Analysis

  • max time kernel
    120s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/07/2024, 21:36

General

  • Target

    109015d4b83faedd67d948a633094240N.exe

  • Size

    2.3MB

  • MD5

    109015d4b83faedd67d948a633094240

  • SHA1

    08756d3aee790ebd76a716722274b7e73a8e4434

  • SHA256

    4df4e0d574fffdc2a01c8586ecd229f57fb6473180c19f41b40f5dccc42e61a2

  • SHA512

    c7212e87f16ad3c6c365da72c866cd240a137e212201df9dc7e260a6b138128f344609f61af9be5eb3a37157eea65ff9973c362ac5c2436a2d7adab723d9f7ee

  • SSDEEP

    24576:PFOa7wf1O8JPPdc9o5KIc8x88eJfeJB4SbE9HppkDw9Bmpwy855sM40YtQ2qlBP0:tAU8ARQ6SCppkDw9BmpZ3aTPIsY9

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\109015d4b83faedd67d948a633094240N.exe
    "C:\Users\Admin\AppData\Local\Temp\109015d4b83faedd67d948a633094240N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3296
    • \??\c:\users\admin\appdata\local\temp\109015d4b83faedd67d948a633094240n.exe 
      c:\users\admin\appdata\local\temp\109015d4b83faedd67d948a633094240n.exe 
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:772
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1304
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3244
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4612
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visibility of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:5100
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3552

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\109015d4b83faedd67d948a633094240n.exe 

    Filesize

    2.2MB

    MD5

    65b954468b068ebdf457c67c452c18e6

    SHA1

    644391b8f2741603a6942bd456f23c46c8b9df7a

    SHA256

    485006f4264d3835374c99820acbad6e9e409fda3aa78bcff98adfc9f62e8598

    SHA512

    0327461d01b7bce4a6275ca4a5d0eca2fbcfcedf8b1620856f707def22ea89136e98a7bc3f7d74190ace47949a46617221777b1a5f8a6501adbb25d0fc8df373

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    135KB

    MD5

    e84a1ae9d8cc8955bd8dc5bdd48c1bbd

    SHA1

    cef552e3075dbafba6b82e2c533626d87657fe76

    SHA256

    f3e4a04e6694d064d4c04fbe496ca10d15a731b1971f64c20c73b4478c0f174a

    SHA512

    6c5d8fbe1508104665e24ed10e5f107713e857636473e6f95d5305ccac253ade7907df94e85baa77eaf5b1e05f4d90879db2e44b85865a6892b31476e30f9dd2

  • C:\Windows\Resources\Themes\icsys.icn.exe

    Filesize

    135KB

    MD5

    6708ad26c1e3b978054f905b140c6f1c

    SHA1

    104b00286aab9f93390af03d344da4fee5064ecc

    SHA256

    0f90b1ceed4aa000d4049696c2673f6c98685e5b6184b894bf5c4ddd9948a415

    SHA512

    408fbae7f92eea3d38045ce89da02b6c1cba3feb0e0700cdfd87e0b4ea7a63470dca6a03d6dd04152c02b90d98dcb8813742bf883b1dd7f31fbd2883755183ed

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    135KB

    MD5

    f856a83d22258cc80d072264ab61138e

    SHA1

    5aef3c538816702317a495498f5bf0ba90cbb588

    SHA256

    e78f63e2241e21e11aeb929bbce0b29113e4b600391900752c83c428860a936e

    SHA512

    15c243aeaecba87206ec58579d90bc4ae3a96685b4e9e77cd75f021f1b2058c8681d40f4ca29057a84ea742fa3d3d29683d3a36da127860c0f10921e5531c162

  • C:\Windows\Resources\svchost.exe

    Filesize

    135KB

    MD5

    4e2e4dc1fca40470ac5dab00e50aa8c5

    SHA1

    c3091b2def0c3b1f2cad798ed326f426fec8fcff

    SHA256

    6c4a00dfd610fdcdf5418e33042fa04ce42e798491514aaf59a1e4966fc8b38e

    SHA512

    981a85f842f47f143f8d86d594ca94ae5572503a2f64486571dee2bdbc13c836aa6e02b63b4ccc621a51b42fc80be68022e3ff9c800ad4f68d71912c9f23f0b8

  • memory/772-52-0x0000000000400000-0x00000000005D7000-memory.dmp

    Filesize

    1.8MB

  • memory/772-54-0x0000000000400000-0x00000000005D7000-memory.dmp

    Filesize

    1.8MB

  • memory/772-58-0x0000000000400000-0x00000000005D7000-memory.dmp

    Filesize

    1.8MB

  • memory/772-57-0x0000000000400000-0x00000000005D7000-memory.dmp

    Filesize

    1.8MB

  • memory/772-9-0x0000000000830000-0x0000000000831000-memory.dmp

    Filesize

    4KB

  • memory/772-56-0x0000000000400000-0x00000000005D7000-memory.dmp

    Filesize

    1.8MB

  • memory/772-48-0x0000000000400000-0x00000000005D7000-memory.dmp

    Filesize

    1.8MB

  • memory/772-49-0x0000000000830000-0x0000000000831000-memory.dmp

    Filesize

    4KB

  • memory/772-50-0x0000000000400000-0x00000000005D7000-memory.dmp

    Filesize

    1.8MB

  • memory/772-51-0x0000000000400000-0x00000000005D7000-memory.dmp

    Filesize

    1.8MB

  • memory/772-55-0x0000000000400000-0x00000000005D7000-memory.dmp

    Filesize

    1.8MB

  • memory/1304-46-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3296-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3296-47-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3552-44-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4612-45-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB