Analysis
- max time kernel: 120s
- max time network: 112s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/07/2024, 22:06

Static task: static1

Behavioral task: behavioral1
- Sample: 0a3166cfc6d771412517fd2ae96f29f0N.exe
- Resource: win7-20240708-en

Behavioral task: behavioral2
- Sample: 0a3166cfc6d771412517fd2ae96f29f0N.exe
- Resource: win10v2004-20240709-en

General
- Target: 0a3166cfc6d771412517fd2ae96f29f0N.exe
- Size: 4.7MB
- MD5: 0a3166cfc6d771412517fd2ae96f29f0
- SHA1: 63b37bb26ac2272966c1c9b82debf93ea8be0574
- SHA256: b97a8f7f8d94ab544501f35597711b50cf3274a76f75fc27f9fe92edc07a510c
- SHA512: 1994634bef6761e7885433a9a1bb4191eb678404d8068a7129f8b64bf8426ecb65700ea08003bd53c029b8612bc0f9ee89b55a87b929b6afb01a9225260966c1
- SSDEEP: 49152:tYtAAX6FcShtPyqSLhSFULhMYYKqFWsMhUY71l8bX:q8yqEUFYhMYYKqFWsMhf16
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)

Executes dropped EXE (6 IoCs)
- PID 4488: 0a3166cfc6d771412517fd2ae96f29f0n.exe
- PID 1364: icsys.icn.exe
- PID 4380: explorer.exe
- PID 1356: spoolsv.exe
- PID 388: svchost.exe
- PID 4528: spoolsv.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" (process: svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" (process: svchost.exe)

Drops file in System32 directory (2 IoCs)
- File opened for modification C:\Windows\SysWOW64\explorer.exe (process: explorer.exe)
- File opened for modification C:\Windows\SysWOW64\explorer.exe (process: svchost.exe)

Drops file in Windows directory (5 IoCs)
- File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe (process: 0a3166cfc6d771412517fd2ae96f29f0N.exe)
- File opened for modification \??\c:\windows\resources\themes\explorer.exe (process: icsys.icn.exe)
- File opened for modification \??\c:\windows\resources\spoolsv.exe (process: explorer.exe)
- File opened for modification \??\c:\windows\resources\svchost.exe (process: spoolsv.exe)
- File opened for modification C:\Windows\Resources\tjud.exe (process: explorer.exe)

Program crash (1 IoC)
- PID 4688 (WerFault.exe), pid_target 4488, procid_target 85

System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 0a3166cfc6d771412517fd2ae96f29f0N.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 0a3166cfc6d771412517fd2ae96f29f0n.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: icsys.icn.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: explorer.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: spoolsv.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: svchost.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: spoolsv.exe)

Modifies registry class (4 IoCs)
- Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\CID\{A3358E75-826A3-31A5-2C1E-14A484D53571}\242DD93D (process: 0a3166cfc6d771412517fd2ae96f29f0n.exe)
- Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\CID (process: 0a3166cfc6d771412517fd2ae96f29f0n.exe)
- Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\CID\{A3358E75-826A3-31A5-2C1E-14A484D53571} (process: 0a3166cfc6d771412517fd2ae96f29f0n.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\CID\{A3358E75-826A3-31A5-2C1E-14A484D53571}\242DD93D\2 = "118105046078008009198080245028157129229105021171" (process: 0a3166cfc6d771412517fd2ae96f29f0n.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs; the two entries below are repeated to make up the 64 listed)
- PID 412: 0a3166cfc6d771412517fd2ae96f29f0N.exe
- PID 1364: icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 4380: explorer.exe
- PID 388: svchost.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 4488 (0a3166cfc6d771412517fd2ae96f29f0n.exe)

Suspicious use of SetWindowsHookEx (12 IoCs; each PID is listed twice)
- PID 412: 0a3166cfc6d771412517fd2ae96f29f0N.exe
- PID 1364: icsys.icn.exe
- PID 4380: explorer.exe
- PID 1356: spoolsv.exe
- PID 388: svchost.exe
- PID 4528: spoolsv.exe

Suspicious use of WriteProcessMemory (18 IoCs; each write is listed three times)
- PID 412 (0a3166cfc6d771412517fd2ae96f29f0N.exe) wrote to memory of 4488, procid_target 85
- PID 412 (0a3166cfc6d771412517fd2ae96f29f0N.exe) wrote to memory of 1364, procid_target 88
- PID 1364 (icsys.icn.exe) wrote to memory of 4380, procid_target 89
- PID 4380 (explorer.exe) wrote to memory of 1356, procid_target 90
- PID 1356 (spoolsv.exe) wrote to memory of 388, procid_target 91
- PID 388 (svchost.exe) wrote to memory of 4528, procid_target 92
Processes
C:\Users\Admin\AppData\Local\Temp\0a3166cfc6d771412517fd2ae96f29f0N.exe (depth 1, PID 412)
Command line: "C:\Users\Admin\AppData\Local\Temp\0a3166cfc6d771412517fd2ae96f29f0N.exe"
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  \??\c:\users\admin\appdata\local\temp\0a3166cfc6d771412517fd2ae96f29f0n.exe (depth 2, PID 4488)
  Command line: c:\users\admin\appdata\local\temp\0a3166cfc6d771412517fd2ae96f29f0n.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe (depth 3, PID 4688)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1776
    - Program crash

  C:\Windows\Resources\Themes\icsys.icn.exe (depth 2, PID 1364)
  Command line: C:\Windows\Resources\Themes\icsys.icn.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    \??\c:\windows\resources\themes\explorer.exe (depth 3, PID 4380)
    Command line: c:\windows\resources\themes\explorer.exe
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

      \??\c:\windows\resources\spoolsv.exe (depth 4, PID 1356)
      Command line: c:\windows\resources\spoolsv.exe SE
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        \??\c:\windows\resources\svchost.exe (depth 5, PID 388)
        Command line: c:\windows\resources\svchost.exe
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

          \??\c:\windows\resources\spoolsv.exe (depth 6, PID 4528)
          Command line: c:\windows\resources\spoolsv.exe PR
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 3392)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4488 -ip 4488
Network
MITRE ATT&CK Enterprise v15
Downloads