Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/07/2024, 02:18
Static task: static1
Behavioral task: behavioral1
- Sample: b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
- Resource: win10v2004-20240709-en
General
- Target: b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
- Size: 1.4MB
- MD5: f2af0cf68dfd2a651cc66ad92ea4524a
- SHA1: 95ccb921e2f012b426ee89b1901b28ef661d93eb
- SHA256: b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74
- SHA512: 4cade9d6e64030d5bfb1dffe451efbba70c8c1a7d77b945fdd364870773504c634efc3a662b1ae2b2ceb1c39939a47efbb545ba65a1c634330df181119fac198
- SSDEEP: 24576:T9cdOqX1uuMliQzd4mNy9Sh5hJgpiwVQLJaOSZ4LehoZza9gNWmAO5ehlM+:T9UX1uBx4mYo83vOSeyeaKrE
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 8 IoCs)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | Process
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
- Executes dropped EXE (4 IoCs)
  pid | Process
  4024 | explorer.exe
  4624 | spoolsv.exe
  1684 | svchost.exe
  1080 | spoolsv.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (36 IoCs)
  pid | Process
  2972 | b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
  4024 | explorer.exe
  4624 | spoolsv.exe
  1684 | svchost.exe
  1080 | spoolsv.exe
  1080 | spoolsv.exe
  4024 | explorer.exe
  1684 | svchost.exe
  4024 | explorer.exe
  1684 | svchost.exe
  4024 | explorer.exe
  1684 | svchost.exe
  4024 | explorer.exe
  1684 | svchost.exe
  4024 | explorer.exe
  1684 | svchost.exe
  4024 | explorer.exe
  1684 | svchost.exe
  4024 | explorer.exe
  1684 | svchost.exe
  4024 | explorer.exe
  1684 | svchost.exe
  4024 | explorer.exe
  1684 | svchost.exe
  4024 | explorer.exe
  1684 | svchost.exe
  4024 | explorer.exe
  1684 | svchost.exe
  4024 | explorer.exe
  1684 | svchost.exe
  4024 | explorer.exe
  1684 | svchost.exe
  4024 | explorer.exe
  1684 | svchost.exe
  4024 | explorer.exe
  1684 | svchost.exe
- Drops file in Windows directory (6 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
  File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2972 | b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
  2972 | b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
  4024 | explorer.exe
  4024 | explorer.exe
  4024 | explorer.exe
  4024 | explorer.exe
  4024 | explorer.exe
  4024 | explorer.exe
  4024 | explorer.exe
  4024 | explorer.exe
  1684 | svchost.exe
  1684 | svchost.exe
  1684 | svchost.exe
  1684 | svchost.exe
  1684 | svchost.exe
  4024 | explorer.exe
  4024 | explorer.exe
  1684 | svchost.exe
  1684 | svchost.exe
  4024 | explorer.exe
  4024 | explorer.exe
  1684 | svchost.exe
  1684 | svchost.exe
  4024 | explorer.exe
  1684 | svchost.exe
  4024 | explorer.exe
  4024 | explorer.exe
  1684 | svchost.exe
  4024 | explorer.exe
  1684 | svchost.exe
  4024 | explorer.exe
  1684 | svchost.exe
  4024 | explorer.exe
  1684 | svchost.exe
  4024 | explorer.exe
  1684 | svchost.exe
  4024 | explorer.exe
  1684 | svchost.exe
  4024 | explorer.exe
  1684 | svchost.exe
  4024 | explorer.exe
  1684 | svchost.exe
  4024 | explorer.exe
  4024 | explorer.exe
  1684 | svchost.exe
  1684 | svchost.exe
  1684 | svchost.exe
  4024 | explorer.exe
  4024 | explorer.exe
  1684 | svchost.exe
  4024 | explorer.exe
  1684 | svchost.exe
  4024 | explorer.exe
  1684 | svchost.exe
  1684 | svchost.exe
  1684 | svchost.exe
  4024 | explorer.exe
  4024 | explorer.exe
  4024 | explorer.exe
  4024 | explorer.exe
  1684 | svchost.exe
  1684 | svchost.exe
  1684 | svchost.exe
  1684 | svchost.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  4024 | explorer.exe
  1684 | svchost.exe
- Suspicious use of SetWindowsHookEx (17 IoCs)
  pid | Process
  2972 | b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
  2972 | b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
  2972 | b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe
  4024 | explorer.exe
  4024 | explorer.exe
  4024 | explorer.exe
  4624 | spoolsv.exe
  4624 | spoolsv.exe
  4624 | spoolsv.exe
  1684 | svchost.exe
  1684 | svchost.exe
  1684 | svchost.exe
  1080 | spoolsv.exe
  1080 | spoolsv.exe
  1080 | spoolsv.exe
  4024 | explorer.exe
  4024 | explorer.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | Process | procid_target
  PID 2972 wrote to memory of 4024 | 2972 | b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe | 84
  PID 2972 wrote to memory of 4024 | 2972 | b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe | 84
  PID 2972 wrote to memory of 4024 | 2972 | b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe | 84
  PID 4024 wrote to memory of 4624 | 4024 | explorer.exe | 85
  PID 4024 wrote to memory of 4624 | 4024 | explorer.exe | 85
  PID 4024 wrote to memory of 4624 | 4024 | explorer.exe | 85
  PID 4624 wrote to memory of 1684 | 4624 | spoolsv.exe | 88
  PID 4624 wrote to memory of 1684 | 4624 | spoolsv.exe | 88
  PID 4624 wrote to memory of 1684 | 4624 | spoolsv.exe | 88
  PID 1684 wrote to memory of 1080 | 1684 | svchost.exe | 89
  PID 1684 wrote to memory of 1080 | 1684 | svchost.exe | 89
  PID 1684 wrote to memory of 1080 | 1684 | svchost.exe | 89
  PID 1684 wrote to memory of 1872 | 1684 | svchost.exe | 91
  PID 1684 wrote to memory of 1872 | 1684 | svchost.exe | 91
  PID 1684 wrote to memory of 1872 | 1684 | svchost.exe | 91
  PID 1684 wrote to memory of 2304 | 1684 | svchost.exe | 109
  PID 1684 wrote to memory of 2304 | 1684 | svchost.exe | 109
  PID 1684 wrote to memory of 2304 | 1684 | svchost.exe | 109
  PID 1684 wrote to memory of 3504 | 1684 | svchost.exe | 112
  PID 1684 wrote to memory of 3504 | 1684 | svchost.exe | 112
  PID 1684 wrote to memory of 3504 | 1684 | svchost.exe | 112
Processes
- C:\Users\Admin\AppData\Local\Temp\b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe (PID 2972)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b4041377281a95568381363ec6c3826d11948d1449bda36d6a0d6bb50e8c9a74.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - \??\c:\windows\system\explorer.exe (PID 4024)
    Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of hidden/system files in Explorer
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - \??\c:\windows\system\spoolsv.exe (PID 4624)
      Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\system\svchost.exe (PID 1684)
        Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Boot or Logon Autostart Execution: Active Setup
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - \??\c:\windows\system\spoolsv.exe (PID 1080)
          Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\at.exe (PID 1872)
          Command line: at 02:21 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          - System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\at.exe (PID 2304)
          Command line: at 02:22 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          - System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\at.exe (PID 3504)
          Command line: at 02:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (4)
Downloads
- Filesize: 1.4MB
  MD5: f238b82aa092bb0f353c23234515092b
  SHA1: 0294931f380669353c7af3b6385a82be9e4cb321
  SHA256: 80229ba49bddc9392880d925d6428c5eaf5c4fd3d296d9674d96c7651b95ac59
  SHA512: b686bad6751f13b53d4ab70b63891a087b5d76d80d4eed9298e7dc13beb8d290ece83023d9a1a65479d592318ec3fb4924bd1e572379b293c63f04ca3af61a4f
- Filesize: 1.4MB
  MD5: 77e003785e8e4745af380880aa10fcd5
  SHA1: 1edc9d29f296b58fbed042ac59f67d65a1b643e3
  SHA256: 02e5ee986a18d224d3cefa93573c67154d4ab91570adfc721b4efed57d505b4b
  SHA512: 2843b6a1d825a5d3f4c5b496f213421b62cd67069600772b7812409c2f299e6f37db8ee036352ac210a611f8e8a55dfe72ebfc8b98a8d94854a775a61b1c2acb
- Filesize: 1.4MB
  MD5: fb86ca49d2003753b28e30ff7635e79f
  SHA1: 714b7380a6cddca58d26c763795a1638faef3ebc
  SHA256: 8b579f66d2214a0f2072456793885f7a2177f9330326b3469bd5d852a7d5fde4
  SHA512: 0fb7181648c112b8e230b74592a85c2bedfb268e1f69e057e71aa8f2f0c9e7feac514be7ebb5035c21547525a16df612aeffda2c939ee7db76a94d3643a41997
- Filesize: 1.4MB
  MD5: aa8aa97a1f076c4fe8f11fd39809c0e5
  SHA1: bdaf4939b1cd42c3e1e9342059b4bb1113111d49
  SHA256: 478aebc3b17c6a2ab1aafcf8d252b686c361fea3680a22913456b50c74c04b5c
  SHA512: 6ce3d1e7903c2652914a7aab95db1e045890298672d8d0256a3b0caa07c07d7a989e9fec34d61a217c7e3f5c37633734338846e8fa34c3d999adb99cce47e7f3