Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

8bc4d01bf4...a0.exe

windows7-x64

10

8bc4d01bf4...a0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/06/2024, 14:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8bc4d01bf47a0e222d92548ec35a7adfae3c1a093fc81658e0046f2913c027a0.exe

  • Size

    65KB

  • MD5

    b737cc24c87f8c3668fa7790e294a298

  • SHA1

    c2602aad84e8de707bab357d7eef482bb5df66db

  • SHA256

    8bc4d01bf47a0e222d92548ec35a7adfae3c1a093fc81658e0046f2913c027a0

  • SHA512

    72c2f03013759a09dd37446d7cc185eefa70719cad213471e37e2feb86f2a43eaceefc7a58061d778d1c02fa3181cadb445b3d80f9ea5d71137b2976eaf9137d

  • SSDEEP

    1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/OuU:7WNqkOJWmo1HpM0MkTUmuU

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8bc4d01bf47a0e222d92548ec35a7adfae3c1a093fc81658e0046f2913c027a0.exe
    "C:\Users\Admin\AppData\Local\Temp\8bc4d01bf47a0e222d92548ec35a7adfae3c1a093fc81658e0046f2913c027a0.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1192
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4380
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4768
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4708
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4232
          • C:\Windows\SysWOW64\at.exe
            at 14:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:1768
            • C:\Windows\SysWOW64\at.exe
              at 14:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:1740
              • C:\Windows\SysWOW64\at.exe
                at 14:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:3440

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          65KB

          MD5

          46e620a34f1f02586197c2240d257f6e

          SHA1

          540ab6ff1e7955de7639aa7a1c9cf486bd4150e2

          SHA256

          7be5b33adff3b05a778a64182486b19cdc0b3a033a6ce11df06ad166ba5df5f8

          SHA512

          63590800fccaf048cae9a376258ddef8a717980b145c1c4cc2d884828bbfe843ab7576997903e209a565f899adcf2ecccc0247095816c6c7a1aa48f2eb970998

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          65KB

          MD5

          193e398bbdb7865bfa39780ec1496799

          SHA1

          026e768b3dec624722c4dcac19fbbc096a2370a0

          SHA256

          d392dfbe43c866c09d59dc837851a5c1f20cc5c672d932ae771891770f81be2a

          SHA512

          d778eca6e91c6937846aa11f4f8a7d8c9a6c33e97961b7a083adc861638e301d518ff819c8635bc4bb66f7d04dd6c099c6b00b390edd14dddf70eeedaf8635f7

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          65KB

          MD5

          48e1b164ae74b2ffa29a1790fe623923

          SHA1

          d0d900c18e7e255e0ba78a3fc10474d7657ae64e

          SHA256

          0718e4203ac2335a689d7c7e0e16f8cc6262cc6117ec0fd6d605cb84623e0906

          SHA512

          717b3cd2cae7088a8012fe86f17f1fc6196d351e4af5f97f6f991f205bba4f9f2c0528d7743676d6385864b23c43a590caf79eeeafc0b281ecb9d72b5ff7fb4c

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          65KB

          MD5

          4f543ee48c1d4cf29d61de5b58f1b457

          SHA1

          6f0c78a3869a8af30191b9075a4886b55a59c108

          SHA256

          499beff15e42869d3bcdddce69c74d42fc0a6ce0d7227f16c340756ae4d0ccfc

          SHA512

          e3191f4db8e863a2d4b25eb7b452289fdff25c15a34cc5da1c2213b8f6d4d652b8e4f282046b0318fedf6258a41186e2985ec14399f2a32d80cb78982f741794

          Download Submit

        • memory/1192-6-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1192-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1192-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/1192-56-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/1192-55-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/1192-2-0x00000000754F0000-0x000000007564D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1192-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4232-50-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4232-44-0x00000000754F0000-0x000000007564D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4380-69-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4380-58-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4380-19-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4380-15-0x00000000754F0000-0x000000007564D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4380-14-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4380-13-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4708-37-0x00000000754F0000-0x000000007564D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4708-41-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4708-60-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4768-26-0x00000000754F0000-0x000000007564D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4768-54-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4768-28-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download