Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/06/2024, 18:16
Static task: static1
Behavioral task: behavioral1
- Sample: 04d389168ddfda234692dc180bc23228fc87302c6efdfe68dfe921dd32df787d.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 04d389168ddfda234692dc180bc23228fc87302c6efdfe68dfe921dd32df787d.exe
- Resource: win10v2004-20240426-en
General
- Target: 04d389168ddfda234692dc180bc23228fc87302c6efdfe68dfe921dd32df787d.exe
- Size: 66KB
- MD5: 3e2428db2164bb359d7c6f4d6245bd85
- SHA1: 5f0f3bfdd00b08e98011597e179b9f58fd510b81
- SHA256: 04d389168ddfda234692dc180bc23228fc87302c6efdfe68dfe921dd32df787d
- SHA512: 0a88545e7755eac6be3ef832b2bd6f76c12e9a97e01bd57729618fb0ce519c9d163b1c277d8809dbfc4dbb46dde433b61dcc0992c5a887e77539a18adbe73c13
- SSDEEP: 1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXih:IeklMMYJhqezw/pXzH9ih
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe |
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe |
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe |
Executes dropped EXE (4 IoCs)

| pid | Process |
| --- | --- |
| 4668 | explorer.exe |
| 5088 | spoolsv.exe |
| 3504 | svchost.exe |
| 3780 | spoolsv.exe |
Adds Run key to start application (2 TTPs, 4 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe |
Drops file in Windows directory (6 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe |
| File opened for modification | C:\Windows\system\udsys.exe | explorer.exe |
| File opened for modification | \??\c:\windows\system\explorer.exe | 04d389168ddfda234692dc180bc23228fc87302c6efdfe68dfe921dd32df787d.exe |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe |
| File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe |
| File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe |
Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)

| pid | Process |
| --- | --- |
| 4668 | explorer.exe |
| 3504 | svchost.exe |
Suspicious use of SetWindowsHookEx (12 IoCs)

| pid | Process |
| --- | --- |
| 1320 | 04d389168ddfda234692dc180bc23228fc87302c6efdfe68dfe921dd32df787d.exe |
| 1320 | 04d389168ddfda234692dc180bc23228fc87302c6efdfe68dfe921dd32df787d.exe |
| 4668 | explorer.exe |
| 4668 | explorer.exe |
| 5088 | spoolsv.exe |
| 5088 | spoolsv.exe |
| 3504 | svchost.exe |
| 3504 | svchost.exe |
| 3780 | spoolsv.exe |
| 3780 | spoolsv.exe |
| 4668 | explorer.exe |
| 4668 | explorer.exe |
Suspicious use of WriteProcessMemory (21 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 1320 wrote to memory of 4668 | 1320 | 04d389168ddfda234692dc180bc23228fc87302c6efdfe68dfe921dd32df787d.exe | 80 |
| PID 1320 wrote to memory of 4668 | 1320 | 04d389168ddfda234692dc180bc23228fc87302c6efdfe68dfe921dd32df787d.exe | 80 |
| PID 1320 wrote to memory of 4668 | 1320 | 04d389168ddfda234692dc180bc23228fc87302c6efdfe68dfe921dd32df787d.exe | 80 |
| PID 4668 wrote to memory of 5088 | 4668 | explorer.exe | 81 |
| PID 4668 wrote to memory of 5088 | 4668 | explorer.exe | 81 |
| PID 4668 wrote to memory of 5088 | 4668 | explorer.exe | 81 |
| PID 5088 wrote to memory of 3504 | 5088 | spoolsv.exe | 82 |
| PID 5088 wrote to memory of 3504 | 5088 | spoolsv.exe | 82 |
| PID 5088 wrote to memory of 3504 | 5088 | spoolsv.exe | 82 |
| PID 3504 wrote to memory of 3780 | 3504 | svchost.exe | 83 |
| PID 3504 wrote to memory of 3780 | 3504 | svchost.exe | 83 |
| PID 3504 wrote to memory of 3780 | 3504 | svchost.exe | 83 |
| PID 3504 wrote to memory of 220 | 3504 | svchost.exe | 84 |
| PID 3504 wrote to memory of 220 | 3504 | svchost.exe | 84 |
| PID 3504 wrote to memory of 220 | 3504 | svchost.exe | 84 |
| PID 3504 wrote to memory of 2360 | 3504 | svchost.exe | 94 |
| PID 3504 wrote to memory of 2360 | 3504 | svchost.exe | 94 |
| PID 3504 wrote to memory of 2360 | 3504 | svchost.exe | 94 |
| PID 3504 wrote to memory of 3688 | 3504 | svchost.exe | 96 |
| PID 3504 wrote to memory of 3688 | 3504 | svchost.exe | 96 |
| PID 3504 wrote to memory of 3688 | 3504 | svchost.exe | 96 |
Processes

- C:\Users\Admin\AppData\Local\Temp\04d389168ddfda234692dc180bc23228fc87302c6efdfe68dfe921dd32df787d.exe (depth 1, PID 1320)
  Command line: "C:\Users\Admin\AppData\Local\Temp\04d389168ddfda234692dc180bc23228fc87302c6efdfe68dfe921dd32df787d.exe"
  Signatures:
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\system\explorer.exe (depth 2, PID 4668)
    Command line: c:\windows\system\explorer.exe
    Signatures:
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\system\spoolsv.exe (depth 3, PID 5088)
      Command line: c:\windows\system\spoolsv.exe SE
      Signatures:
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\system\svchost.exe (depth 4, PID 3504)
        Command line: c:\windows\system\svchost.exe
        Signatures:
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\system\spoolsv.exe (depth 5, PID 3780)
          Command line: c:\windows\system\spoolsv.exe PR
          Signatures:
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\at.exe (depth 5, PID 220)
          Command line: at 18:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (depth 5, PID 2360)
          Command line: at 18:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        - C:\Windows\SysWOW64\at.exe (depth 5, PID 3688)
          Command line: at 18:20 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads