Analysis

  • max time kernel
    120s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/09/2024, 06:47

General

  • Target

    e6c6100f9ee99a8d782b4b240ba20fa0N.exe

  • Size

    206KB

  • MD5

    e6c6100f9ee99a8d782b4b240ba20fa0

  • SHA1

    5ee1001e95ed35662c9caf7f9d9275fcf26efb23

  • SHA256

    1975e84347e187b6dfecc3b35ae2a737036a71dbce2a3195a2bff2383f418e6d

  • SHA512

    7aa54a8005d4d3ad8e5feace00fd412a2d54808538c924a365e390c6a2ff7b937e62ce7784743ccc046a8430c76a2f1dd125f995f2966c87ba1859ff20297f49

  • SSDEEP

    1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdMssssssssssssg:/VqoCl/YgjxEufVU0TbTyDDalbR

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6c6100f9ee99a8d782b4b240ba20fa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e6c6100f9ee99a8d782b4b240ba20fa0N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:712
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3584
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4296
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3364
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1172

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    206KB

    MD5

    d75144a89ddc44059bc9f15cc0a12c65

    SHA1

    43075f8a07efb433f5ec33a754cddcae723d7342

    SHA256

    4bda52d897107ae2d65481a043ff9bd1d724113328fb4cb39db6ae9a7f4cc629

    SHA512

    67ec1d0011a1390c0ae54815baa9f24edc180ab392b7740bbc73f495febd5952aaadd8e7c0cd27c719101c7a28739bfe1ea5f3c8ecd55db86bf37acdbb425f21

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    206KB

    MD5

    d4335f3812e70f7337cdcd86cd2e96f4

    SHA1

    16793e6424931f57762ccb86222be71e8e2b3336

    SHA256

    0cf01efdd31603f9e7e19d380778409b43f5c0b289e22d056310f6488a9b5b63

    SHA512

    f5054d6fb20495a3cd944cad4c016ca56a3907e22bb31f0e4588b984a2218ef147d4215dbb3687ce4ca5dbbcc2f376e1a96eec637acfb32d8eea326c489decc0

  • C:\Windows\Resources\svchost.exe

    Filesize

    206KB

    MD5

    8cb601dd54fac1dd7ec817e4159dcbb2

    SHA1

    c2870f3053c6b803a84563b34ed9344ca26ca01f

    SHA256

    16fb59ee4b6ce022f17b27e23fab7438ccfe7330315e7c6cc16ef1686f6b14ca

    SHA512

    bee357e08e329dd823e7069ae55aff0ea267d91571ece05170cf3cc96b1aa505f9f5cfd0281b18561cfdfadca5f2702679856b7ca099615ef0ba9bf4ea6d99a8

  • memory/712-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/712-34-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1172-32-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3364-36-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3584-35-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4296-33-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB