Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240704-en locale:en-us os:windows10-2004-x64 system
  • submitted
    07/07/2024, 20:31

General

  • Target

    314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe

  • Size

    76KB

  • MD5

    6624244fb473d9c3a55a38c139dc49fb

  • SHA1

    b232cacb27d7ccb00697d0c55733066205674b72

  • SHA256

    314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685

  • SHA512

    d782f2f737a7cc738763c6985a325a9d75c7ebbda63d13075ac92656428efa28e8fa5ac8b74fb19608b2a493340b2ea1a51da49926119868a447db60b58c603c

  • SSDEEP

    1536:va3+ddygX7y9v7Z+NoykJHBOAFRfBjG3ldoIW:S8dfX7y9DZ+N7eB+IIW

Score
10/10

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 29 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 23 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
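
The signatures above describe what the sample changes on a host: Winlogon values for persistence, the Explorer settings that hide file extensions and hidden/system files, and copies of itself written to every drive root. The following host-triage script is an added example, not code from tria.ge or from the sample. It reads the live state of those registry values and sweeps for the dropped paths listed in the report's Downloads section. The Winlogon defaults are standard Windows values; the paths and SHA256 hashes are taken from this report; sweeping every drive root and every user profile is an assumption (the report only shows C:, F: and the Admin profile). Note from the Downloads section that every dropped copy is 76KB yet carries a different SHA256, so the script matches on path and size and treats the report hashes as corroboration only.

```powershell
# Added host-triage example; not code from tria.ge or from the sample.
# Run in an elevated PowerShell session on a host suspected of infection.
# Assumptions: Windows default Winlogon values; drive/profile sweep generalises
# the C:, F: and Admin-profile paths seen in the report.

$Findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Check, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Winlogon. Shell defaults to "explorer.exe" and Userinit to
#    "C:\Windows\system32\userinit.exe," (trailing comma). Anything appended is a
#    logon-persistence hook. HKCU normally has neither value, so presence there is a hit.
$hklm = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ([string]$hklm.Shell -ne 'explorer.exe') {
    Add-Finding 'HKLM Winlogon\Shell' ([string]$hklm.Shell)
}
if (([string]$hklm.Userinit).TrimEnd(',') -ne "$env:SystemRoot\system32\userinit.exe") {
    Add-Finding 'HKLM Winlogon\Userinit' ([string]$hklm.Userinit)
}
$hkcu = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
foreach ($name in 'Shell', 'Userinit') {
    if ($hkcu -and $hkcu.PSObject.Properties[$name]) {
        Add-Finding "HKCU Winlogon\$name" ([string]$hkcu.$name)
    }
}

# 2. Explorer view settings (per user). HideFileExt=1, Hidden=2 and
#    ShowSuperHidden=0 keep extensions, hidden files and protected OS files out of
#    sight. Those are also the install defaults, so record them as context and let
#    the registry timeline (e.g. Sysmon event ID 13) show whether the sample wrote them.
$adv = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
if ($adv) {
    Add-Finding 'Explorer\Advanced (info)' ('HideFileExt={0} Hidden={1} ShowSuperHidden={2}' -f $adv.HideFileExt, $adv.Hidden, $adv.ShowSuperHidden)
}

# 3. Dropped files. The report shows a \Recycled\ directory on each drive root,
#    a copy named " Explorer.exe" (leading space) in the Fonts directory, and two
#    small text files. Each copy has a different SHA256 at the same 76KB size.
$reportSha256 = @{
    '58e99c84546b375aa8d9336173a140ea39d79dfe765a868d053f8345c47f0414' = 'C:\Recycled\SPOOLSV.EXE'
    'b42343f8060671d524c92e42f191fb0d1a730211c488d3ee79182b1fa3dad2cf' = 'C:\Recycled\SVCHOST.EXE'
    '4061cbdd36cbda90745ef6355b1f3c764f4b113ef996e2f3a5112a4c28af3a86' = 'F:\Recycled\SVCHOST.EXE'
    '84db22d513a99488d0eee1b5c1cb7440abad226460493a94b1e1ecc8baccb912' = 'C:\Windows\Fonts\ Explorer.exe (1)'
    'a6786b972cd98fb1214b05afa92cede342fd0c33f926159239b2c89e58ad9921' = 'C:\Windows\Fonts\ Explorer.exe (2)'
    '459e215b2cf8ed689f5088a6af7e035770b1820351adcd708b772e658b95283e' = 'C:\Windows\Fonts\ Explorer.exe (3)'
}
$candidates = New-Object 'System.Collections.Generic.List[string]'
foreach ($drive in (Get-PSDrive -PSProvider FileSystem)) {
    foreach ($rel in 'Recycled\SVCHOST.EXE', 'Recycled\SPOOLSV.EXE', 'begolu.txt') {
        $candidates.Add((Join-Path $drive.Root $rel))
    }
}
$candidates.Add("$env:SystemRoot\Fonts\ Explorer.exe")
foreach ($userDir in (Get-ChildItem -LiteralPath "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue)) {
    $candidates.Add((Join-Path $userDir.FullName 'AppData\Local\Temp\Flu Burung.txt'))
}
foreach ($path in $candidates) {
    # -LiteralPath is required: the Fonts copy has a leading space in its name.
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
    $item = Get-Item -LiteralPath $path -Force   # -Force: the copies may be hidden
    $sha  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
    $note = if ($reportSha256.ContainsKey($sha)) { "matches report: $($reportSha256[$sha])" } else { 'hash not in report (expected: each copy differs)' }
    Add-Finding 'Dropped file' ('{0} size={1} sha256={2} {3}' -f $path, $item.Length, $sha, $note)
}

$Findings | Format-Table -AutoSize -Wrap
```

Any file hit under a \Recycled\ directory is a strong indicator on its own; the SHA256 comparison only tells you whether a copy is byte-identical to one the sandbox saw, which the Downloads section shows it usually will not be.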

Processes

  • C:\Users\Admin\AppData\Local\Temp\314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe
    "C:\Users\Admin\AppData\Local\Temp\314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4736
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1968
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2964
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:988
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:996
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1004
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3752
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2840
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:5104
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3240
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3268
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4532
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1528
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1684
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\314e0bce021ff61784829efbc3c5e3fc6d32a948feeb7c78190098fdf26aa685.doc" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3476
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4220,i,13421008738336098502,1902686380018635081,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8
    1⤵
      PID:2712
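
The process tree above has a recognisable shape: the original sample launches SVCHOST.EXE and SPOOLSV.EXE from a \Recycled\ directory on C: and F:, each with a ":agent" argument, and those copies spawn further copies across drives. The following Sysmon hunt is an added example, not code from tria.ge or from the sample. It searches process-creation (event ID 1) and registry value-set (event ID 13) records for that pattern and for writes to the Winlogon and Explorer\Advanced values from the Signatures section. It assumes Sysmon is installed with those two event types enabled; the field names (Image, ParentImage, CommandLine, TargetObject, Details, ProcessId) are Sysmon's standard ones, and the seven-day window and the ":agent" check are assumptions drawn from this report.

```powershell
# Added Sysmon hunt example; not code from tria.ge or from the sample.
# Assumes Sysmon logging of process creation (ID 1) and registry value sets (ID 13).

function Get-SysmonEventData {
    # Flatten a Sysmon record's <EventData> into a hashtable keyed by Data Name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Test-SuspiciousProcess([hashtable]$d) {
    $img  = [string]$d['Image']
    $name = [System.IO.Path]::GetFileName($img)
    # Genuine svchost.exe/spoolsv.exe live under System32 (SysWOW64 for 32-bit);
    # a \Recycled\ path or the ":agent" argument are the report's own indicators.
    ($img -match '^[A-Z]:\\Recycled\\') -or
    (($name -in 'svchost.exe', 'spoolsv.exe') -and ($img -notmatch '\\Windows\\Sys(tem32|WOW64)\\')) -or
    ([string]$d['CommandLine'] -match ':agent\s*$')
}

function Test-SuspiciousRegistryWrite([hashtable]$d) {
    $t = [string]$d['TargetObject']
    ($t -match '\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$') -or
    ($t -match '\\Explorer\\Advanced\\(HideFileExt|Hidden|ShowSuperHidden)$')
}

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1, 13
    StartTime = (Get-Date).AddDays(-7)   # assumed window; widen as needed
}
$hits = foreach ($ev in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    $d = Get-SysmonEventData $ev
    if ($ev.Id -eq 1 -and (Test-SuspiciousProcess $d)) {
        [pscustomobject]@{
            Time = $ev.TimeCreated; Type = 'ProcessCreate'; Pid = $d['ProcessId']
            Image = $d['Image']; Parent = $d['ParentImage']; Detail = $d['CommandLine']
        }
    } elseif ($ev.Id -eq 13 -and (Test-SuspiciousRegistryWrite $d)) {
        # Image/ProcessId here identify which process wrote the value.
        [pscustomobject]@{
            Time = $ev.TimeCreated; Type = 'RegistrySet'; Pid = $d['ProcessId']
            Image = $d['Image']; Parent = ''; Detail = "$($d['TargetObject']) = $($d['Details'])"
        }
    }
}
$hits | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Sorting by time reproduces the tree as a timeline: the first ProcessCreate hit should be the original sample spawning a \Recycled\ copy, and the RegistrySet rows show which of those copies rewrote the Winlogon and Explorer values, which is the evidence the Signatures section summarises as "Modifies WinLogon for persistence".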

Downloads

    • C:\Recycled\SPOOLSV.EXE

      Filesize

      76KB

      MD5

      73ef51af155a388c3a80ea66e2fbbc84

      SHA1

      1390af4beae141ae83235cb502b2178f73974dbc

      SHA256

      58e99c84546b375aa8d9336173a140ea39d79dfe765a868d053f8345c47f0414

      SHA512

      0dcc7605508fa4bb6fe425c1d98c03599e2a805be7297d2f9541318ba7e5bd9e33f6f32926880ef856b37fa4d40c90afe264ddc01975eea627d413b2214e2229

    • C:\Recycled\SVCHOST.EXE

      Filesize

      76KB

      MD5

      2ce1c7c03e600b6b05afb71d943a0636

      SHA1

      a74d7b51f693891d37a1c94e3da5d88931db73a6

      SHA256

      b42343f8060671d524c92e42f191fb0d1a730211c488d3ee79182b1fa3dad2cf

      SHA512

      6b93fd336155e833c0e57af5181ef75b04b52583c008b4cde2b157d94c7760a431b517a987ebd49c38022fcdf80ca710e4c0989370624d0edb9cc24da076b8ac

    • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

      Filesize

      2KB

      MD5

      1a1dce35d60d2c70ca8894954fd5d384

      SHA1

      58547dd65d506c892290755010d0232da34ee000

      SHA256

      2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

      SHA512

      4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851223[[fn=iso690]].xsl

      Filesize

      263KB

      MD5

      ff0e07eff1333cdf9fc2523d323dd654

      SHA1

      77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

      SHA256

      3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

      SHA512

      b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

      Filesize

      16B

      MD5

      d29962abc88624befc0135579ae485ec

      SHA1

      e40a6458296ec6a2427bcb280572d023a9862b31

      SHA256

      a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

      SHA512

      4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

    • C:\Windows\Fonts\ Explorer.exe

      Filesize

      76KB

      MD5

      d51be706bc178f5c71d7ccaf8c73dff9

      SHA1

      8990d45e1ec689650617bb00a514af334d52edd6

      SHA256

      84db22d513a99488d0eee1b5c1cb7440abad226460493a94b1e1ecc8baccb912

      SHA512

      16756b82a092a8e149cb529e73dd397059f3a0188b2b0e2f673a6649869e590b76b18cedfc7c477a4747f651740c1bc52e14b52858f200c40982f5f522584290

    • C:\Windows\Fonts\ Explorer.exe

      Filesize

      76KB

      MD5

      d3aa57cd07bab60ae94cba3ec0def833

      SHA1

      be92485221fab872b0729e300913d377edc7d32b

      SHA256

      a6786b972cd98fb1214b05afa92cede342fd0c33f926159239b2c89e58ad9921

      SHA512

      7ad8bd2dea8c971ef32b457db96ce290d8c0a1a72d176fbc4b87a4b8efd92c365bbf6cad2f3ffcc4be4ae177650e574f7da3487c782af05153710942f3542638

    • C:\Windows\Fonts\ Explorer.exe

      Filesize

      76KB

      MD5

      3e54fed93304b30d43f80c39e900be21

      SHA1

      e7fa0df82dd96c95b6b8b511aaa4ca78f714f3dc

      SHA256

      459e215b2cf8ed689f5088a6af7e035770b1820351adcd708b772e658b95283e

      SHA512

      451bba10006b769f85ccd8145731addce36e1afa788a199b2e4660bf254073874e0f14e4f2107b3796b2aadbcdb7bc246c975194e031b96e072f5c7838b5ba50

    • C:\begolu.txt

      Filesize

      2B

      MD5

      2b9d4fa85c8e82132bde46b143040142

      SHA1

      a02431cf7c501a5b368c91e41283419d8fa9fb03

      SHA256

      4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

      SHA512

      c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

    • F:\Recycled\SVCHOST.EXE

      Filesize

      76KB

      MD5

      eae47a0db2132ee263837a1459a4ec01

      SHA1

      b2b22eec57bd5dc251ad443ebc85845407db739a

      SHA256

      4061cbdd36cbda90745ef6355b1f3c764f4b113ef996e2f3a5112a4c28af3a86

      SHA512

      84c4582b547cbc0e9891a8eb40f719f38ae40f94db2326a566a4a1e72d5e513cad03e9c3e3f11124972260338e3f19f61e1f713bc4ba3e1f46bba8bf9b01fe57

    • memory/864-100-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/864-0-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/988-44-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/988-48-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/996-50-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/1004-61-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/1528-94-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/1684-97-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/1968-31-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/2244-18-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/2840-69-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/2964-42-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/3240-81-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/3268-85-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/3476-103-0x00007FFE61FB0000-0x00007FFE61FC0000-memory.dmp

      Filesize

      64KB

    • memory/3476-101-0x00007FFE61FB0000-0x00007FFE61FC0000-memory.dmp

      Filesize

      64KB

    • memory/3476-102-0x00007FFE61FB0000-0x00007FFE61FC0000-memory.dmp

      Filesize

      64KB

    • memory/3476-104-0x00007FFE61FB0000-0x00007FFE61FC0000-memory.dmp

      Filesize

      64KB

    • memory/3476-105-0x00007FFE61FB0000-0x00007FFE61FC0000-memory.dmp

      Filesize

      64KB

    • memory/3476-106-0x00007FFE619D0000-0x00007FFE619E0000-memory.dmp

      Filesize

      64KB

    • memory/3476-107-0x00007FFE619D0000-0x00007FFE619E0000-memory.dmp

      Filesize

      64KB

    • memory/3752-66-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/4532-89-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/4736-32-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/5104-75-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/5104-72-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB