Analysis
- max time kernel: 120s
- max time network: 102s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/07/2024, 21:36
Static task: static1
Behavioral task: behavioral1
- Sample: 109015d4b83faedd67d948a633094240N.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 109015d4b83faedd67d948a633094240N.exe
- Resource: win10v2004-20240709-en
General
- Target: 109015d4b83faedd67d948a633094240N.exe
- Size: 2.3MB
- MD5: 109015d4b83faedd67d948a633094240
- SHA1: 08756d3aee790ebd76a716722274b7e73a8e4434
- SHA256: 4df4e0d574fffdc2a01c8586ecd229f57fb6473180c19f41b40f5dccc42e61a2
- SHA512: c7212e87f16ad3c6c365da72c866cd240a137e212201df9dc7e260a6b138128f344609f61af9be5eb3a37157eea65ff9973c362ac5c2436a2d7adab723d9f7ee
- SSDEEP: 24576:PFOa7wf1O8JPPdc9o5KIc8x88eJfeJB4SbE9HppkDw9Bmpwy855sM40YtQ2qlBP0:tAU8ARQ6SCppkDw9BmpZ3aTPIsY9
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  - Set value (int) | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  - Set value (int) | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
- Executes dropped EXE (6 IoCs)
  pid | Process
  - 772 | 109015d4b83faedd67d948a633094240n.exe
  - 1304 | icsys.icn.exe
  - 3244 | explorer.exe
  - 4612 | spoolsv.exe
  - 5100 | svchost.exe
  - 3552 | spoolsv.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  - File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
  - File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
- Drops file in Windows directory (5 IoCs)
  description | ioc | Process
  - File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | 109015d4b83faedd67d948a633094240N.exe
  - File opened for modification | \??\c:\windows\resources\themes\explorer.exe | icsys.icn.exe
  - File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
  - File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
  - File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
- System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 109015d4b83faedd67d948a633094240N.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 109015d4b83faedd67d948a633094240n.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  - 3296 | 109015d4b83faedd67d948a633094240N.exe (this row is repeated many times in the original table)
  - 1304 | icsys.icn.exe (this row is repeated many times in the original table)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  - 3244 | explorer.exe
  - 5100 | svchost.exe
- Suspicious use of SetWindowsHookEx (12 IoCs)
  pid | Process
  - 3296 | 109015d4b83faedd67d948a633094240N.exe (2 identical entries)
  - 1304 | icsys.icn.exe (2 identical entries)
  - 3244 | explorer.exe (2 identical entries)
  - 4612 | spoolsv.exe (2 identical entries)
  - 5100 | svchost.exe (2 identical entries)
  - 3552 | spoolsv.exe (2 identical entries)
- Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  - PID 3296 wrote to memory of 772 | 3296 | 109015d4b83faedd67d948a633094240N.exe | 84 (3 identical entries)
  - PID 3296 wrote to memory of 1304 | 3296 | 109015d4b83faedd67d948a633094240N.exe | 85 (3 identical entries)
  - PID 1304 wrote to memory of 3244 | 1304 | icsys.icn.exe | 87 (3 identical entries)
  - PID 3244 wrote to memory of 4612 | 3244 | explorer.exe | 89 (3 identical entries)
  - PID 4612 wrote to memory of 5100 | 4612 | spoolsv.exe | 91 (3 identical entries)
  - PID 5100 wrote to memory of 3552 | 5100 | svchost.exe | 92 (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\109015d4b83faedd67d948a633094240N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\109015d4b83faedd67d948a633094240N.exe"
  PID: 3296
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\users\admin\appdata\local\temp\109015d4b83faedd67d948a633094240n.exe
    command line: c:\users\admin\appdata\local\temp\109015d4b83faedd67d948a633094240n.exe
    PID: 772
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  - C:\Windows\Resources\Themes\icsys.icn.exe
    command line: C:\Windows\Resources\Themes\icsys.icn.exe
    PID: 1304
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\resources\themes\explorer.exe
      command line: c:\windows\resources\themes\explorer.exe
      PID: 3244
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\resources\spoolsv.exe
        command line: c:\windows\resources\spoolsv.exe SE
        PID: 4612
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\resources\svchost.exe
          command line: c:\windows\resources\svchost.exe
          PID: 5100
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - \??\c:\windows\resources\spoolsv.exe
            command line: c:\windows\resources\spoolsv.exe PR
            PID: 3552
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads