Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

0a3166cfc6...0N.exe

windows7-x64

10

0a3166cfc6...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/07/2024, 22:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0a3166cfc6d771412517fd2ae96f29f0N.exe

  • Size

    4.7MB

  • MD5

    0a3166cfc6d771412517fd2ae96f29f0

  • SHA1

    63b37bb26ac2272966c1c9b82debf93ea8be0574

  • SHA256

    b97a8f7f8d94ab544501f35597711b50cf3274a76f75fc27f9fe92edc07a510c

  • SHA512

    1994634bef6761e7885433a9a1bb4191eb678404d8068a7129f8b64bf8426ecb65700ea08003bd53c029b8612bc0f9ee89b55a87b929b6afb01a9225260966c1

  • SSDEEP

    49152:tYtAAX6FcShtPyqSLhSFULhMYYKqFWsMhUY71l8bX:q8yqEUFYhMYYKqFWsMhf16

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a3166cfc6d771412517fd2ae96f29f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\0a3166cfc6d771412517fd2ae96f29f0N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:412
    • \??\c:\users\admin\appdata\local\temp\0a3166cfc6d771412517fd2ae96f29f0n.exe 
      c:\users\admin\appdata\local\temp\0a3166cfc6d771412517fd2ae96f29f0n.exe 
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:4488
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1776
        3⤵
        • Program crash
        PID:4688
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1364
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4380
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1356
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:388
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4528
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4488 -ip 4488
    1⤵
      PID:3392

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\0a3166cfc6d771412517fd2ae96f29f0n.exe 
      Filesize

      4.6MB

      MD5

      e4d6bc579bb1784abe102df50b454415

      SHA1

      fdebff4c0fd98b33c44e0b2c8cd372fedbd8ede1

      SHA256

      f7edb4846e02a8ae90e6020ab69431825d27d9924835a70066f8449635baab50

      SHA512

      d8a2775a17eb8b4bfa4f92bba2f5a7b187a8b7d8b1dab53bded056c4d071a2d5e47a45acb4c3c12b5bcdde34876f95b0ae04e3db554093d79f7ab740fe7907ce

      Download Submit

    • C:\Windows\Resources\Themes\explorer.exe
      Filesize

      135KB

      MD5

      d85133534ced162c057bb894f4b19de5

      SHA1

      6b7622e5013d9f402276c345d1e489c7ed821b00

      SHA256

      c69b2fcd96115515effb568d74934f896939cecdc100ab70615dbe8838d15cdb

      SHA512

      91408324d1a5afa6e701e6587218c28ecb980c27d882103bb6e4fa63f0fa327e24c7f2b6714bb150bf5c994f616b8d972c7645270462af449996089e97b75ebf

      Download Submit

    • C:\Windows\Resources\Themes\icsys.icn.exe
      Filesize

      135KB

      MD5

      b7b44d1c1561f42030e32f2c38664a0f

      SHA1

      38592dcd976e46d26dae56419f239bd5fbf487b5

      SHA256

      ebe48be77ba73d1f901dd793f4607dfbcad3e4618b83610edc512eabc2ea4761

      SHA512

      f85ad941df34f17a6fc4de49aaa3598b70cf78236783a495aa58bba15337cc6d5ff557ede82619bce4eb3fd6de728773ba36a0e4742de3b70f6226206d5e19fb

      Download Submit

    • C:\Windows\Resources\spoolsv.exe
      Filesize

      135KB

      MD5

      ffb3538e8d5b2660646001bec6873457

      SHA1

      bfbebcc0953f1b91599f84e78f5aed0a0c0239b0

      SHA256

      d6c81c29a7ce96575441a891c170a75ea6dfd4bd8399cd8f0c3033961dad51aa

      SHA512

      38e6b533410e00c78e1fb04ddf86a898c8fa52f534b0ba1d02cb08e3ae215aa837ad36326cb25b2c8595b4774a60ef157e8a410b1b000a10602d8bbe7625390d

      Download Submit

    • C:\Windows\Resources\svchost.exe
      Filesize

      135KB

      MD5

      b83d50823eaa3421f41e32e92246f67b

      SHA1

      764c1730d3b9e4718bad2d124905ab54be577f28

      SHA256

      fab256d3d9406a521d0c2d503fb9254cda3c3d205063d1c259f9649eee25dc83

      SHA512

      99dbab013659d71bc508c101c9f6f988a5ff7ca5fc526834e79a9bfd4ada72c8aab11afc20d263379c7fc9d994861f6bd611b54c035e2328ecbb1e2c144dfe3f

      Download Submit

    • memory/412-57-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/412-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1356-55-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1364-20-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1364-56-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/4488-12-0x0000000005B60000-0x0000000006104000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4488-15-0x00000000746D0000-0x0000000074E80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4488-14-0x0000000005740000-0x000000000574A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4488-13-0x00000000055B0000-0x0000000005642000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4488-46-0x0000000006D00000-0x0000000006D66000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4488-11-0x0000000005510000-0x00000000055AC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4488-10-0x0000000000630000-0x0000000000AC8000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4488-9-0x00000000746DE000-0x00000000746DF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4488-58-0x0000000006940000-0x0000000006996000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4488-59-0x00000000746D0000-0x0000000074E80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4528-52-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/4528-54-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download