Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

e94963b6aa...c0.exe

windows7-x64

10

e94963b6aa...c0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    10/07/2024, 06:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e94963b6aaade5d2d4238f763be8a843573dcb1f537522403bb13902576e2fc0.exe

  • Size

    77KB

  • MD5

    fb134b3fe401d18185680cbc63ff4a57

  • SHA1

    f9b9c5deb18ff0de87fd8d275299d1f89b0a389c

  • SHA256

    e94963b6aaade5d2d4238f763be8a843573dcb1f537522403bb13902576e2fc0

  • SHA512

    e55158ff21776f7234b36976c7f9d7823f5699d201b9fa01c8776d531ecaa634a6906d6b6e9c50f0cc0fddc42e6806262d1c23f60e08b3ae5a1deca8181f7e8e

  • SSDEEP

    1536:ekeK40T/mx7y9v7Z/Z2V/GSAFRfBhpVoK3:FD40Dmx7y9DZ/Z2hGVkK3

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
    evasion
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 21 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 28 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e94963b6aaade5d2d4238f763be8a843573dcb1f537522403bb13902576e2fc0.exe
    "C:\Users\Admin\AppData\Local\Temp\e94963b6aaade5d2d4238f763be8a843573dcb1f537522403bb13902576e2fc0.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2784
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates connected drives
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2992
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2736
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2660
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Enumerates connected drives
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2748
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2816
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2676
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2512
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2588
      • C:\Windows\SysWOW64\userinit.exe
        C:\Windows\system32\userinit.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2188
        • C:\Windows\SysWOW64\Explorer.exe
          Explorer.exe "C:\recycled\SVCHOST.exe"
          4⤵
            PID:2308
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2940
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1268
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e94963b6aaade5d2d4238f763be8a843573dcb1f537522403bb13902576e2fc0.doc"
        2⤵
        • Drops file in Windows directory
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1632
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          3⤵
            PID:1696
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        1⤵
          PID:752

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Recycled\SPOOLSV.EXE
          Filesize

          77KB

          MD5

          cb37067dd19860be14438a715794e4f3

          SHA1

          528a5c3bc280611078a30b6c925d681836dfb896

          SHA256

          57200db11ea0d3063e1faf80ee7facf8ab96cbd488a6d33c943b27d45ca56e0c

          SHA512

          b967acf9f874c9083ab37db4f018ba73ab4bc8f6d3e49793a5c35dfae19590943f24bf065f1800e35470ae80457840ceb9fb9087e1244ecf7a3fb199a4a11f87

          Download Submit

        • C:\Recycled\desktop.ini
          Filesize

          65B

          MD5

          ad0b0b4416f06af436328a3c12dc491b

          SHA1

          743c7ad130780de78ccbf75aa6f84298720ad3fa

          SHA256

          23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416

          SHA512

          884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
          Filesize

          1KB

          MD5

          0269b6347e473980c5378044ac67aa1f

          SHA1

          c3334de50e320ad8bce8398acff95c363d039245

          SHA256

          68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

          SHA512

          e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

          Download Submit

        • C:\begolu.txt
          Filesize

          2B

          MD5

          2b9d4fa85c8e82132bde46b143040142

          SHA1

          a02431cf7c501a5b368c91e41283419d8fa9fb03

          SHA256

          4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

          SHA512

          c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

          Download Submit

        • F:\Recycled\SVCHOST.EXE
          Filesize

          77KB

          MD5

          b5b9693b5b0064b38b9ba5e000c2b4d4

          SHA1

          d222ac5b1b6649dd0e69dace1a000dc883522a28

          SHA256

          b6635142995db85f8b6ab21be0c49efb288975060ddd9708260147d4dd08a78e

          SHA512

          18cc5136d13a00e78f1443644e94811a0fda789ce00ced2b6526a063d73642bafd6b37b3f3da98f4ba13f97aee0172009157346cfc7a807757620ad239c1d680

          Download Submit

        • \Recycled\SVCHOST.EXE
          Filesize

          77KB

          MD5

          c491a0d41a6c8e300b264ddd610c267b

          SHA1

          e451254aa297ac0dedfdb72d7f41bca5636592eb

          SHA256

          3485b14bbdde4977cee2fa2981b742aabc3c3045fb51b78ea7f4842fd98b1f2e

          SHA512

          5ed53b1dc7534679fe3a75aeb0157b1098d7f3ce11cd847752ee670c20412970021975a37f1c7973a2bf5ce900fe98f1857042e2ba3ae785c6dc600ea054b6e0

          Download Submit

        • memory/1268-110-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1632-113-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2204-101-0x0000000000430000-0x000000000044A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2204-100-0x0000000000430000-0x000000000044A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2204-111-0x00000000049B0000-0x00000000049C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2204-112-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2204-23-0x0000000000430000-0x000000000044A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2204-0-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2204-21-0x0000000000430000-0x000000000044A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2512-87-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2512-86-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2588-93-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2588-96-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2660-55-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2676-81-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2736-51-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2748-69-0x0000000000760000-0x000000000077A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2748-76-0x0000000000760000-0x000000000077A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2748-82-0x0000000000760000-0x000000000077A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2748-63-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2780-89-0x00000000003D0000-0x00000000003EA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2780-36-0x00000000003D0000-0x00000000003EA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2780-92-0x00000000003D0000-0x00000000003EA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2780-143-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2780-145-0x00000000003D0000-0x00000000003EA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2784-33-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2816-74-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2816-70-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2940-105-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2992-47-0x0000000001E40000-0x0000000001E5A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2992-39-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2992-62-0x0000000001E40000-0x0000000001E5A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2992-146-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download