe
              at 11:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:3980
              • C:\Windows\SysWOW64\at.exe
                at 11:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:4368

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          65KB

          MD5

          2b531b41b3dc14237c2e0b1f1fe8cb5d

          SHA1

          037c7f9fb187b1ce427f86620f815e6adfab8ab8

          SHA256

          dca496b27bb6edac4c1a40fcbe400947976c0e3c510e907d4830d7e6593bd7b3

          SHA512

          5001a66a7633fc55c63963f45e64747dbaf2e3403746fc7782355c64461135c7ba91341ad0ffcd9ecae7e1d79cf6b41588ec0c78f075db62eed323ae42b5c9a4

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          65KB

          MD5

          f0851c0f215fd229e86b6b6adc6e327c

          SHA1

          93a4b5f421ed62ee7da3d36f6830c55c7c386ea8

          SHA256

          e3fef39e83dd6bdb0f372df00de309144da529669fb9efa7f91f00154376589b

          SHA512

          4446fbe8daf06213dc3e24b8c8281d58816e3a6c8057308a7c3c81b3b6976fe6fe9571c9518c8850a0931638b5f07ba389994a6696f2fb6fb4fd934122404972

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          65KB

          MD5

          09df32baacd1645e819117e7a31afd7a

          SHA1

          b7839039dfb5c23da4e27d7a52bf246d948a5d26

          SHA256

          e13cf053fe06fc9d8fb5fec81b2169bfa94aca2572c865f3e342730f732ce088

          SHA512

          99687decff9ac77c7df0993eecebf850282a30e7513ab1fd11a8ceb5c9cb394ffd9df9bed736d5c9db87d4b7f045edda50b8f462358d8489206dedd5ae8f7143

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          65KB

          MD5

          ab263e269d713875572debf3d7b88645

          SHA1

          48e1b665385189d6e5a24f34b42fb5123670bf06

          SHA256

          e24de185a7c107b8883ebd0fd7bf7cca7eae96fe5675aa5dd25d5aff380051d1

          SHA512

          895d66c21c5e114f1db122e29590726a388268a0f5ca577d007fc6385c182ec9848252f7334f142ebc555abf846005b410a99c4be802d4f4482e8f17dbbff41c

          Download Submit

        • memory/2808-62-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2808-41-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2808-37-0x0000000075240000-0x000000007539D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3656-26-0x0000000075240000-0x000000007539D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3656-55-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3656-33-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3936-13-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3936-60-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3936-15-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3936-14-0x0000000075240000-0x000000007539D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3936-18-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3936-71-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3984-44-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3984-45-0x0000000075240000-0x000000007539D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3984-51-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4508-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4508-58-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/4508-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4508-57-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4508-2-0x0000000075240000-0x000000007539D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4508-5-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/4508-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download