Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    111s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/09/2024, 08:37

General

  • Target

    d037518b72d14dbe71f18bb38e868190N.exe

  • Size

    135KB

  • MD5

    d037518b72d14dbe71f18bb38e868190

  • SHA1

    e2b297a82c978a3b18b0ce33239123fc14e354c6

  • SHA256

    6cfbc35636edc4b6f29c017d38c3861a64165c3a6d78e348c53cae22ee19db08

  • SHA512

    bae1850e51c8d40a7a5fab271327c3049e8fb724818f58e04d20d32b0b0eb00a18051e95c51260dceb736b5666af7489c8d5544795bf9ac6eac587197b6d734a

  • SSDEEP

    1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbV+nRRRRRRRRRRRRf:UVqoCl/YgjxEufVU0TbTyDDal0P

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d037518b72d14dbe71f18bb38e868190N.exe
    "C:\Users\Admin\AppData\Local\Temp\d037518b72d14dbe71f18bb38e868190N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4560
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3648
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3236
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4992
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3932

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    135KB

    MD5

    72cdad7697dc89b20153d2e9b1989048

    SHA1

    16a1ab9568fa5895a8c88340ae6d405e2d0b1a89

    SHA256

    c867792a0bd4608002dd4fd15e29fe4d22d17c133215153d30a08e691297f3cd

    SHA512

    77df99f6b0ae005cf758c77731367477e27ab7225a62f8b4949a684230998d309d74a4f673ae09537fb47226942dc2009c06f4fab365fa7a7c0efbd19a023cdb

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    135KB

    MD5

    9c268779fc41bbcacfdb92ee85a66c3e

    SHA1

    5439a39ba73a25542f2dac64809ddcdbc120c747

    SHA256

    1d66699f0822b6f066281b46b571ee5c161899d5905d4e191c914911843f8f86

    SHA512

    eecff807bbcaecf6d6b3c046a60697e0bfdd731bbc38761b10c0e93dc32b960a42085c210e4b9724cf546c090bb20ce2f01cc74877c0db542dc2f28a9b5246ca

  • C:\Windows\Resources\svchost.exe

    Filesize

    135KB

    MD5

    7ee46c908fd246e85c5b8e97f82085a1

    SHA1

    db0d470a0eb458d79e09d2eab78b5b6fbdcad5a4

    SHA256

    09a1e2e6070411f89c84eab3a9156bbd77aed11a58596e00af31dd9da8480b1a

    SHA512

    22f9baf24951d42c9aa212a07ee8ce9c92a158f8fc86c8b76b68f41cc8ef26fb4a8643898fe677ba05d6fb5d08367673aa119db3449973241850f0c06d07a58d

  • memory/3236-33-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3648-35-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3932-32-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4560-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4560-34-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4992-36-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB