Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    17/08/2024, 03:31

General

  • Target

    a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe

  • Size

    211KB

  • MD5

    e5dc0d2edb9217f61b178e4fb33c1e56

  • SHA1

    b2c26b273efa8eef307e73b3ded8e28e1b4f388e

  • SHA256

    a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c

  • SHA512

    9f82a43d302cf35cfd1392bc8f3acdbae7b12d4506ecac1158324c77e5bdc334e1b151b8e3749990fa3f93aa8d4451066a21a552ac11e1ae6d6cffc91767faaf

  • SSDEEP

    3072:bDpM9Nvih5c9DE1pvAPXIHLfMgw7ySBL8PEAjAfIbAYGPJz6sPJBINFZ1FqnC:b1iNKQxENHLfMgw7y9Zr/

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe
    "C:\Users\Admin\AppData\Local\Temp\a7fcbe6261616e23f66c510443213e64c5ae650f6afa94cd90e8dfcfea31aa7c.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4948
    • \??\c:\windows\userinit.exe
      c:\windows\userinit.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4524
      • \??\c:\windows\spoolsw.exe
        c:\windows\spoolsw.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2120
        • \??\c:\windows\swchost.exe
          c:\windows\swchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2180
          • \??\c:\windows\spoolsw.exe
            c:\windows\spoolsw.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4064

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\mrsys.exe

    Filesize

    211KB

    MD5

    8889e96c0b48b5bb0bb7700f71e7e1d6

    SHA1

    e73b9db0a96248ae3a9df612f403ed6583a8a462

    SHA256

    c105403f143d885f51824a90041f27d863066f8f332cc1b93a5786870af1bd83

    SHA512

    4906b9f75fb17633d29a650c9bb1d5dc0d8ae2682c11843af7fa1331543a1f343989941144c2d8ddb287c88c1db20229f53aeb02e6938efb0ab5dc2c3e31fedd

  • C:\Windows\spoolsw.exe

    Filesize

    211KB

    MD5

    cc637169fa787e73c6749f5de76a8c5e

    SHA1

    13ce00f1ff9b22777150e74365463656c246a422

    SHA256

    cb3da288a7e5674a332a5635f6b35a97abb4534ed9187f061e69ca2b36702b0b

    SHA512

    0e9686b23a0b5236be9f72f80de5d87fd5bc2e2271e07b24a6379a413b971f4b26b549764a4c647a9f3ab4e952eef8ea9c0b2c4556895cfa9b84d5093b59c4ef

  • C:\Windows\swchost.exe

    Filesize

    211KB

    MD5

    ab598f21ffd5378a226e3bdfb042ed6b

    SHA1

    759dee52399f47abeacf50c5beb6b84484fbc62e

    SHA256

    8fc0e7cafa560da95915d4b3760a6bf198a47df1bd3681122c1492fc626ccb75

    SHA512

    f066ac602ce845fcfe3c7e47b34c5d1b2b7ba5dd8d95b9e70abc13c39c56d85f33a7291947f0fbe29236a78e5ad1ef7f06cf6156905ef916ddb673af71539827

  • C:\Windows\userinit.exe

    Filesize

    211KB

    MD5

    cd2df10cf30e39eaa424c91422bd0281

    SHA1

    7f8a3b67de23b90b86bc54ba32082a38dc336a93

    SHA256

    b772058dbf0d290666258ef7a85d5a2707e235f9c82c7604cbe6163dbcc0e519

    SHA512

    8a8a1964243749bdfbf6bc637b35343709e181140bcc3527981f146b6c00afe00aa3c3cdfe5932a23dbca075ab1d5790bc1f813c383195c61dd4a12c356e1877