Analysis
  max time kernel: 120s
  max time network: 120s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 25/08/2024, 19:56
Static task
  static1
Behavioral task
  behavioral1
    Sample: 89ee1a81ae7fa351c0a459c97d5e8680N.exe
    Resource: win7-20240705-en
Behavioral task
  behavioral2
    Sample: 89ee1a81ae7fa351c0a459c97d5e8680N.exe
    Resource: win10v2004-20240802-en
General
  Target: 89ee1a81ae7fa351c0a459c97d5e8680N.exe
  Size: 3.6MB
  MD5: 89ee1a81ae7fa351c0a459c97d5e8680
  SHA1: b33657444c36d3bd09d01758c92ffe4104756114
  SHA256: 76e24c3e4eea9c6c2ae3574f00318d6e90bfed25e9c0b0e536ddd76fd4ca6deb
  SHA512: 97028e2fd81dac5a798d42276f39b5f3d67abedcd198e10033ec270ac980a7f19c1b4814e284532cd054560bdde90ab5f74a8d0992def771a467591c9435d75d
  SSDEEP: 98304:ddByXcdnlLwOrI5Vfeg91hZOhkRpsinjP:ddien+OrFuBR6cP
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                   Process
  Set value (int)  \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  explorer.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  svchost.exe

Executes dropped EXE (4 IoCs)
  pid   Process
  4860  explorer.exe
  1900  spoolsv.exe
  4560  svchost.exe
  800   spoolsv.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description      ioc                                                                                                                                        Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"  explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"           explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"  svchost.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"           svchost.exe

Drops file in System32 directory (2 IoCs)
  description                   ioc                               Process
  File opened for modification  C:\Windows\SysWOW64\explorer.exe  explorer.exe
  File opened for modification  C:\Windows\SysWOW64\explorer.exe  svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (28 IoCs)
  pid   Process                                hits
  812   89ee1a81ae7fa351c0a459c97d5e8680N.exe  1
  4860  explorer.exe                           13
  1900  spoolsv.exe                            1
  4560  svchost.exe                            12
  800   spoolsv.exe                            1

Drops file in Windows directory (4 IoCs)
  description                   ioc                                           Process
  File opened for modification  \??\c:\windows\resources\themes\explorer.exe  89ee1a81ae7fa351c0a459c97d5e8680N.exe
  File opened for modification  \??\c:\windows\resources\spoolsv.exe          explorer.exe
  File opened for modification  \??\c:\windows\resources\svchost.exe          spoolsv.exe
  File opened for modification  C:\Windows\Resources\tjud.exe                 explorer.exe

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  89ee1a81ae7fa351c0a459c97d5e8680N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  explorer.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  spoolsv.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  spoolsv.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  812   89ee1a81ae7fa351c0a459c97d5e8680N.exe  (repeated)
  4860  explorer.exe                           (repeated)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid   Process
  4860  explorer.exe
  4560  svchost.exe

Suspicious use of SetWindowsHookEx (15 IoCs)
  pid   Process                                hits
  812   89ee1a81ae7fa351c0a459c97d5e8680N.exe  3
  4860  explorer.exe                           3
  1900  spoolsv.exe                            3
  4560  svchost.exe                            3
  800   spoolsv.exe                            3

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                procid_target  hits
  PID 812 wrote to memory of 4860    812   89ee1a81ae7fa351c0a459c97d5e8680N.exe  93             3
  PID 4860 wrote to memory of 1900   4860  explorer.exe                           95             3
  PID 1900 wrote to memory of 4560   1900  spoolsv.exe                            96             3
  PID 4560 wrote to memory of 800    4560  svchost.exe                            97             3
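The two registry signatures above (ShowSuperHidden = 0 in the user hive, and the RunOnce values under WOW6432Node) are the report's hiding and persistence evidence. The Python below is an added example by the editor, not code from the tria.ge report or from the sample: it parses the "Set value" rows in the exact form the report prints them (copied here as constructed input), splits each autorun command into image path and argument, and groups the results so it is visible that both explorer.exe and svchost.exe re-write the same two RunOnce values. RunOnce entries are deleted by Windows when they are consumed at logon, so a sample that relies on them has to re-arm them on every run, which is what the paired writes show; the WOW6432Node path together with the arch:x86 resource tag marks a 32-bit writer under registry redirection, and that 32-bit Run/RunOnce view is still processed at logon. The ATT&CK technique IDs in the output are the editor's mapping, not ones the report states.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed input: the six "Set value" rows exactly as the report prints them
# (two ShowSuperHidden writes, four RunOnce writes). Paths in the str values
# carry doubled backslashes, as on the page.
REGISTRY_IOCS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe',
]

ROW_RE = re.compile(r'^Set value \((int|str)\) (\S+) = "(.*)" (\S+)$')
HIVES = {"MACHINE": "HKLM", "USER": "HKU"}
AUTORUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")


@dataclass
class RegWrite:
    hive: str      # HKLM or HKU
    key: str       # key path below the hive root
    name: str      # value name
    kind: str      # "int" or "str" as the report labels it
    data: str      # value data with the report's doubled backslashes collapsed
    process: str   # process that performed the write
    wow64: bool    # True when written under the WOW6432Node (32-bit) view


def parse_row(row: str) -> RegWrite:
    """Parse one 'Set value (...)' row from a tria.ge signature table."""
    m = ROW_RE.match(row)
    if not m or not m.group(2).startswith("\\REGISTRY\\"):
        raise ValueError(f"unrecognised row: {row!r}")
    kind, path, data, process = m.groups()
    root, _, subpath = path[len("\\REGISTRY\\"):].partition("\\")
    key, _, name = subpath.rpartition("\\")
    wow64 = "\\wow6432node\\" in ("\\" + key + "\\").lower()
    return RegWrite(HIVES[root], key, name, kind, data.replace("\\\\", "\\"), process, wow64)


def split_command(cmd: str) -> tuple[str, str]:
    """Split an autorun command into image path and arguments, honouring a quoted image path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    image, _, args = cmd.partition(" ")
    return image, args


def assess(writes: list[RegWrite]) -> list[dict]:
    """Turn raw writes into findings; technique IDs are the editor's ATT&CK mapping."""
    findings = []
    for w in writes:
        key = w.key.lower()
        if key.endswith(AUTORUN_SUFFIXES):
            image, args = split_command(w.data)
            findings.append({
                "technique": "T1547.001 Registry Run Keys / Startup Folder",
                "hive": w.hive, "key": w.key, "value": w.name,
                "image": image, "args": args, "by": w.process,
                "run_once": key.endswith("\\runonce"),  # deleted when consumed, so must be re-armed
                "wow64_view": w.wow64,                   # 32-bit writer under registry redirection
            })
        elif key.endswith("\\explorer\\advanced") and w.name.lower() == "showsuperhidden" and w.data == "0":
            findings.append({
                "technique": "T1564.001 Hidden Files and Directories",
                "hive": w.hive, "key": w.key, "value": w.name, "by": w.process,
                "effect": "Explorer hides protected operating-system files",
            })
    return findings


def summarise(writes: list[RegWrite]) -> dict:
    """Group findings: each distinct autorun entry -> set of processes that wrote it."""
    persistence: dict[tuple, set] = {}
    hiding: set[str] = set()
    for f in assess(writes):
        if f["technique"].startswith("T1547"):
            persistence.setdefault((f["value"], f["image"], f["args"]), set()).add(f["by"])
        else:
            hiding.add(f["by"])
    return {"persistence": persistence, "hiding_processes": hiding}


if __name__ == "__main__":
    summary = summarise([parse_row(r) for r in REGISTRY_IOCS])
    for (value, image, args), writers in summary["persistence"].items():
        print(f"RunOnce\\{value}: {image} {args}  (written by {', '.join(sorted(writers))})")
    print("ShowSuperHidden=0 set by:", ", ".join(sorted(summary["hiding_processes"])))
```

Running the block prints two RunOnce entries, Explorer and Svchost, each pointing at a binary under c:\windows\resources with the argument RO and each written by both explorer.exe and svchost.exe. The same parser works on any tria.ge "Set value" row, so the hunt logic can be pointed at other reports without changes.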
Processes

C:\Users\Admin\AppData\Local\Temp\89ee1a81ae7fa351c0a459c97d5e8680N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\89ee1a81ae7fa351c0a459c97d5e8680N.exe"
  PID: 812
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\windows\resources\themes\explorer.exe
    Command line: c:\windows\resources\themes\explorer.exe
    PID: 4860
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\resources\spoolsv.exe
      Command line: c:\windows\resources\spoolsv.exe SE
      PID: 1900
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\resources\svchost.exe
        Command line: c:\windows\resources\svchost.exe
        PID: 4560
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\resources\spoolsv.exe
          Command line: c:\windows\resources\spoolsv.exe PR
          PID: 800
          - Executes dropped EXE
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3828,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=4436 /prefetch:8
  PID: 4760
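The WriteProcessMemory rows, the "Executes dropped EXE" pids and the "Drops file in Windows directory" rows describe the same five-process chain from three angles, and the process tree above is what they add up to. The Python below is an added example by the editor, not part of the report or of the sample: it rebuilds the parent/child chain from the WriteProcessMemory rows (three writes per child is the pattern the report records for each spawn), names each pid from the dropped-EXE table, and checks every dropped path against the chain. That correlation shows each stage dropping the next stage's binary, while C:\Windows\Resources\tjud.exe is written by explorer.exe but never executed within the 120 s run. Note also that the stage arguments differ by launch path: RO in the RunOnce values, SE and PR on the two spoolsv.exe command lines. All input rows are copied from this page; the function names are the editor's.

```python
import re
from collections import defaultdict

# Constructed input, copied from the report's "Suspicious use of WriteProcessMemory"
# table: each parent/child pair appears three times, as on the page.
WPM_ROWS = [
    "PID 812 wrote to memory of 4860 812 89ee1a81ae7fa351c0a459c97d5e8680N.exe 93",
    "PID 812 wrote to memory of 4860 812 89ee1a81ae7fa351c0a459c97d5e8680N.exe 93",
    "PID 812 wrote to memory of 4860 812 89ee1a81ae7fa351c0a459c97d5e8680N.exe 93",
    "PID 4860 wrote to memory of 1900 4860 explorer.exe 95",
    "PID 4860 wrote to memory of 1900 4860 explorer.exe 95",
    "PID 4860 wrote to memory of 1900 4860 explorer.exe 95",
    "PID 1900 wrote to memory of 4560 1900 spoolsv.exe 96",
    "PID 1900 wrote to memory of 4560 1900 spoolsv.exe 96",
    "PID 1900 wrote to memory of 4560 1900 spoolsv.exe 96",
    "PID 4560 wrote to memory of 800 4560 svchost.exe 97",
    "PID 4560 wrote to memory of 800 4560 svchost.exe 97",
    "PID 4560 wrote to memory of 800 4560 svchost.exe 97",
]
# From the report's "Executes dropped EXE" table: pid -> image name.
DROPPED_EXE = {4860: "explorer.exe", 1900: "spoolsv.exe", 4560: "svchost.exe", 800: "spoolsv.exe"}
# From "Drops file in Windows directory": (path opened for modification, writing process).
FILE_DROPS = [
    (r"\??\c:\windows\resources\themes\explorer.exe", "89ee1a81ae7fa351c0a459c97d5e8680N.exe"),
    (r"\??\c:\windows\resources\spoolsv.exe", "explorer.exe"),
    (r"\??\c:\windows\resources\svchost.exe", "spoolsv.exe"),
    (r"C:\Windows\Resources\tjud.exe", "explorer.exe"),
]

# "PID <src> wrote to memory of <dst> <src> <src image> <procid_target>"
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")


def build_tree(rows, known_names):
    """Return (roots, children, write_counts, names) from WriteProcessMemory rows."""
    children = defaultdict(list)      # parent pid -> ordered child pids
    write_counts = defaultdict(int)   # (parent, child) -> number of writes recorded
    names = dict(known_names)         # pid -> image; the writer's image fills in the root
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        src, dst, image = int(m.group(1)), int(m.group(2)), m.group(3)
        names.setdefault(src, image)
        if dst not in children[src]:
            children[src].append(dst)
        write_counts[(src, dst)] += 1
    spawned = {c for kids in children.values() for c in kids}
    roots = [p for p in children if p not in spawned]
    return roots, dict(children), dict(write_counts), names


def chain(root, children):
    """Follow a single-child chain from root; stops where the tree branches or ends."""
    out = [root]
    while len(children.get(out[-1], [])) == 1:
        out.append(children[out[-1]][0])
    return out


def render(pid, children, names, write_counts, depth=0, parent=None):
    """Indented tree in the style of the report's Processes section."""
    note = f"  [{write_counts[(parent, pid)]} writes from parent]" if parent is not None else ""
    lines = [f"{'  ' * depth}{names.get(pid, '?')} (pid {pid}){note}"]
    for kid in children.get(pid, []):
        lines.extend(render(kid, children, names, write_counts, depth + 1, pid))
    return lines


def correlate_drops(file_drops, names, chain_pids):
    """Mark each dropped path as executed or not by matching its basename against the chain.

    Basename matching is deliberate here: the report's Processes section confirms the
    chain runs from c:\\windows\\resources, so a name match is a path match for this run.
    """
    executed = {names[p].lower() for p in chain_pids}
    return [
        {"path": path, "dropped_by": writer,
         "executed_in_window": path.rsplit("\\", 1)[-1].lower() in executed}
        for path, writer in file_drops
    ]


if __name__ == "__main__":
    roots, kids, counts, names = build_tree(WPM_ROWS, DROPPED_EXE)
    for root in roots:
        print("\n".join(render(root, kids, names, counts)))
        for d in correlate_drops(FILE_DROPS, names, chain(root, kids)):
            state = "executed" if d["executed_in_window"] else "dropped but NOT executed in the 120s run"
            print(f"{d['path']}  <- {d['dropped_by']}  ({state})")
```

The output reproduces the five-level tree from the report with 812 as the only root, then lists the four drops; the first three resolve to a later stage in the chain and tjud.exe does not, which is the one artefact of this run that would need a longer analysis window or a manual follow-up.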
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 3.6MB
  MD5: f5b4058dcc803e4e6fba4dc410889f6c
  SHA1: 3cb95913483139627a60e0beb7d643630cdf9fb2
  SHA256: 379ac1b4ca0e6a92faaf796a7cbdc51afe043b757565e70dfffeffed33a5b200
  SHA512: 37563070b4d1c0baa7185edf867ab4775e9d5008f305e7a86617f749ac314f18f11ac4e451112663bd2ca5f259a6062c7895a2cac8b607c0f4b1d459bd4ac85f

File 2
  Filesize: 3.6MB
  MD5: e22f576d434787315a4e1cdb6dd9eafd
  SHA1: cc5ea6dd55dfb90e02eef21c5001149a22e267d2
  SHA256: 59707b6575600cba00b2e480c81ad531e82a2c8b749ff2b531cd341fa4189b81
  SHA512: fa2b0839e48f4dd6da9f36aefb4335edded16236523ac8b7f2a91ab07aadc08feebbc21275172a63393147e928f87d37e8dd308730a2edf4699041e53010e1a2

File 3
  Filesize: 3.6MB
  MD5: 2d44a95d566fc6276079133acb5c772b
  SHA1: 0449cb7b8aaa8f99dedcbfee6411658a29a224e6
  SHA256: 90d424e9e0ab2afd6dcc4ca8c597fa54e07867e792f51770584bf1cbb08a5145
  SHA512: 12410242dab5fcc569c36e3e3ab12da8aa76eaa489757e74020083516d4e10dce3947da56d100f48e1eec99d5ebf42b67002db1cfe2cda88bfa2c16687583a03