Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 05/09/2024, 06:47
Static task: static1
Behavioral task: behavioral1
  Sample: e6c6100f9ee99a8d782b4b240ba20fa0N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e6c6100f9ee99a8d782b4b240ba20fa0N.exe
  Resource: win10v2004-20240802-en
General
Target: e6c6100f9ee99a8d782b4b240ba20fa0N.exe
Size: 206KB
MD5: e6c6100f9ee99a8d782b4b240ba20fa0
SHA1: 5ee1001e95ed35662c9caf7f9d9275fcf26efb23
SHA256: 1975e84347e187b6dfecc3b35ae2a737036a71dbce2a3195a2bff2383f418e6d
SHA512: 7aa54a8005d4d3ad8e5feace00fd412a2d54808538c924a365e390c6a2ff7b937e62ce7784743ccc046a8430c76a2f1dd125f995f2966c87ba1859ff20297f49
SSDEEP: 1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdMssssssssssssg:/VqoCl/YgjxEufVU0TbTyDDalbR
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Executes dropped EXE (4 IoCs)
  pid | Process
  3584 | explorer.exe
  4296 | spoolsv.exe
  3364 | svchost.exe
  1172 | spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
  File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
  File opened for modification | \??\c:\windows\resources\themes\explorer.exe | e6c6100f9ee99a8d782b4b240ba20fa0N.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e6c6100f9ee99a8d782b4b240ba20fa0N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  712 | e6c6100f9ee99a8d782b4b240ba20fa0N.exe (repeated entries)
  3584 | explorer.exe (repeated entries)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  3584 | explorer.exe
  3364 | svchost.exe
Suspicious use of SetWindowsHookEx (10 IoCs)
  pid | Process
  712 | e6c6100f9ee99a8d782b4b240ba20fa0N.exe
  712 | e6c6100f9ee99a8d782b4b240ba20fa0N.exe
  3584 | explorer.exe
  3584 | explorer.exe
  4296 | spoolsv.exe
  4296 | spoolsv.exe
  3364 | svchost.exe
  3364 | svchost.exe
  1172 | spoolsv.exe
  1172 | spoolsv.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 712 wrote to memory of 3584 | 712 | e6c6100f9ee99a8d782b4b240ba20fa0N.exe | 84
  PID 712 wrote to memory of 3584 | 712 | e6c6100f9ee99a8d782b4b240ba20fa0N.exe | 84
  PID 712 wrote to memory of 3584 | 712 | e6c6100f9ee99a8d782b4b240ba20fa0N.exe | 84
  PID 3584 wrote to memory of 4296 | 3584 | explorer.exe | 86
  PID 3584 wrote to memory of 4296 | 3584 | explorer.exe | 86
  PID 3584 wrote to memory of 4296 | 3584 | explorer.exe | 86
  PID 4296 wrote to memory of 3364 | 4296 | spoolsv.exe | 87
  PID 4296 wrote to memory of 3364 | 4296 | spoolsv.exe | 87
  PID 4296 wrote to memory of 3364 | 4296 | spoolsv.exe | 87
  PID 3364 wrote to memory of 1172 | 3364 | svchost.exe | 88
  PID 3364 wrote to memory of 1172 | 3364 | svchost.exe | 88
  PID 3364 wrote to memory of 1172 | 3364 | svchost.exe | 88
Processes
1. C:\Users\Admin\AppData\Local\Temp\e6c6100f9ee99a8d782b4b240ba20fa0N.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\e6c6100f9ee99a8d782b4b240ba20fa0N.exe"
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 712
   2. \??\c:\windows\resources\themes\explorer.exe
      command line: c:\windows\resources\themes\explorer.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 3584
      3. \??\c:\windows\resources\spoolsv.exe
         command line: c:\windows\resources\spoolsv.exe SE
         - Executes dropped EXE
         - Drops file in Windows directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         PID: 4296
         4. \??\c:\windows\resources\svchost.exe
            command line: c:\windows\resources\svchost.exe
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 3364
            5. \??\c:\windows\resources\spoolsv.exe
               command line: c:\windows\resources\spoolsv.exe PR
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
               - Suspicious use of SetWindowsHookEx
               PID: 1172
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 206KB
MD5: d75144a89ddc44059bc9f15cc0a12c65
SHA1: 43075f8a07efb433f5ec33a754cddcae723d7342
SHA256: 4bda52d897107ae2d65481a043ff9bd1d724113328fb4cb39db6ae9a7f4cc629
SHA512: 67ec1d0011a1390c0ae54815baa9f24edc180ab392b7740bbc73f495febd5952aaadd8e7c0cd27c719101c7a28739bfe1ea5f3c8ecd55db86bf37acdbb425f21

Filesize: 206KB
MD5: d4335f3812e70f7337cdcd86cd2e96f4
SHA1: 16793e6424931f57762ccb86222be71e8e2b3336
SHA256: 0cf01efdd31603f9e7e19d380778409b43f5c0b289e22d056310f6488a9b5b63
SHA512: f5054d6fb20495a3cd944cad4c016ca56a3907e22bb31f0e4588b984a2218ef147d4215dbb3687ce4ca5dbbcc2f376e1a96eec637acfb32d8eea326c489decc0

Filesize: 206KB
MD5: 8cb601dd54fac1dd7ec817e4159dcbb2
SHA1: c2870f3053c6b803a84563b34ed9344ca26ca01f
SHA256: 16fb59ee4b6ce022f17b27e23fab7438ccfe7330315e7c6cc16ef1686f6b14ca
SHA512: bee357e08e329dd823e7069ae55aff0ea267d91571ece05170cf3cc96b1aa505f9f5cfd0281b18561cfdfadca5f2702679856b7ca099615ef0ba9bf4ea6d99a8