Analysis
max time kernel: 120s
max time network: 106s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/08/2024, 19:42
Static task: static1
Behavioral task: behavioral1
  Sample: 7af6e87aae1bc84f65a5452f9c5f6270N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 7af6e87aae1bc84f65a5452f9c5f6270N.exe
  Resource: win10v2004-20240802-en
General
Target: 7af6e87aae1bc84f65a5452f9c5f6270N.exe
Size: 206KB
MD5: 7af6e87aae1bc84f65a5452f9c5f6270
SHA1: b86d0813931e37be32baddcf1e8e059bf3264694
SHA256: b15f06fa931041555e97169ea70f8550f9f228326bc8ee9b2ee36b000922bada
SHA512: 74f916ded191d9c6a3f72fa31eca39727007d134f3ea25a279fe89de206f72d0209e0bacaa62423b49975b80c1beb4236b1d99fc140713755d94fbb116763e76
SSDEEP: 3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unS:5vEN2U+T6i5LirrllHy4HUcMQY6t
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 8 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Executes dropped EXE (4 IoCs)
pid | Process
4612 | explorer.exe
2688 | spoolsv.exe
3452 | svchost.exe
3752 | spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\system\explorer.exe | 7af6e87aae1bc84f65a5452f9c5f6270N.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7af6e87aae1bc84f65a5452f9c5f6270N.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | entries (identical rows collapsed)
1836 | 7af6e87aae1bc84f65a5452f9c5f6270N.exe | 2
4612 | explorer.exe | 32
3452 | svchost.exe | 30
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
4612 | explorer.exe
3452 | svchost.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
1836 | 7af6e87aae1bc84f65a5452f9c5f6270N.exe
1836 | 7af6e87aae1bc84f65a5452f9c5f6270N.exe
4612 | explorer.exe
4612 | explorer.exe
2688 | spoolsv.exe
2688 | spoolsv.exe
3452 | svchost.exe
3452 | svchost.exe
3752 | spoolsv.exe
3752 | spoolsv.exe
4612 | explorer.exe
4612 | explorer.exe
Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
PID 1836 wrote to memory of 4612 | 1836 | 7af6e87aae1bc84f65a5452f9c5f6270N.exe | 84
PID 1836 wrote to memory of 4612 | 1836 | 7af6e87aae1bc84f65a5452f9c5f6270N.exe | 84
PID 1836 wrote to memory of 4612 | 1836 | 7af6e87aae1bc84f65a5452f9c5f6270N.exe | 84
PID 4612 wrote to memory of 2688 | 4612 | explorer.exe | 85
PID 4612 wrote to memory of 2688 | 4612 | explorer.exe | 85
PID 4612 wrote to memory of 2688 | 4612 | explorer.exe | 85
PID 2688 wrote to memory of 3452 | 2688 | spoolsv.exe | 86
PID 2688 wrote to memory of 3452 | 2688 | spoolsv.exe | 86
PID 2688 wrote to memory of 3452 | 2688 | spoolsv.exe | 86
PID 3452 wrote to memory of 3752 | 3452 | svchost.exe | 87
PID 3452 wrote to memory of 3752 | 3452 | svchost.exe | 87
PID 3452 wrote to memory of 3752 | 3452 | svchost.exe | 87
PID 3452 wrote to memory of 1320 | 3452 | svchost.exe | 88
PID 3452 wrote to memory of 1320 | 3452 | svchost.exe | 88
PID 3452 wrote to memory of 1320 | 3452 | svchost.exe | 88
PID 3452 wrote to memory of 4984 | 3452 | svchost.exe | 104
PID 3452 wrote to memory of 4984 | 3452 | svchost.exe | 104
PID 3452 wrote to memory of 4984 | 3452 | svchost.exe | 104
Processes
[1] C:\Users\Admin\AppData\Local\Temp\7af6e87aae1bc84f65a5452f9c5f6270N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7af6e87aae1bc84f65a5452f9c5f6270N.exe"
    PID: 1836
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] \??\c:\windows\system\explorer.exe
      Command line: c:\windows\system\explorer.exe
      PID: 4612
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] \??\c:\windows\system\spoolsv.exe
        Command line: c:\windows\system\spoolsv.exe SE
        PID: 2688
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] \??\c:\windows\system\svchost.exe
          Command line: c:\windows\system\svchost.exe
          PID: 3452
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe PR
            PID: 3752
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\SysWOW64\at.exe
            Command line: at 19:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            PID: 1320
            - System Location Discovery: System Language Discovery
        [5] C:\Windows\SysWOW64\at.exe
            Command line: at 19:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            PID: 4984
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (4)
Downloads
Filesize: 206KB
MD5: d146409f819baeb8410fe16db937c2af
SHA1: a1b6aa8f223d74bcb382b684f549b5f4c11e3028
SHA256: cf9940bdf1cbe79f9fc0ab17082948248da0f7c6b31f0942fb40564997252acf
SHA512: b84a85ea30201ddec761185f3804e58a198a6f51e4e54aba11638d9b2e8767b86de0e377294b054157d9b9722913cfa1a5e1f9c84c44d1d9da1cf1f248eea040

Filesize: 206KB
MD5: 147bc225604cdde87f901568f5ace5ee
SHA1: 002d4d78eecfdb99eb9cae71214d1d847f5b913e
SHA256: e904c0930278dd3efcdbf5b40ab3ded934d50fe07be1aa75967a5cf788ed0f3b
SHA512: c2255b73cb1424249ebaa73c437be8932ff4350e816bfe9850e1a36e20f5f25ce14ae3f34800b04a30fe0f25427237857b0ff45ab00723071415a1f9e1765d05

Filesize: 206KB
MD5: 446ea341965a712bf5a5b5fdce2cc6fa
SHA1: 815ff8203c34a892cf6969e0795c69905def53b9
SHA256: 25b3c1e94baa023abfdbdccdf7dc2b701f81fd9e8d8dfd6bc0d55771234ce909
SHA512: c89f4402ed4190ddfdfad3758e66d3ac14b0b923d1db13b59b5bcd2d17b5895f9d65a8ad3309843051743d43c76d33393127796b5e44a63de7c2d993e7bdc1a7

Filesize: 206KB
MD5: 0678084ea905cffc83749066b97f45b7
SHA1: e7868ada27c4f05ceafa49649008cddbbcf41647
SHA256: 3a297c45ce807c1ee1bd0cfc04faba76e54034bbf33f42c724e1452fe9fd69ac
SHA512: 3976ba33ce2f36353f0b948b329b4e78b37ba58a54f9ac45906c5052e2c4861852453c9afafaf22b01a861661776d2410d68baa4729a1aa46bd67a601db79593