Analysis
- max time kernel: 153s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/06/2024, 01:01
Behavioral task: behavioral1
- Sample: 00fe05de6b1f112a3e17659ec0bb2dd0.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 00fe05de6b1f112a3e17659ec0bb2dd0.exe
- Resource: win10v2004-20240226-en
General
- Target: 00fe05de6b1f112a3e17659ec0bb2dd0.exe
- Size: 2.5MB
- MD5: 00fe05de6b1f112a3e17659ec0bb2dd0
- SHA1: 47d3f75cc6abe09abff2b2e7b342608aed1e9d3a
- SHA256: 70b3b5426fea00573d7e5f93cd050357c1fcc3fa3ecfa5e41c5ffe71854ff2ce
- SHA512: c36f588f83e9b830de82c99506f1fe02f23c1d1e33828d93c68449ce3166c991acbf68e7a509c32f020520928df9a61a36793f8e2ad6712b261633646a5d761f
- SSDEEP: 49152:hxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxJ:hxx9NUFkQx753uWuCyyxJ
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 00fe05de6b1f112a3e17659ec0bb2dd0.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorer.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | spoolsv.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svchost.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | spoolsv.exe
- Checks BIOS information in registry (2 TTPs, 10 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 00fe05de6b1f112a3e17659ec0bb2dd0.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 00fe05de6b1f112a3e17659ec0bb2dd0.exe
- Executes dropped EXE (4 IoCs)
  pid | Process
  4688 | explorer.exe
  5116 | spoolsv.exe
  3468 | svchost.exe
  4132 | spoolsv.exe
- YARA rule matches: themida
  resource | yara_rule
  behavioral2/memory/4836-0-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  behavioral2/memory/4836-1-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  behavioral2/files/0x000900000002323c-9.dat | themida
  behavioral2/memory/4688-11-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  behavioral2/files/0x000800000002323f-16.dat | themida
  behavioral2/memory/5116-20-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  behavioral2/files/0x0008000000023242-27.dat | themida
  behavioral2/memory/4836-28-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  behavioral2/memory/3468-29-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  behavioral2/memory/4132-35-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  behavioral2/memory/5116-40-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  behavioral2/memory/4132-39-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  behavioral2/memory/4836-41-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  behavioral2/memory/4688-42-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  behavioral2/memory/3468-43-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  behavioral2/memory/3468-46-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  behavioral2/memory/4688-55-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
- Checks whether UAC is enabled
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 00fe05de6b1f112a3e17659ec0bb2dd0.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  pid | Process
  4836 | 00fe05de6b1f112a3e17659ec0bb2dd0.exe
  4688 | explorer.exe
  5116 | spoolsv.exe
  3468 | svchost.exe
  4132 | spoolsv.exe
- Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\resources\themes\explorer.exe | 00fe05de6b1f112a3e17659ec0bb2dd0.exe
  File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
  File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4836 | 00fe05de6b1f112a3e17659ec0bb2dd0.exe
  4688 | explorer.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  4688 | explorer.exe
  3468 | svchost.exe
- Suspicious use of SetWindowsHookEx (10 IoCs)
  pid | Process
  4836 | 00fe05de6b1f112a3e17659ec0bb2dd0.exe
  4688 | explorer.exe
  5116 | spoolsv.exe
  3468 | svchost.exe
  4132 | spoolsv.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 4836 wrote to memory of 4688 | 4836 | 00fe05de6b1f112a3e17659ec0bb2dd0.exe | 90
  PID 4688 wrote to memory of 5116 | 4688 | explorer.exe | 91
  PID 5116 wrote to memory of 3468 | 5116 | spoolsv.exe | 92
  PID 3468 wrote to memory of 4132 | 3468 | svchost.exe | 93
Processes
- C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe (depth 1, PID 4836)
  Command line: "C:\Users\Admin\AppData\Local\Temp\00fe05de6b1f112a3e17659ec0bb2dd0.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\resources\themes\explorer.exe (depth 2, PID 4688)
    Command line: c:\windows\resources\themes\explorer.exe
    - Modifies visibility of hidden/system files in Explorer
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\resources\spoolsv.exe (depth 3, PID 5116)
      Command line: c:\windows\resources\spoolsv.exe SE
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\resources\svchost.exe (depth 4, PID 3468)
        Command line: c:\windows\resources\svchost.exe
        - Modifies visibility of hidden/system files in Explorer
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\resources\spoolsv.exe (depth 5, PID 4132)
          Command line: c:\windows\resources\spoolsv.exe PR
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID 496)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Hide Artifacts (1)
    - Hidden Files and Directories (1)
  - Modify Registry (2)
  - Virtualization/Sandbox Evasion (1)
Downloads
- Filesize: 2.5MB
  MD5: eb955aaa6cadf28fa48df342acc48cda
  SHA1: c14311d104288475c593ac5583655b33a08a132e
  SHA256: 083174c1440459cc75e3c654ddb71b931f740fd2842ad26a11896279d6b6ed5a
  SHA512: 703ce72afa2a22514fb19b690bfb90344e9433aa68b7d0bc5b4701571d9b67e8746076fc03750c76a8593a25e619cd1059b93e0c5ce86112e5eff6dcb52f8f41
- Filesize: 2.5MB
  MD5: 6b05dea24879662bc67c23f4eb4b9a4a
  SHA1: 5327d2454a44686e1b669858eb586cafbe57978d
  SHA256: 0e12ec24e72b65fefdef85b4cf0e96f39783c030f08c15005959650a0feb84fa
  SHA512: 72facb106932eccdb12fd2734b573f21610a80c583fe27b9fedde84e036fff1ce4444b5bef20a24d7e63c2739fba21db36bbaff5a5087f49c69c3851f1338fa2
- Filesize: 2.5MB
  MD5: af37679e3f3f3b8917d1ddff46db0d5e
  SHA1: 28f1610cb6bb95a333108507f5ebcd0bf4fed0b6
  SHA256: c51f9d2816cd805c4b293bae5993a78dfc0248543fc05a5db23ceb598bd23285
  SHA512: 45fa30345be513ba42fe4a19093bff57e392cfa76300a27361603615d357c07d73df72ae172ca030ba6e2d8e705a2ffbc6d09bca7c0776c6e0212671417d9026