Analysis
max time kernel: 120s
max time network: 111s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/09/2024, 08:37
Static task
static1
Behavioral task
behavioral1
Sample
d037518b72d14dbe71f18bb38e868190N.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
d037518b72d14dbe71f18bb38e868190N.exe
Resource
win10v2004-20240802-en
General
Target: d037518b72d14dbe71f18bb38e868190N.exe
Size: 135KB
MD5: d037518b72d14dbe71f18bb38e868190
SHA1: e2b297a82c978a3b18b0ce33239123fc14e354c6
SHA256: 6cfbc35636edc4b6f29c017d38c3861a64165c3a6d78e348c53cae22ee19db08
SHA512: bae1850e51c8d40a7a5fab271327c3049e8fb724818f58e04d20d32b0b0eb00a18051e95c51260dceb736b5666af7489c8d5544795bf9ac6eac587197b6d734a
SSDEEP: 1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbV+nRRRRRRRRRRRRf:UVqoCl/YgjxEufVU0TbTyDDal0P
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe

Executes dropped EXE (4 IoCs)
pid | Process
3648 | explorer.exe
3236 | spoolsv.exe
4992 | svchost.exe
3932 | spoolsv.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | d037518b72d14dbe71f18bb38e868190N.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d037518b72d14dbe71f18bb38e868190N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs; the report lists only the two rows below, each hit many times)
pid | Process
4560 | d037518b72d14dbe71f18bb38e868190N.exe
3648 | explorer.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
3648 | explorer.exe
4992 | svchost.exe

Suspicious use of SetWindowsHookEx (10 IoCs; each row below is reported twice)
pid | Process
4560 | d037518b72d14dbe71f18bb38e868190N.exe
3648 | explorer.exe
3236 | spoolsv.exe
4992 | svchost.exe
3932 | spoolsv.exe

Suspicious use of WriteProcessMemory (12 IoCs; each row below is reported three times)
description | pid | Process | procid_target
PID 4560 wrote to memory of 3648 | 4560 | d037518b72d14dbe71f18bb38e868190N.exe | 84
PID 3648 wrote to memory of 3236 | 3648 | explorer.exe | 86
PID 3236 wrote to memory of 4992 | 3236 | spoolsv.exe | 87
PID 4992 wrote to memory of 3932 | 4992 | svchost.exe | 89
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\d037518b72d14dbe71f18bb38e868190N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d037518b72d14dbe71f18bb38e868190N.exe"
  PID: 4560
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Level 2: \??\c:\windows\resources\themes\explorer.exe
    command line: c:\windows\resources\themes\explorer.exe
    PID: 3648
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    Level 3: \??\c:\windows\resources\spoolsv.exe
      command line: c:\windows\resources\spoolsv.exe SE
      PID: 3236
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      Level 4: \??\c:\windows\resources\svchost.exe
        command line: c:\windows\resources\svchost.exe
        PID: 4992
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        Level 5: \??\c:\windows\resources\spoolsv.exe
          command line: c:\windows\resources\spoolsv.exe PR
          PID: 3932
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
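The signatures and process tree above describe one pattern: copies of the sample run under Windows system-binary names (explorer.exe, spoolsv.exe, svchost.exe) from c:\windows\resources\ rather than from C:\Windows or System32, each one spawning the next; RunOnce values under WOW6432Node (the 32-bit registry view on the x64 image, consistent with the arch:x86 tag) point back to those paths; and ShowSuperHidden is set to 0 so the dropped files stay hidden in Explorer. The three files listed under Downloads are all 135KB like the sample but carry different hashes, so a hash-only match on the parent will not catch the dropped copies; path and behaviour are the durable indicators. The detection logic below is an added example, not code from tria.ge or from the sample, run over constructed Sysmon-style events that mirror the IoCs above. The event field names (type, image, parent_image, key, value, path, process) and the LEGIT_DIRS table are assumptions for the example.

```python
"""Detection logic for the behaviours in the report above, applied to
constructed Sysmon-style events. Added example: not tria.ge code and not
the sample's code. Event field names and LEGIT_DIRS are assumptions."""
import re
from collections import Counter

# Names the dropped copies masquerade as (from the process tree above) and
# the directories where each real binary lives (assumed; extend per image).
MASQUERADED_NAMES = {"explorer.exe", "svchost.exe", "spoolsv.exe"}
LEGIT_DIRS = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}
# Run / RunOnce values under either the native or the WOW6432Node view.
AUTORUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?\\[^\\]+$", re.I)
SHOWSUPERHIDDEN_RE = re.compile(r"\\explorer\\advanced\\showsuperhidden$", re.I)
RESOURCES_DIR = "c:\\windows\\resources\\"


def normalize(path):
    """Lower-case, strip quotes and the NT \\??\\ prefix, unify separators."""
    p = path.strip().strip('"').replace("/", "\\").lower()
    return p[4:] if p.startswith("\\??\\") else p


def first_token(cmdline):
    """Image path from a command line: the quoted part, else up to a space."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def masquerading(image):
    """True when the image carries a system-binary name but lives outside
    that binary's home directory (c:\\windows\\resources\\... in the report)."""
    directory, _, name = normalize(image).rpartition("\\")
    return name in MASQUERADED_NAMES and directory not in LEGIT_DIRS[name]


def check_event(ev):
    """Return (rule, detail) alerts for one event dict."""
    alerts = []
    kind = ev["type"]
    if kind == "process_create":
        img = normalize(ev["image"])
        if masquerading(img):
            alerts.append(("masquerade", "pid %d %s" % (ev["pid"], img)))
            # Parent masquerading too: the explorer -> spoolsv -> svchost chain.
            if masquerading(ev["parent_image"]):
                alerts.append(("masquerade_chain",
                               "%s -> %s" % (normalize(ev["parent_image"]), img)))
    elif kind == "registry_set":
        key = ev["key"]
        if AUTORUN_KEY_RE.search(key) and masquerading(first_token(ev["value"])):
            alerts.append(("autorun_masquerade", "%s = %s" % (key, ev["value"])))
        # "0" is also the Windows default; only meaningful alongside the rest.
        if SHOWSUPERHIDDEN_RE.search(key) and str(ev["value"]) == "0":
            alerts.append(("hide_system_files", "%s set ShowSuperHidden=0" % ev["process"]))
    elif kind == "file_create":
        path = normalize(ev["path"])
        # Themes live here; executables do not.
        if path.startswith(RESOURCES_DIR) and path.endswith(".exe"):
            alerts.append(("exe_in_resources", "%s wrote %s" % (ev["process"], path)))
    return alerts


def scan(events):
    return [a for ev in events for a in check_event(ev)]


def summarize(alerts):
    return Counter(rule for rule, _ in alerts)


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d037518b72d14dbe71f18bb38e868190N.exe"
RES = r"c:\windows\resources"
# Constructed events mirroring the report's process tree and IoCs, plus benign noise.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4560, "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "file_create", "process": "d037518b72d14dbe71f18bb38e868190N.exe",
     "path": r"\??\c:\windows\resources\themes\explorer.exe"},
    {"type": "process_create", "pid": 3648, "image": r"\??\c:\windows\resources\themes\explorer.exe",
     "parent_image": SAMPLE},
    {"type": "file_create", "process": "explorer.exe", "path": r"C:\Windows\Resources\tjud.exe"},
    {"type": "process_create", "pid": 3236, "image": RES + r"\spoolsv.exe", "parent_image": RES + r"\themes\explorer.exe"},
    {"type": "process_create", "pid": 4992, "image": RES + r"\svchost.exe", "parent_image": RES + r"\spoolsv.exe"},
    {"type": "process_create", "pid": 3932, "image": RES + r"\spoolsv.exe", "parent_image": RES + r"\svchost.exe"},
    {"type": "registry_set", "process": "explorer.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer",
     "value": r"c:\windows\resources\themes\explorer.exe RO"},
    {"type": "registry_set", "process": "svchost.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost",
     "value": r"c:\windows\resources\svchost.exe RO"},
    {"type": "registry_set", "process": "explorer.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "value": "0"},
    # Benign: real binaries from their home directories, an ordinary RunOnce entry, a theme file.
    {"type": "process_create", "pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"type": "registry_set", "process": "msiexec.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Updater",
     "value": r'"C:\Program Files\Vendor\updater.exe" /silent'},
    {"type": "file_create", "process": "explorer.exe", "path": r"C:\Windows\Resources\Themes\aero.theme"},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(rule, detail)
    print(dict(summarize(scan(SAMPLE_EVENTS))))
```

The masquerade_chain rule is the strong signal here: one misplaced explorer.exe could be a packaging mistake, but a misplaced explorer.exe launching a misplaced spoolsv.exe which launches a misplaced svchost.exe is the tree shown above. Treat hide_system_files on its own as low confidence, since 0 is the default value and legitimate tooling writes it; it is worth raising only when it comes from a process already flagged by another rule.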
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 135KB
MD5: 72cdad7697dc89b20153d2e9b1989048
SHA1: 16a1ab9568fa5895a8c88340ae6d405e2d0b1a89
SHA256: c867792a0bd4608002dd4fd15e29fe4d22d17c133215153d30a08e691297f3cd
SHA512: 77df99f6b0ae005cf758c77731367477e27ab7225a62f8b4949a684230998d309d74a4f673ae09537fb47226942dc2009c06f4fab365fa7a7c0efbd19a023cdb

File 2
Filesize: 135KB
MD5: 9c268779fc41bbcacfdb92ee85a66c3e
SHA1: 5439a39ba73a25542f2dac64809ddcdbc120c747
SHA256: 1d66699f0822b6f066281b46b571ee5c161899d5905d4e191c914911843f8f86
SHA512: eecff807bbcaecf6d6b3c046a60697e0bfdd731bbc38761b10c0e93dc32b960a42085c210e4b9724cf546c090bb20ce2f01cc74877c0db542dc2f28a9b5246ca

File 3
Filesize: 135KB
MD5: 7ee46c908fd246e85c5b8e97f82085a1
SHA1: db0d470a0eb458d79e09d2eab78b5b6fbdcad5a4
SHA256: 09a1e2e6070411f89c84eab3a9156bbd77aed11a58596e00af31dd9da8480b1a
SHA512: 22f9baf24951d42c9aa212a07ee8ce9c92a158f8fc86c8b76b68f41cc8ef26fb4a8643898fe677ba05d6fb5d08367673aa119db3449973241850f0c06d07a58d