Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

65b938e7fa...af.exe

windows7-x64

10

65b938e7fa...af.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/06/2024, 22:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    65b938e7fa958188eb05272c548b5849f71826c882eacbf334e476324562cbaf.exe

  • Size

    66KB

  • MD5

    64e0703fdb2060ad9a9b51a956395a2f

  • SHA1

    fb6fbc8a78f093c28325577d8a2fa59a94d44985

  • SHA256

    65b938e7fa958188eb05272c548b5849f71826c882eacbf334e476324562cbaf

  • SHA512

    0786af8d971904a1942b7cbe055235d899d455e1f1e3950a03b9d0f56fb8f6065667b36a819ebedab128e2ff0dcda6e72b0762351c8b0279d661ce2d857073dc

  • SSDEEP

    1536:EHfetdklPp+07gDSrB8Xru2zGeJxgawTzpXzrDJrXiF:IeklMMYJhqezw/pXzH9iF

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65b938e7fa958188eb05272c548b5849f71826c882eacbf334e476324562cbaf.exe
    "C:\Users\Admin\AppData\Local\Temp\65b938e7fa958188eb05272c548b5849f71826c882eacbf334e476324562cbaf.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:352
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visiblity of hidden/system files in Explorer
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2628
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2232
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visiblity of hidden/system files in Explorer
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4048
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4948
          • C:\Windows\SysWOW64\at.exe
            at 22:53 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
              PID:2948
            • C:\Windows\SysWOW64\at.exe
              at 22:54 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              5⤵
                PID:1004
              • C:\Windows\SysWOW64\at.exe
                at 22:55 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                5⤵
                  PID:2472

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          66KB

          MD5

          2af89d9fe1ec0c792e63ba0a1226493b

          SHA1

          d69cf511f4c8be5094c071c24f300a96c465df46

          SHA256

          ccc8f2d00c3ef79e08691de1375cc1fbc19bc50fba35672fc56d90a9791d760d

          SHA512

          157e18ec7892d10aca80906ff460bf04b8b7d049824dc2fb13cca3a2749892ff6a8c3a7a5df6eedf645abb6f0dab765ca9e9eae18ef6b763d7cd7208cc632b1c

          Download Submit

        • C:\Windows\System\spoolsv.exe
          Filesize

          66KB

          MD5

          06b6c222949d8613afd7f1b667c438a8

          SHA1

          1d4f1ffd0bcfa7470162154e5e3c7dbf266cc722

          SHA256

          cde7fd72580c00ae35e8d597ff6b2fbff3a2501f61d1b9240d3eb2c2414da664

          SHA512

          0ec3819f30ab51e1df21c36fb6bc8bf7865ae6e0efe15f91ae6aeee38992b6f0107936ad4cd51237b86701c7fca7f5d8b1ca03bf0009c0142261483c1e18e6b1

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          66KB

          MD5

          e344e8a6ccc5d88fc066b57fc5a2873d

          SHA1

          fbbad25eadfce4cba12f77f6d435e5c0485ff280

          SHA256

          bff2d1c580791e100e75a99e39a58d307e9a4b6b7d0e7f1e5d80ac3b3ff78526

          SHA512

          476a354aa5f9f1ec9f8a6ce74b6ff5dcfc136eeb57c92b434a1ebc2bc3b4678234834d5c8f8933edb24abc3109e70e73c6058f14ac7459c71493635f192ff3df

          Download Submit

        • \??\c:\windows\system\explorer.exe
          Filesize

          66KB

          MD5

          a31c448cbc3f0679fcfb4773a219089e

          SHA1

          1ae828fe4261c88619c87dc0edb933e3925cf2ae

          SHA256

          07c07e5b12e9c5f21515e60e744541193c8f457281412efd0355d10b118f5816

          SHA512

          40c6765f2bf27c1ff731df2d83c72f79673c1246d0bc02ffef10b979dd6a552365b47d80e5cde65de1c860466601a36b7f759067fbadb5b222a0525e76084cc2

          Download Submit

        • memory/352-4-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/352-2-0x0000000075B10000-0x0000000075C6D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/352-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/352-54-0x00000000001C0000-0x00000000001C4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/352-55-0x0000000000401000-0x000000000042E000-memory.dmp

          Filesize

          180KB

          Download

        • memory/352-3-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/352-0-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/352-53-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2232-52-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2232-25-0x0000000075B10000-0x0000000075C6D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2628-13-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2628-14-0x0000000075B10000-0x0000000075C6D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2628-16-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2628-57-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/2628-68-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4048-39-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4048-35-0x0000000075B10000-0x0000000075C6D000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4048-59-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4948-50-0x0000000000400000-0x0000000000431000-memory.dmp

          Filesize

          196KB

          Download

        • memory/4948-42-0x0000000075B10000-0x0000000075C6D000-memory.dmp

          Filesize

          1.4MB

          Download