Analysis

  • max time kernel
    120s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/07/2024, 23:29

General

  • Target

    2b5a6fe14376cbb5dc3ccc73aec34110N.exe

  • Size

    135KB

  • MD5

    2b5a6fe14376cbb5dc3ccc73aec34110

  • SHA1

    e6df196f3a11432091fd329d8a0f7b2cc9abf9c4

  • SHA256

    e5dfed3f665d93160eb7ed7c3abaa39ca23c6768e44a23d6cf60804530c4742a

  • SHA512

    14eb250c9a7df54f531fd6fc1dd88f6de40795aa227af67bb5f5e23db20b450a3cced267af0ce17279920ea9601cacf8102712739338c1723f5d06a6181e46b0

  • SSDEEP

    1536:4fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVgEhu:4VqoCl/YgjxEufVU0TbTyDDalquu

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b5a6fe14376cbb5dc3ccc73aec34110N.exe
    "C:\Users\Admin\AppData\Local\Temp\2b5a6fe14376cbb5dc3ccc73aec34110N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2012
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2756
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2916
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2852
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2776
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:31 /f
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2612
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:32 /f
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2384
      • C:\Windows\Explorer.exe
        C:\Windows\Explorer.exe
        3⤵
          PID:2752

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\Resources\spoolsv.exe

      Filesize

      135KB

      MD5

      c88ffcc7c2f8f6c41203e3998dfe647b

      SHA1

      40aee9e36c7e977911a001cee019c2ce9fe13995

      SHA256

      426033ccec0b4de5f6b4c4a39fb2553ccd9f20415fb1e6db6596a5ca7f7eb7b5

      SHA512

      5b08569fd9e086b478059715c567b60cebd0c120aaeb196eccd835e4d808a76508459cce940ba8db6a7d7505d8407a310c5b929e4338f3f1dd53cc59d37ca172

    • \Windows\Resources\Themes\explorer.exe

      Filesize

      135KB

      MD5

      dbb3a6db6ff23d551e14f354ef03d32c

      SHA1

      8bb96dbe3bf538a2e6909e4a79c7b8d4be0ea42c

      SHA256

      176cdbe764738718769bdfe3eda7067d2dfa05a640e4296893147678e5aaccf7

      SHA512

      d619be1c9cf4f679ab86e475ae94696605220c338ce3b769dc47ba3ff72519fc3437bd2b057c50b6f8c2f66d6c2a005c36f34608d47e1fc7724f7578a366368e

    • \Windows\Resources\svchost.exe

      Filesize

      135KB

      MD5

      154821bccb874818567f71684883435c

      SHA1

      84d1e8773ca496b7e4c5cd9f1de8ec8042940826

      SHA256

      1505f25356fcc15e19d2b78e0691e712b1d19108a6ea71ef70eccba004946a8e

      SHA512

      67c9dea3e7c09b8354372b0b23c20d9884a681dbba53dd2ca416a5ad79c16a260293939ddfb6fa8dac7ca829a7c5c85e9c8287082c36c78443a149e8009b3ff6

    • memory/2012-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2012-41-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2776-40-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2852-35-0x0000000000270000-0x000000000028F000-memory.dmp

      Filesize

      124KB