Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
12/06/2024, 02:49
Behavioral task
behavioral1
Sample
b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe
Resource
win7-20240419-en
windows7-x64
17 signatures
150 seconds
Behavioral task
behavioral2
Sample
b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe
Resource
win10v2004-20240611-en
windows10-2004-x64
15 signatures
150 seconds
General
-
Target
b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe
-
Size
2.5MB
-
MD5
696cd93127a61b0aaa93d5c45d2ca6f5
-
SHA1
b5434473eed20cbd7611a4de443e6d724c63a3be
-
SHA256
b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6
-
SHA512
1609e0e835eae923416f491565e5e370cbe95a2de68df5ec4ace48010ae9766e2c53f1f8ffa3fcab2256abd4e25bb4e2150a1a1312bf964bce89c089d714cf75
-
SSDEEP
49152:MxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxn:Mxx9NUFkQx753uWuCyyxn
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Detects executables packed with Themida 18 IoCs
resource yara_rule behavioral2/memory/1340-0-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral2/files/0x0009000000023419-8.dat INDICATOR_EXE_Packed_Themida behavioral2/memory/4308-10-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral2/files/0x000800000002341d-15.dat INDICATOR_EXE_Packed_Themida behavioral2/memory/796-19-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral2/files/0x000800000002341e-26.dat INDICATOR_EXE_Packed_Themida behavioral2/memory/2688-28-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral2/memory/696-33-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral2/memory/696-37-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral2/memory/796-39-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral2/memory/1340-41-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral2/memory/4308-42-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral2/memory/4308-44-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral2/memory/2688-43-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral2/memory/2688-48-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral2/memory/4308-53-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral2/memory/4308-61-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral2/memory/4308-63-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe -
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svchost.exe -
Executes dropped EXE 4 IoCs
pid Process 4308 explorer.exe 796 spoolsv.exe 2688 svchost.exe 696 spoolsv.exe -
resource yara_rule behavioral2/memory/1340-0-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/files/0x0009000000023419-8.dat themida behavioral2/memory/4308-10-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/files/0x000800000002341d-15.dat themida behavioral2/memory/796-19-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/files/0x000800000002341e-26.dat themida behavioral2/memory/2688-28-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/696-33-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/696-37-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/796-39-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/1340-41-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/4308-42-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/4308-44-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/2688-43-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/2688-48-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/4308-53-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/4308-61-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral2/memory/4308-63-0x0000000000400000-0x0000000000A0E000-memory.dmp themida -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 4308 explorer.exe 796 spoolsv.exe 2688 svchost.exe 696 spoolsv.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe File opened for modification C:\Windows\Resources\tjud.exe explorer.exe File opened for modification \??\c:\windows\resources\themes\explorer.exe b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 4308 explorer.exe 4308 explorer.exe 4308 explorer.exe 4308 explorer.exe 4308 explorer.exe 4308 explorer.exe 4308 explorer.exe 4308 explorer.exe 4308 explorer.exe 4308 explorer.exe 4308 explorer.exe 4308 explorer.exe 4308 explorer.exe 4308 explorer.exe 4308 explorer.exe 4308 explorer.exe 4308 explorer.exe 4308 explorer.exe 4308 explorer.exe 4308 explorer.exe 4308 explorer.exe 4308 explorer.exe 4308 explorer.exe 4308 explorer.exe 4308 explorer.exe 4308 explorer.exe 4308 explorer.exe 4308 explorer.exe 4308 explorer.exe 4308 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 4308 explorer.exe 2688 svchost.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 4308 explorer.exe 4308 explorer.exe 796 spoolsv.exe 796 spoolsv.exe 2688 svchost.exe 2688 svchost.exe 696 spoolsv.exe 696 spoolsv.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1340 wrote to memory of 4308 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 82 PID 1340 wrote to memory of 4308 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 82 PID 1340 wrote to memory of 4308 1340 b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe 82 PID 4308 wrote to memory of 796 4308 explorer.exe 83 PID 4308 wrote to memory of 796 4308 explorer.exe 83 PID 4308 wrote to memory of 796 4308 explorer.exe 83 PID 796 wrote to memory of 2688 796 spoolsv.exe 84 PID 796 wrote to memory of 2688 796 spoolsv.exe 84 PID 796 wrote to memory of 2688 796 spoolsv.exe 84 PID 2688 wrote to memory of 696 2688 svchost.exe 85 PID 2688 wrote to memory of 696 2688 svchost.exe 85 PID 2688 wrote to memory of 696 2688 svchost.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe"C:\Users\Admin\AppData\Local\Temp\b1a55c281d7222c9254e5cfbb6db241bf1c38189a5fff10faa323f39518063a6.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1340 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4308 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:796 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:696
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.5MB
MD54e89ee3b9837d2952cce13a817f49ea7
SHA136711ba996a06fb5b8a8478b7c1401f9828f1d47
SHA25684a4849ec7116e602734fdb983778fa487203bae18b3b47c0bbbcf835962796c
SHA5128c999002b6b1f308bdca12cc990080c781345c3849c31371798b92581e8f272b1d5ef98a8c8f4e2374a9c28c35960277a04dea9b520494bd4ec8d88e4c73ae87
-
Filesize
2.5MB
MD53b3b2a475df8a63d3bcf295a14c97277
SHA1c59d11eff430d3f7468ddfd0b55dcde56cb68ff7
SHA25630c56bc39d95bf8a0e3dc7d8af1f8f9fcd8c54cc23b08a2762a3bfc71717ee61
SHA5120a033d04986961f389f33b1dac72ed056b55255e25825db0c78bc1de4088a25331824792fffed3f8c5ee2d7cda5884ffd4af41658733fd684865e542cf3766b9
-
Filesize
2.5MB
MD54434e485c9ae8e8e1f92be609df63c2a
SHA1e1cf16bbc75283d4581100c8665418a287a29f4f
SHA256a25bceecfb46da109ea5ae05b449fe58e3b5d8ec65cc6221fc34202e04c57a63
SHA5127dd41bda94d0d7b7d9adeb0a6b41af6197f362673b4a0f393b3309253c8b77dc720ad641a615dcb394d948cac214a12c5a036b27442e0853fb55e3ccce44f1d2