Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

234affae1e...0f.exe

windows7-x64

10

234affae1e...0f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    24/08/2024, 20:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    234affae1e0c38c977b55959972e627e6df25af817d65b35eb2a0304a26f690f.exe

  • Size

    206KB

  • MD5

    9876b3c6c6fcf53bdf065d81ec051072

  • SHA1

    a6c41ea3dc0420870363aa2cb4f96006f831e54e

  • SHA256

    234affae1e0c38c977b55959972e627e6df25af817d65b35eb2a0304a26f690f

  • SHA512

    abcf53fa1bb3e5866230517516876100bbf7ca38f72e0de1f48922aa64c153f7cc22e533af9a8ecda22b8d087f854dabd22e4de8b705ebf98b5485bd385becff

  • SSDEEP

    1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdV:/VqoCl/YgjxEufVU0TbTyDDalbV

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\234affae1e0c38c977b55959972e627e6df25af817d65b35eb2a0304a26f690f.exe
    "C:\Users\Admin\AppData\Local\Temp\234affae1e0c38c977b55959972e627e6df25af817d65b35eb2a0304a26f690f.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1956
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2500
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2388
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2908
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2724
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:24 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2856
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:25 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2812
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:26 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:580
      • C:\Windows\Explorer.exe
        C:\Windows\Explorer.exe
        3⤵
          PID:2736

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Windows\Resources\Themes\explorer.exe
      Filesize

      206KB

      MD5

      d739417ee850eca3384c502aa2d9591d

      SHA1

      a429891394828719b3661d5ca11086ab79d90f9b

      SHA256

      456e0284db699610ab49d81a7113a6af9b208ae7cb3f87f565dd2314723ff6fd

      SHA512

      4357fa6889b060d6757f75b488135d13a1eb0a59314608e090f17e45cd24d2c915d0c2400c5b6112c3299cc92801b9c71faf5073de41dd38de80c8f0eae4947b

      Download Submit

    • \Windows\Resources\spoolsv.exe
      Filesize

      206KB

      MD5

      8255f40feec017695a9262a3c9775a15

      SHA1

      2e027f62b6290e136846623f6518cf94d679deb6

      SHA256

      034d0044fdd872ba8097798c702473232e8fee28a5878ad600301c120257cdd9

      SHA512

      9348c60de58192e8f1753048900215904f3b061721eeb2bb31961d0b3ae05e0b6c11659a619313a1ac7f156fefe9641f3c5e542a1c63d4142420781008c0ca2a

      Download Submit

    • \Windows\Resources\svchost.exe
      Filesize

      206KB

      MD5

      b17d5b7217db225cc671b77610329be6

      SHA1

      ed083bc1bc5e8d7622ba39442058235cf9ea7faa

      SHA256

      280329eb200b8984c4bfd3b97b086e3a05a1d0a7b57127419d6a31c116e972d8

      SHA512

      14ac5296e1eebfbd91764a4d18da874ac9d4b7f3d92280cfc331771db4b0ea7ec9f8dbeaba5256df4b60be46d2cf420981aa619508b4b6ad03dccb2023fc6f1f

      Download Submit

    • memory/1956-13-0x00000000003A0000-0x00000000003CF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1956-0-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1956-12-0x00000000003A0000-0x00000000003CF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1956-56-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2388-41-0x00000000005D0000-0x00000000005FF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2388-55-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2500-27-0x0000000000430000-0x000000000045F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2500-57-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2724-54-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2908-50-0x00000000023C0000-0x00000000023EF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2908-58-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download