Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

933ab605c5...71.exe

windows7-x64

10

933ab605c5...71.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/06/2024, 14:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    933ab605c5393352301c1033a4b88613b0c47b833b8deea695a1e750f336f071.exe

  • Size

    66KB

  • MD5

    766daa59bb63db8c6743ea35e10ee3bf

  • SHA1

    73e4b640c09ea9a74604422b6524f9cada87465d

  • SHA256

    933ab605c5393352301c1033a4b88613b0c47b833b8deea695a1e750f336f071

  • SHA512

    86952fe8682bec94f5db178c4a5ebf294ac14ae4da28f54b7fcb4b73bbd4d159a7943237776fa616b0da4d5cee9647e1f6f4ab847f0112f029e9ecdcb32cb659

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXis:IeklMMYJhqezw/pXzH9is

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\933ab605c5393352301c1033a4b88613b0c47b833b8deea695a1e750f336f071.exe
    "C:\Users\Admin\AppData\Local\Temp\933ab605c5393352301c1033a4b88613b0c47b833b8deea695a1e750f336f071.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2604
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3400
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4232
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2844
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4376
          • C:\Windows\SysWOW64\at.exe
            at 14:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:3512
            • C:\Windows\SysWOW64\at.exe
              at 14:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:1628
              • C:\Windows\SysWOW64\at.exe
                at 14:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:992

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          66KB

          MD5

          f3f56fb4f0cc96ef75bd49cc1a79d936

          SHA1

          9cd7df0c3a9527781c77e1651add94b09f422e6a

          SHA256

          b37d8235161cef62b3e3eacd2c480db51485cec330619b713331256d4f1e580a

          SHA512

          c5452ad59197984fb68667be7c17d2eca625d09953783816a002cfad700d23444b7113823ebedcd1e74b67d132de9327acaa8c881be4155953fb0c1aa3e63f46

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          66KB

          MD5

          f0559233ea8912ac0edd36040b9e4b2b

          SHA1

          23b0d585c0636db4bff00a1cc52a76f36ba10943

          SHA256

          e509b113127a505456f6a9209cf7a32bf8fa7be925b5747ac16c8c911e53be2e

          SHA512

          f9dde8059c25c0d41d18a702423c06faa0627a85cea8edacb460b46373fc26deede033480c01a05abf9fdcc5ed22f4134b6c2a9ca78ad461a8fbaa38c0cb98e2

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          66KB

          MD5

          5f756fb5207dbff8952cbafbf3986695

          SHA1

          3993d451311ee498a8caa58cda7ac15498b2448b

          SHA256

          c7b53c2d3c8cd76583452be771d7df91a4850070d30e05d2b69e62d3028765dd

          SHA512

          ee8282afdd9f01c541dec3d8c99da7f29a62e9afd804f5224a3c5087658e133ed9411c9b6a9a05787bd56a154b3201f630f1eb9071c43c54bd38639d22c2355d

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          66KB

          MD5

          11f47980450f187e30b8818f62f8d59a

          SHA1

          6a585f7718d3d2f854233d4bcea738043bd6c789

          SHA256

          53af2d32384c3391ac627bb843fc81ff60d8aac0f3e22c050023f5d991d9e531

          SHA512

          6fadc4ab7835124880745ca9aba7fe0f18406fd8ea586f9a2d5084af2353197f0d41fe33ad1758cb6d846875c5beec3807e5340bd045dce3f6e53c58284482b9

          Download Submit

        • memory/2604-5-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2604-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2604-55-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2604-2-0x0000000075810000-0x000000007596D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2604-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2604-56-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/2604-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/2844-60-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2844-36-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2844-37-0x0000000075810000-0x000000007596D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2844-42-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3400-13-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3400-58-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3400-16-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3400-69-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/3400-14-0x0000000075810000-0x000000007596D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4232-54-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4232-30-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4232-25-0x0000000075810000-0x000000007596D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4376-52-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4376-44-0x0000000075810000-0x000000007596D000-memory.dmp

          Filesize

          1.4MB

          Download