Analysis

  • max time kernel
    150s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/07/2024, 20:31

General

  • Target
    314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
  • Size
    76KB
  • MD5
    6624244fb473d9c3a55a38c139dc49fb
  • SHA1
    b232cacb27d7ccb00697d0c55733066205674b72
  • SHA256
    314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685
  • SHA512
    d782f2f737a7cc738763c6985a325a9d75c7ebbda63d13075ac92656428efa28e8fa5ac8b74fb19608b2a493340b2ea1a51da49926119868a447db60b58c603c
  • SSDEEP
    1536:va3+ddygX7y9v7Z+NoykJHBOAFRfBjG3ldoIW:S8dfX7y9DZ+N7eB+IIW

Score
10/10

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 4 IoCs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 18 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 28 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
    "C:\Users\Admin\AppData\Local\Temp\314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2188
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates connected drives
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2800
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2628
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Enumerates connected drives
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2112
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:896
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2200
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2372
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:316
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3036
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2916
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.doc"
      2⤵
      • Drops file in Windows directory
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2484

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
    Filesize
    2KB
    MD5
    1a1dce35d60d2c70ca8894954fd5d384
    SHA1
    58547dd65d506c892290755010d0232da34ee000
    SHA256
    2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c
    SHA512
    4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

  • C:\Windows\Fonts\ Explorer.exe
    Filesize
    76KB
    MD5
    8585301dde5961a212a167d615db605e
    SHA1
    a7bf5176c7a8e159d1ba49c133f9f95831be3328
    SHA256
    e187367d4441939fe374e1e416b3bd65e1b277c4baa53dea2fae67eb7c6f7daa
    SHA512
    57c2d403aef2dcf1e4ac720b3fc7f378ce43fbaa8d46f0260b169f6745ab7fee4003361bace99b3a8303cb83384e07e545b6bc778201294e4ceb2945478830f5

  • C:\Windows\Fonts\ Explorer.exe
    Filesize
    76KB
    MD5
    852d1b37394b3537379a73352ccd1649
    SHA1
    426582d0b0f49e1366dfb30e6be837fca311c573
    SHA256
    46be060ba6821cf5a2beff25684efb8cd5b36aa7bbcb4ad9cc784919c8e8159f
    SHA512
    998d5f5052b57839618dce354201dbdfffdf8a4aed857e7aee085127e43ec004158ea7a67183e9e51673a5fa16f79fea51af719ce2ac05f8b79eb60927c39222

  • C:\Windows\Fonts\ Explorer.exe
    Filesize
    76KB
    MD5
    92830b2137455befb3a6f349af4cdbda
    SHA1
    a77ba8a09e8345f63a3a113ea1d089a36ba5344c
    SHA256
    08bec05cd64b064f35c05e1acb7838a4c19319923e22b917dc0ed6315b62f008
    SHA512
    74718284da2875035520a80e033998618a3db1198ff63cf8ed1b126479ba7173d594310eb44384cf4c8eacd53448f067eba519a3cdfc15f1fa633c8dd7edf461

  • C:\begolu.txt
    Filesize
    2B
    MD5
    2b9d4fa85c8e82132bde46b143040142
    SHA1
    a02431cf7c501a5b368c91e41283419d8fa9fb03
    SHA256
    4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142
    SHA512
    c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

  • C:\recycled\SPOOLSV.EXE
    Filesize
    76KB
    MD5
    24f47b8cf27623b8573530fed9189eb9
    SHA1
    423d36c79d22b45d107f7274f62ea288e4187405
    SHA256
    089bb0edfb5cdfa726284763cf1eb452c9ad0b827d99bf0bba29debeec26e877
    SHA512
    ef5f0be638eb2c6a0792acd1f13ba933f3c2f6a08788383c508808d370256882cc571680f5555ff731be3bf3edeb407e1a94f71565af9279726229c1f5b763d0

  • F:\Recycled\SVCHOST.EXE
    Filesize
    76KB
    MD5
    9135377787526ee68c5d794a62989afa
    SHA1
    30ab291bf619a4065620b30b01c4b1cda2814934
    SHA256
    52a0cb5ac7f1f20a2c0108a92f86397598d1518ff0eadecd12365b217f3312b8
    SHA512
    f70331df0b76fd401e3de6a3df42e7b933c355501cc23877d10dc8b03a1eab7df433c079a5362d73107de8340f4bb77ba73153824ac7cf4e3243443ea01b7f7e

  • \Recycled\SVCHOST.EXE
    Filesize
    76KB
    MD5
    f6e15afba59f88a50101a253f7d8355a
    SHA1
    6fcbfa06cbe8a0dcf1a87f58222fb1e75470be1d
    SHA256
    1da2548ee3f31d76548b24c79830bd84fc5a50843a0065a1dcbf72c36464c69a
    SHA512
    1d8ba43247c625dc774efc3e1c94b10790f3d60ed748fdb16c3c7eead6e3cc047008bd31e68f11c3aa0f24c706dfaecae6557c06cb4e1377bb663738fe3663f7

  • memory/316-98-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize
    104KB
  • memory/2112-82-0x0000000001D90000-0x0000000001DAA000-memory.dmp
    Filesize
    104KB
  • memory/2112-77-0x0000000001D90000-0x0000000001DAA000-memory.dmp
    Filesize
    104KB
  • memory/2188-37-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize
    104KB
  • memory/2200-87-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize
    104KB
  • memory/2372-91-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize
    104KB
  • memory/2372-88-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize
    104KB
  • memory/2452-111-0x00000000041F0000-0x0000000004200000-memory.dmp
    Filesize
    64KB
  • memory/2452-112-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize
    104KB
  • memory/2452-0-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize
    104KB
  • memory/2452-106-0x0000000000850000-0x000000000086A000-memory.dmp
    Filesize
    104KB
  • memory/2452-23-0x0000000000850000-0x000000000086A000-memory.dmp
    Filesize
    104KB
  • memory/2452-24-0x0000000000850000-0x000000000086A000-memory.dmp
    Filesize
    104KB
  • memory/2628-65-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize
    104KB
  • memory/2756-42-0x0000000000740000-0x000000000075A000-memory.dmp
    Filesize
    104KB
  • memory/2756-25-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize
    104KB
  • memory/2756-143-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize
    104KB
  • memory/2800-58-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize
    104KB
  • memory/2808-59-0x00000000003D0000-0x00000000003EA000-memory.dmp
    Filesize
    104KB
  • memory/2808-43-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize
    104KB
  • memory/2808-66-0x00000000003D0000-0x00000000003EA000-memory.dmp
    Filesize
    104KB
  • memory/2808-51-0x00000000003D0000-0x00000000003EA000-memory.dmp
    Filesize
    104KB
  • memory/2808-53-0x00000000003D0000-0x00000000003EA000-memory.dmp
    Filesize
    104KB
  • memory/2916-109-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize
    104KB
  • memory/3036-103-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize
    104KB
  • memory/3056-113-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize
    64KB