Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/08/2024, 08:06

General

  • Target

    9bd6b24429fae827534170054d802790N.exe

  • Size

    206KB

  • MD5

    9bd6b24429fae827534170054d802790

  • SHA1

    8d46af9c989ec26e75a406609106f9b5716c34ae

  • SHA256

    6511321e2c89f197c6f039051d5abb69d306550fb41216c13958de126d66f48a

  • SHA512

    60a617716ab4971ae2081f87c1e746f4d04c41c126c5ead69e659b3eece1991bba97ab8ca12292d9ba2b0966cf836e6461c89eb314ed856820730e13cfb3edfb

  • SSDEEP

    1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJd3:/VqoCl/YgjxEufVU0TbTyDDalb3

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9bd6b24429fae827534170054d802790N.exe
    "C:\Users\Admin\AppData\Local\Temp\9bd6b24429fae827534170054d802790N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3836
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4140
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1256
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3120
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:244

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    206KB

    MD5

    a8e58b6ae875f1cf7993af3e8fd194ed

    SHA1

    e9fb617818fe66840b53a26be2c3f4d40b1ec046

    SHA256

    3edb5d5fa8599057fa7ecd9bb0eaff21a6fbbbbffae19e2462cf2fc25398435a

    SHA512

    65214058053529706714c36cff0e818009fe67c343ca0c2220c3f1f39442724452033f71e27951b0cd4a84aad2bd1ce79708cacf3d59b9a1d50097b0c8125b61

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    206KB

    MD5

    0febd61593d5cf40b7e18dd6e5fba201

    SHA1

    93ccde654add1a6553b8d7820c6f06fc00d65367

    SHA256

    fc132ce3eb72d260d2d5343109934ab83019c32ccd5bd8c5417e572236a8765c

    SHA512

    4e5992bd566d977aa48f4e352c286abcc74d04c85add3f2e016ca4686d53aefad10740184ef746130c796a0f7744f583bc43c09648de28e5cb37e4291035cbdc

  • C:\Windows\Resources\svchost.exe

    Filesize

    206KB

    MD5

    1cec75e4302c86e15bee576db9a648ec

    SHA1

    905c831495f4d597e004ec2e320f8e2fe4a3ec87

    SHA256

    b594034f06d1f2c27d67a94aea702dbd80220062bfe7344d3d93a987ca70d394

    SHA512

    bbf171ce8d34a7fef3784c066cc7700097f3a9549adf1c1dd506bbdca8df964985a4e265d596092416728a6145d7f65168388d5760c5a6db4f4af1f5a332aad1

  • memory/244-32-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1256-33-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3120-36-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3836-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3836-34-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4140-35-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB