Analysis

  • max time kernel
    120s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/08/2024, 19:42

General

  • Target

    7af6e87aae1bc84f65a5452f9c5f6270N.exe

  • Size

    206KB

  • MD5

    7af6e87aae1bc84f65a5452f9c5f6270

  • SHA1

    b86d0813931e37be32baddcf1e8e059bf3264694

  • SHA256

    b15f06fa931041555e97169ea70f8550f9f228326bc8ee9b2ee36b000922bada

  • SHA512

    74f916ded191d9c6a3f72fa31eca39727007d134f3ea25a279fe89de206f72d0209e0bacaa62423b49975b80c1beb4236b1d99fc140713755d94fbb116763e76

  • SSDEEP

    3072:5vEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unS:5vEN2U+T6i5LirrllHy4HUcMQY6t

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7af6e87aae1bc84f65a5452f9c5f6270N.exe
    "C:\Users\Admin\AppData\Local\Temp\7af6e87aae1bc84f65a5452f9c5f6270N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1836
    • \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4612
      • \??\c:\windows\system\spoolsv.exe
        c:\windows\system\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2688
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3452
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3752
          • C:\Windows\SysWOW64\at.exe
            at 19:44 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1320
          • C:\Windows\SysWOW64\at.exe
            at 19:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4984

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\mrsys.exe

    Filesize

    206KB

    MD5

    d146409f819baeb8410fe16db937c2af

    SHA1

    a1b6aa8f223d74bcb382b684f549b5f4c11e3028

    SHA256

    cf9940bdf1cbe79f9fc0ab17082948248da0f7c6b31f0942fb40564997252acf

    SHA512

    b84a85ea30201ddec761185f3804e58a198a6f51e4e54aba11638d9b2e8767b86de0e377294b054157d9b9722913cfa1a5e1f9c84c44d1d9da1cf1f248eea040

  • C:\Windows\System\explorer.exe

    Filesize

    206KB

    MD5

    147bc225604cdde87f901568f5ace5ee

    SHA1

    002d4d78eecfdb99eb9cae71214d1d847f5b913e

    SHA256

    e904c0930278dd3efcdbf5b40ab3ded934d50fe07be1aa75967a5cf788ed0f3b

    SHA512

    c2255b73cb1424249ebaa73c437be8932ff4350e816bfe9850e1a36e20f5f25ce14ae3f34800b04a30fe0f25427237857b0ff45ab00723071415a1f9e1765d05

  • C:\Windows\System\spoolsv.exe

    Filesize

    206KB

    MD5

    446ea341965a712bf5a5b5fdce2cc6fa

    SHA1

    815ff8203c34a892cf6969e0795c69905def53b9

    SHA256

    25b3c1e94baa023abfdbdccdf7dc2b701f81fd9e8d8dfd6bc0d55771234ce909

    SHA512

    c89f4402ed4190ddfdfad3758e66d3ac14b0b923d1db13b59b5bcd2d17b5895f9d65a8ad3309843051743d43c76d33393127796b5e44a63de7c2d993e7bdc1a7

  • C:\Windows\System\svchost.exe

    Filesize

    206KB

    MD5

    0678084ea905cffc83749066b97f45b7

    SHA1

    e7868ada27c4f05ceafa49649008cddbbcf41647

    SHA256

    3a297c45ce807c1ee1bd0cfc04faba76e54034bbf33f42c724e1452fe9fd69ac

    SHA512

    3976ba33ce2f36353f0b948b329b4e78b37ba58a54f9ac45906c5052e2c4861852453c9afafaf22b01a861661776d2410d68baa4729a1aa46bd67a601db79593

  • memory/1836-0-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/1836-37-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2688-36-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/3452-39-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/3752-32-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/4612-38-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB