Analysis

  • max time kernel
    120s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/08/2024, 01:04

General

  • Target

    efa66175cf3367c181ac59a698149890N.exe

  • Size

    3.2MB

  • MD5

    efa66175cf3367c181ac59a698149890

  • SHA1

    a0a62773b39dc7ea26a19663b1f98e2f8df76969

  • SHA256

    dbc410a3ed9c9392f81e2f4d2b68de11b7ac79841a2ebf559c34aa538b6db8c3

  • SHA512

    13f7c6f47d49ea362c4b7689bb42014edf7f2068b0eca1f02a1637cd1aaa47a9af0d65e585994de364c31553f70ffc4b244727599aff584f0c766da3dbb9ba02

  • SSDEEP

    49152:tWdx4HDQNJL0VR6SgMt+k4RiP+RmXMjiINiMq95FoHVHNTQTEjT333TYe:9HDYsqiPRhINnq95FoHVBT333T1

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\efa66175cf3367c181ac59a698149890N.exe
    "C:\Users\Admin\AppData\Local\Temp\efa66175cf3367c181ac59a698149890N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4236
    • \??\c:\users\admin\appdata\local\temp\efa66175cf3367c181ac59a698149890n.exe 
      c:\users\admin\appdata\local\temp\efa66175cf3367c181ac59a698149890n.exe 
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1040
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2044
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2504
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2640
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visibility of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1216
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1900

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\efa66175cf3367c181ac59a698149890n.exe 

    Filesize

    3.1MB

    MD5

    39c41ec190c34c174c78d9f4db91ff98

    SHA1

    33da26a7b9325109d1438cef20836c6cf4029710

    SHA256

    6027859fd47b7d875cb59fc26fa9bcf08b9e72cec9a00b49ebdd9dc2b7b889fe

    SHA512

    e31284baafce81a67a6e989bb4d2c459b1ffa3312591d03fd8674ad954bf8c7d7e5963d557447af4ed11e10389aba148251f809ba9963fccfad6ac62bc9b3b87

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    135KB

    MD5

    116e23a6b9e06ea16d80b481ca6f5a2b

    SHA1

    f9f01491d97fe3431a8e1d30dc4f5204c86bb602

    SHA256

    e46170a85db61e32c6aadf8c66fb9add8c1863fa1e22b063256e4d079e40d25f

    SHA512

    02b89317383c71e8697ef669c113fb76057d3ba0b1070a4956af34bfaf5a124d7e1167e81bfb32312d36cc27621e37e3341e976c7cfe0bc0d939438099acf2c2

  • C:\Windows\Resources\Themes\icsys.icn.exe

    Filesize

    135KB

    MD5

    b84ed00fa629ac9dbe86463809581b52

    SHA1

    88726da9890a73b0dfb72e81b4919e365191b94d

    SHA256

    c52308aa1759d285db060c679b0bfc3b1e6096ba588319ea6707ea7b245672d3

    SHA512

    8878fd85722bc4e65556915c1c06817571b86b41d1846e651c77904e992d6dfb41b22ea30f438189c2cec6c70d2a1ababe06379329f3d93a4ef29eac383d4b0c

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    135KB

    MD5

    79a0ddb83524795bedc15854432ae5a5

    SHA1

    73a6e48bd9ba8ca1d706502c71f694a13c9772fe

    SHA256

    d7e8da7f815a0f06967f5548bb455229cccc27e8b16b4b7b23378fbb542d30bc

    SHA512

    330751055313699075ec27a06cc87c57401b2fde46eafd4abea2c0fc8a6fcd285589644edff5704f04e3ed8e0826592f6b620b35e959a82135ca683a9875138d

  • \??\c:\windows\resources\svchost.exe

    Filesize

    135KB

    MD5

    1968dec6bbf58cdb5ba39ae508da596c

    SHA1

    9c7623a41a1e3074d792cb93323f2afb0019a61e

    SHA256

    2d28e47e34a59ea0a2bad93425b1af479cc49411c83a8d377ad3f9a78903c87a

    SHA512

    826c39632b53fcc051608181e2a88063d62e1996f34c3cb804f56852f382085f098abc9ba4e5071944ca04e5485e441adf6ad5d204f63f1e1997fb7e4f988ba9

  • memory/1040-8-0x0000000000900000-0x0000000000901000-memory.dmp

    Filesize

    4KB

  • memory/1040-48-0x0000000000900000-0x0000000000901000-memory.dmp

    Filesize

    4KB

  • memory/1040-49-0x0000000000400000-0x000000000071B000-memory.dmp

    Filesize

    3.1MB

  • memory/1216-51-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1900-44-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2044-46-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2504-50-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2640-45-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4236-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4236-47-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB