Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/06/2024, 14:33
Static task: static1
Behavioral task: behavioral1
- Sample: 8bc4d01bf47a0e222d92548ec35a7adfae3c1a093fc81658e0046f2913c027a0.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 8bc4d01bf47a0e222d92548ec35a7adfae3c1a093fc81658e0046f2913c027a0.exe
- Resource: win10v2004-20240508-en
General
- Target: 8bc4d01bf47a0e222d92548ec35a7adfae3c1a093fc81658e0046f2913c027a0.exe
- Size: 65KB
- MD5: b737cc24c87f8c3668fa7790e294a298
- SHA1: c2602aad84e8de707bab357d7eef482bb5df66db
- SHA256: 8bc4d01bf47a0e222d92548ec35a7adfae3c1a093fc81658e0046f2913c027a0
- SHA512: 72c2f03013759a09dd37446d7cc185eefa70719cad213471e37e2feb86f2a43eaceefc7a58061d778d1c02fa3181cadb445b3d80f9ea5d71137b2976eaf9137d
- SSDEEP: 1536:ECq3yRuqrI01eArdW/O7JnI2e13XiLij40MkTUVqa/OuU:7WNqkOJWmo1HpM0MkTUmuU
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: svchost.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
Executes dropped EXE (4 IoCs)
- PID 4380: explorer.exe
- PID 4768: spoolsv.exe
- PID 4708: svchost.exe
- PID 4232: spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)
Drops file in Windows directory (6 IoCs)
- File opened for modification: \??\c:\windows\system\spoolsv.exe (process: explorer.exe)
- File opened for modification: \??\c:\windows\system\svchost.exe (process: spoolsv.exe)
- File opened for modification: \??\c:\windows\system\explorer.exe (process: explorer.exe)
- File opened for modification: \??\c:\windows\system\svchost.exe (process: svchost.exe)
- File opened for modification: C:\Windows\system\udsys.exe (process: explorer.exe)
- File opened for modification: \??\c:\windows\system\explorer.exe (process: 8bc4d01bf47a0e222d92548ec35a7adfae3c1a093fc81658e0046f2913c027a0.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs; the same three processes are reported repeatedly)
- PID 1192: 8bc4d01bf47a0e222d92548ec35a7adfae3c1a093fc81658e0046f2913c027a0.exe
- PID 4380: explorer.exe
- PID 4708: svchost.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 4380: explorer.exe
- PID 4708: svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs; each process is reported more than once)
- PID 1192: 8bc4d01bf47a0e222d92548ec35a7adfae3c1a093fc81658e0046f2913c027a0.exe
- PID 4380: explorer.exe
- PID 4768: spoolsv.exe
- PID 4708: svchost.exe
- PID 4232: spoolsv.exe
Suspicious use of WriteProcessMemory (21 IoCs; each write below is reported three times)
- PID 1192 (8bc4d01bf47a0e222d92548ec35a7adfae3c1a093fc81658e0046f2913c027a0.exe) wrote to memory of PID 4380 (target id 81)
- PID 4380 (explorer.exe) wrote to memory of PID 4768 (target id 82)
- PID 4768 (spoolsv.exe) wrote to memory of PID 4708 (target id 84)
- PID 4708 (svchost.exe) wrote to memory of PID 4232 (target id 85)
- PID 4708 (svchost.exe) wrote to memory of PID 1768 (target id 87)
- PID 4708 (svchost.exe) wrote to memory of PID 1740 (target id 97)
- PID 4708 (svchost.exe) wrote to memory of PID 3440 (target id 99)
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\8bc4d01bf47a0e222d92548ec35a7adfae3c1a093fc81658e0046f2913c027a0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8bc4d01bf47a0e222d92548ec35a7adfae3c1a093fc81658e0046f2913c027a0.exe"
  PID: 1192
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Depth 2: \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    PID: 4380
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Depth 3: \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      PID: 4768
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Depth 4: \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        PID: 4708
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        Depth 5: \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          PID: 4232
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        Depth 5: C:\Windows\SysWOW64\at.exe
          Command line: at 14:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1768
        Depth 5: C:\Windows\SysWOW64\at.exe
          Command line: at 14:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 1740
        Depth 5: C:\Windows\SysWOW64\at.exe
          Command line: at 14:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          PID: 3440
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads