Analysis
- max time kernel: 120s
- max time network: 97s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
- submitted: 19/08/2024, 08:06
Static task: static1
Behavioral task: behavioral1
  Sample: 9bd6b24429fae827534170054d802790N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 9bd6b24429fae827534170054d802790N.exe
  Resource: win10v2004-20240802-en
General
- Target: 9bd6b24429fae827534170054d802790N.exe
- Size: 206KB
- MD5: 9bd6b24429fae827534170054d802790
- SHA1: 8d46af9c989ec26e75a406609106f9b5716c34ae
- SHA256: 6511321e2c89f197c6f039051d5abb69d306550fb41216c13958de126d66f48a
- SHA512: 60a617716ab4971ae2081f87c1e746f4d04c41c126c5ead69e659b3eece1991bba97ab8ca12292d9ba2b0966cf836e6461c89eb314ed856820730e13cfb3edfb
- SSDEEP: 1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJd3:/VqoCl/YgjxEufVU0TbTyDDalb3
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Executes dropped EXE (4 IoCs)
pid | Process
4140 | explorer.exe
1256 | spoolsv.exe
3120 | svchost.exe
244 | spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | 9bd6b24429fae827534170054d802790N.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9bd6b24429fae827534170054d802790N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3836 | 9bd6b24429fae827534170054d802790N.exe (repeated)
4140 | explorer.exe (repeated)
The 64 hits are all from these two processes: the original sample (PID 3836) and the dropped explorer.exe (PID 4140).
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
4140 | explorer.exe
3120 | svchost.exe
Suspicious use of SetWindowsHookEx (10 IoCs)
pid | Process
3836 | 9bd6b24429fae827534170054d802790N.exe (x2)
4140 | explorer.exe (x2)
1256 | spoolsv.exe (x2)
3120 | svchost.exe (x2)
244 | spoolsv.exe (x2)
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 3836 wrote to memory of 4140 | 3836 | 9bd6b24429fae827534170054d802790N.exe | 85
PID 3836 wrote to memory of 4140 | 3836 | 9bd6b24429fae827534170054d802790N.exe | 85
PID 3836 wrote to memory of 4140 | 3836 | 9bd6b24429fae827534170054d802790N.exe | 85
PID 4140 wrote to memory of 1256 | 4140 | explorer.exe | 86
PID 4140 wrote to memory of 1256 | 4140 | explorer.exe | 86
PID 4140 wrote to memory of 1256 | 4140 | explorer.exe | 86
PID 1256 wrote to memory of 3120 | 1256 | spoolsv.exe | 87
PID 1256 wrote to memory of 3120 | 1256 | spoolsv.exe | 87
PID 1256 wrote to memory of 3120 | 1256 | spoolsv.exe | 87
PID 3120 wrote to memory of 244 | 3120 | svchost.exe | 88
PID 3120 wrote to memory of 244 | 3120 | svchost.exe | 88
PID 3120 wrote to memory of 244 | 3120 | svchost.exe | 88
Each parent writes to its child three times before the child runs, which is the usual pattern for process creation via CreateProcess followed by injection into the freshly created child; the chain is sample -> explorer.exe -> spoolsv.exe -> svchost.exe -> spoolsv.exe.
Processes
1. C:\Users\Admin\AppData\Local\Temp\9bd6b24429fae827534170054d802790N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9bd6b24429fae827534170054d802790N.exe"
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 3836
   2. \??\c:\windows\resources\themes\explorer.exe
      Command line: c:\windows\resources\themes\explorer.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 4140
      3. \??\c:\windows\resources\spoolsv.exe
         Command line: c:\windows\resources\spoolsv.exe SE
         - Executes dropped EXE
         - Drops file in Windows directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         PID: 1256
         4. \??\c:\windows\resources\svchost.exe
            Command line: c:\windows\resources\svchost.exe
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 3120
            5. \??\c:\windows\resources\spoolsv.exe
               Command line: c:\windows\resources\spoolsv.exe PR
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
               - Suspicious use of SetWindowsHookEx
               PID: 244
Note that every dropped binary borrows the name of a Windows component (explorer.exe, spoolsv.exe, svchost.exe) but runs from c:\windows\resources\ or c:\windows\resources\themes\, where none of the genuine copies live; the RunOnce values above point at these same paths.
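The RunOnce persistence, the system-binary name masquerading, the ShowSuperHidden tampering and the parent/child chain recorded above translate directly into hunt rules. The Python below is an added example, not tria.ge's code and nothing from the sample itself: it runs over events constructed from this report's IoC rows and flags Run/RunOnce values that point at a Windows binary name outside its real directory, ShowSuperHidden forced to 0, any write of such a binary name (a dropped copy elsewhere or the genuine file overwritten), and rebuilds the PID chain from the WriteProcessMemory rows. The RegSet/FileWrite/ProcSpawn event shapes, the SYSTEM_BINARIES directory map and the ATT&CK IDs in the finding labels are my assumptions, not values taken from the report.

```python
"""Hunt rules for the behaviour in the report above, run over constructed events.
Added example; not tria.ge's code. Event shapes and the directory map are assumptions."""
import ntpath
import re
from collections import namedtuple

# Assumption: where the genuine copies of these binaries live on a default 64-bit Windows 10.
SYSTEM_BINARIES = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}
RUN_KEY_RE = re.compile(r"\\currentversion\\(run|runonce)\\[^\\]+$", re.IGNORECASE)
SUPERHIDDEN_RE = re.compile(r"\\explorer\\advanced\\showsuperhidden$", re.IGNORECASE)

RegSet = namedtuple("RegSet", "key data process")            # registry value written
FileWrite = namedtuple("FileWrite", "path process")          # file opened for modification
ProcSpawn = namedtuple("ProcSpawn", "parent_pid pid image")  # parent wrote to / started child


def normalize_path(p):
    """Drop the NT '\\??\\' prefix and surrounding quotes; lower-case; backslashes only."""
    p = p.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower().replace("/", "\\")


def image_from_run_data(data):
    """'c:\\windows\\resources\\svchost.exe RO' -> the image path without its arguments."""
    data = data.strip()
    if data.startswith('"'):
        return normalize_path(data[1:].split('"', 1)[0])
    return normalize_path(data.split(" ", 1)[0])


def is_masquerading(image_path):
    """True when the file name is a Windows binary but the directory is not where it belongs."""
    path = normalize_path(image_path)
    expected = SYSTEM_BINARIES.get(ntpath.basename(path))
    return expected is not None and ntpath.dirname(path) not in expected


def check_registry(events):
    """Run/RunOnce pointing at a masquerading binary, or ShowSuperHidden forced to 0."""
    findings = []
    for ev in events:
        if RUN_KEY_RE.search(ev.key):
            image = image_from_run_data(ev.data)
            if is_masquerading(image):
                findings.append(("T1547.001 Run key -> masquerading binary", ev.process, image))
        elif SUPERHIDDEN_RE.search(ev.key) and ev.data.strip() == "0":
            findings.append(("T1564.001 ShowSuperHidden disabled", ev.process, ev.key))
    return findings


def check_file_writes(events):
    """Any write of a system-binary file name: a copy dropped elsewhere, or the real one overwritten."""
    findings = []
    for ev in events:
        path = normalize_path(ev.path)
        if ntpath.basename(path) in SYSTEM_BINARIES:
            kind = "dropped masquerading copy" if is_masquerading(path) else "wrote to real system binary path"
            findings.append((kind, ev.process, path))
    return findings


def process_chain(spawns, root_pid):
    """Follow parent -> child links from root_pid and return the ordered PID chain."""
    child_of = {s.parent_pid: s.pid for s in spawns}
    chain = [root_pid]
    while chain[-1] in child_of:
        chain.append(child_of[chain[-1]])
    return chain


# Constructed from this report's IoC rows (sandbox PIDs and paths, not a real host's).
REG_USER = r"\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000"
REG_EVENTS = [
    RegSet(r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost",
           r"c:\windows\resources\svchost.exe RO", "explorer.exe"),
    RegSet(r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer",
           r"c:\windows\resources\themes\explorer.exe RO", "svchost.exe"),
    RegSet(REG_USER + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
           "0", "explorer.exe"),
]
FILE_EVENTS = [
    FileWrite(r"\??\c:\windows\resources\themes\explorer.exe", "9bd6b24429fae827534170054d802790N.exe"),
    FileWrite(r"\??\c:\windows\resources\spoolsv.exe", "explorer.exe"),
    FileWrite(r"\??\c:\windows\resources\svchost.exe", "spoolsv.exe"),
    FileWrite(r"C:\Windows\Resources\tjud.exe", "explorer.exe"),
    FileWrite(r"C:\Windows\SysWOW64\explorer.exe", "explorer.exe"),
]
SPAWNS = [
    ProcSpawn(3836, 4140, r"c:\windows\resources\themes\explorer.exe"),
    ProcSpawn(4140, 1256, r"c:\windows\resources\spoolsv.exe"),
    ProcSpawn(1256, 3120, r"c:\windows\resources\svchost.exe"),
    ProcSpawn(3120, 244, r"c:\windows\resources\spoolsv.exe"),
]

if __name__ == "__main__":
    for finding in check_registry(REG_EVENTS) + check_file_writes(FILE_EVENTS):
        print(" | ".join(finding))
    print("chain:", " -> ".join(map(str, process_chain(SPAWNS, 3836))))
```

On the report's events this yields two RunOnce findings, one ShowSuperHidden finding, three dropped masquerading copies, one write to the genuine C:\Windows\SysWOW64\explorer.exe path, and the chain 3836 -> 4140 -> 1256 -> 3120 -> 244. The tjud.exe drop is not matched because its name does not impersonate a Windows component; a rule on writes to C:\Windows\Resources\ by non-installer processes would be the natural companion.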
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 206KB
  MD5: a8e58b6ae875f1cf7993af3e8fd194ed
  SHA1: e9fb617818fe66840b53a26be2c3f4d40b1ec046
  SHA256: 3edb5d5fa8599057fa7ecd9bb0eaff21a6fbbbbffae19e2462cf2fc25398435a
  SHA512: 65214058053529706714c36cff0e818009fe67c343ca0c2220c3f1f39442724452033f71e27951b0cd4a84aad2bd1ce79708cacf3d59b9a1d50097b0c8125b61
- Filesize: 206KB
  MD5: 0febd61593d5cf40b7e18dd6e5fba201
  SHA1: 93ccde654add1a6553b8d7820c6f06fc00d65367
  SHA256: fc132ce3eb72d260d2d5343109934ab83019c32ccd5bd8c5417e572236a8765c
  SHA512: 4e5992bd566d977aa48f4e352c286abcc74d04c85add3f2e016ca4686d53aefad10740184ef746130c796a0f7744f583bc43c09648de28e5cb37e4291035cbdc
- Filesize: 206KB
  MD5: 1cec75e4302c86e15bee576db9a648ec
  SHA1: 905c831495f4d597e004ec2e320f8e2fe4a3ec87
  SHA256: b594034f06d1f2c27d67a94aea702dbd80220062bfe7344d3d93a987ca70d394
  SHA512: bbf171ce8d34a7fef3784c066cc7700097f3a9549adf1c1dd506bbdca8df964985a4e265d596092416728a6145d7f65168388d5760c5a6db4f4af1f5a332aad1