Analysis

  • max time kernel
    120s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/09/2024, 10:39 UTC

General

  • Target

    27ead79e625289762f6dfae5111ebaa0N.exe

  • Size

    5.4MB

  • MD5

    27ead79e625289762f6dfae5111ebaa0

  • SHA1

    15c2bc0152cf9c07eaa774d0269ed1d3bf884dd6

  • SHA256

    6edfb343ed43ddd5bd2d1131acc658ad72d3128b3c7d63ea933e51aae67a0cff

  • SHA512

    245f40383ac2af916063a94d230af4f318c59d9cf894d0061bc6743aeeda250c237ec743f123adf3834aee882ab7c3f135068187f808415008919950170222fa

  • SSDEEP

    98304:+TCx1ykMv3Aiju03ej9Qfqy/mfr1e2E2IojD4jpLik:m8yBAi6zvmY5e2cogJ

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  • Executes dropped EXE (11 IoCs)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • Drops file in Program Files directory (25 IoCs)
  • Drops file in Windows directory (9 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  • Suspicious use of SetWindowsHookEx (18 IoCs)
  • Suspicious use of WriteProcessMemory (30 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\27ead79e625289762f6dfae5111ebaa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\27ead79e625289762f6dfae5111ebaa0N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4860
    • \??\c:\users\admin\appdata\local\temp\27ead79e625289762f6dfae5111ebaa0n.exe 
      c:\users\admin\appdata\local\temp\27ead79e625289762f6dfae5111ebaa0n.exe 
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Windows\svchost.exe
        "C:\Windows\svchost.exe" "c:\users\admin\appdata\local\temp\27ead79e625289762f6dfae5111ebaa0n.exe "
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1208
        • \??\c:\users\admin\appdata\local\temp\27ead79e625289762f6dfae5111ebaa0n.exe 
          "c:\users\admin\appdata\local\temp\27ead79e625289762f6dfae5111ebaa0n.exe "
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4464
          • \??\c:\users\admin\appdata\local\temp\27ead79e625289762f6dfae5111ebaa0n.exe 
            c:\users\admin\appdata\local\temp\27ead79e625289762f6dfae5111ebaa0n.exe 
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3368
          • C:\Windows\Resources\Themes\icsys.icn.exe
            C:\Windows\Resources\Themes\icsys.icn.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3256
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3688
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1644
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1856
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visibility of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4968
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4976
  • C:\Windows\svchost.exe
    C:\Windows\svchost.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    PID:5072
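The tree above shows the sample planting copies of itself under names of trusted Windows binaries (explorer.exe, spoolsv.exe, svchost.exe) in C:\Windows\Resources\ and C:\Windows\, then adding a Run key and touching Explorer's hidden-file setting from those copies. The following Python is an added example, not part of the tria.ge report and not code from the sample, that turns those observations into detection rules and runs them over constructed Sysmon-style event records mirroring the tree. It generalises past this sample: any image under C:\Windows\Resources\ and any of the three borrowed names executing outside its normal directory is flagged, not just the exact paths seen here. The event dicts, the user SID, the Run value name and the LEGIT_DIRS table are assumptions for illustration; the PIDs and paths are the ones on this page.

```python
"""Detection rules for the behaviour in the process tree above, run over
constructed Sysmon-style events. Added example: the events are made up to
mirror the tree on this page; they were not captured from the sandbox."""
from dataclasses import dataclass

# Directory the sample used for its copies (from the process tree). Windows
# keeps theme data here, not executables, so any image under it is suspect.
DROP_DIRS = ("c:\\windows\\resources\\",)

# Where the genuine binaries with the names the sample borrowed live.
# Assumption: default Windows 10 layout. The match is on the exact directory,
# so c:\windows\resources\themes\explorer.exe is not accepted as c:\windows\explorer.exe.
LEGIT_DIRS = {
    "svchost.exe": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
    "spoolsv.exe": ("c:\\windows\\system32\\",),
    "explorer.exe": ("c:\\windows\\",),
}
RUN_KEY = "\\currentversion\\run\\"
EXPLORER_VIS_VALUES = ("\\explorer\\advanced\\hidden",
                       "\\explorer\\advanced\\showsuperhidden")


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _norm(path: str) -> str:
    """Lower-case, drop quotes and the NT object-manager prefix (\\??\\) seen in the tree."""
    p = path.strip().strip('"').lower()
    return p[4:] if p.startswith("\\??\\") else p


def _split(path: str) -> tuple:
    """Return (directory with trailing backslash, file name) for a normalised path."""
    directory, _, name = _norm(path).rpartition("\\")
    return directory + "\\", name


def check_process(ev: dict) -> list:
    """Rules for a process-creation record (Sysmon event ID 1 shape)."""
    findings = []
    directory, name = _split(ev["image"])
    if name in LEGIT_DIRS and directory not in LEGIT_DIRS[name]:
        findings.append(Finding("masquerade_system_binary", ev["pid"],
                                f"{name} running from {directory}"))
    if directory.startswith(DROP_DIRS):
        findings.append(Finding("exec_from_resources_dir", ev["pid"], _norm(ev["image"])))
    return findings


def check_registry(ev: dict) -> list:
    """Rules for a registry value-set record (Sysmon event ID 13 shape)."""
    findings = []
    key = ev["target_object"].lower()
    data = _norm(ev.get("details", ""))
    # Persistence: a Run value whose data points at a planted copy.
    if RUN_KEY in key and (data.startswith(DROP_DIRS) or data == "c:\\windows\\svchost.exe"):
        findings.append(Finding("run_key_to_dropped_exe", ev["pid"],
                                f"{ev['target_object']} -> {ev['details']}"))
    # Defence evasion: toggling whether Explorer shows hidden / protected OS files.
    if key.endswith(EXPLORER_VIS_VALUES):
        findings.append(Finding("explorer_hidden_files_setting", ev["pid"],
                                f"{ev['target_object']} = {ev['details']}"))
    return findings


def scan(events: list) -> list:
    """Dispatch each record to the rule set for its event type."""
    findings = []
    for ev in events:
        if ev["event_id"] == 1:
            findings.extend(check_process(ev))
        elif ev["event_id"] == 13:
            findings.extend(check_registry(ev))
    return findings


# Constructed records. The first two are benign controls; the rest mirror the
# tree above (PIDs as on this page). SID and Run value name are invented.
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 900, "image": r"C:\Windows\System32\svchost.exe"},
    {"event_id": 1, "pid": 4100, "image": r"C:\Windows\explorer.exe"},
    {"event_id": 1, "pid": 1644, "image": r"\??\c:\windows\resources\themes\explorer.exe"},
    {"event_id": 1, "pid": 1856, "image": r"\??\c:\windows\resources\spoolsv.exe"},
    {"event_id": 1, "pid": 5072, "image": r"C:\Windows\svchost.exe"},
    {"event_id": 13, "pid": 1644,
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Explorer",
     "details": r"c:\windows\resources\themes\explorer.exe"},
    {"event_id": 13, "pid": 1644,
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "details": "DWORD (0x00000002)"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Run against the constructed records, the two controls produce nothing, while PIDs 1644 and 1856 trip both the masquerade and the Resources-directory rules, PID 5072 (C:\Windows\svchost.exe) trips only the masquerade rule, and the two registry writes trip the persistence and Explorer-visibility rules. The directory comparison is deliberately exact rather than a prefix match: a prefix match on c:\windows\ would have waved through the explorer.exe copy under Resources\Themes.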

Network

  The only network activity recorded is eight reverse (PTR) lookups sent to 8.8.8.8:53. Each lookup received a response, but the report lists no answer records for any of them. The Address column is the IP each in-addr.arpa name decodes to.

  Query (PTR)                     Address          Sent   Received  Requests  Responses
  58.55.71.13.in-addr.arpa        13.71.55.58      70 B   144 B     1         1
  172.214.232.199.in-addr.arpa    199.232.214.172  74 B   128 B     1         1
  2.159.190.20.in-addr.arpa       20.190.159.2     71 B   157 B     1         1
  157.123.68.40.in-addr.arpa      40.68.123.157    72 B   146 B     1         1
  198.187.3.20.in-addr.arpa       20.3.187.198     71 B   157 B     1         1
  240.221.184.93.in-addr.arpa     93.184.221.240   73 B   144 B     1         1
  172.210.232.199.in-addr.arpa    199.232.210.172  74 B   128 B     1         1
  22.236.111.52.in-addr.arpa      52.111.236.22    72 B   158 B     1         1

  No HTTP or other connections are recorded.

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\27ead79e625289762f6dfae5111ebaa0n.exe 

    Filesize

    5.2MB

    MD5

    03ae2c0b80414638c9575189a1377c90

    SHA1

    8dad3039fd0dea101935ca78c300b6da50198eaa

    SHA256

    97f6f183b6d7737bb20ac4ed9cc56a0b1897b2389d9cdc329917ea8419eabdff

    SHA512

    5b5236184b6121c97f986d0be569fcb2cec70c14635782f88d2baab385dedfb7a957ae9b96db0566b9199286375b8d5a78293181fa68582bb238d78c751a3472

  • C:\Users\Admin\AppData\Local\Temp\27ead79e625289762f6dfae5111ebaa0n.exe 

    Filesize

    5.2MB

    MD5

    f6c40fa1a030b5bce648ac5ecce9dde7

    SHA1

    11926d6cfc0697cc6fe53cb0aafd12c79cfd3316

    SHA256

    2086d610c468529e59dd66cad78e6699fd6512c85eb0ae840b09db663b73dd73

    SHA512

    deacc2c60028c4316d2f5dbc0b4954247eaa0beea191bbd7cd038df4c0368017d8b99ef057ddcce99bd35a3bd246bc68a3242f8cffecdfa3d6e880b8cd733622

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    135KB

    MD5

    8a7acc8e8591f41b7d96858ebdbd4541

    SHA1

    5b876ed2b0aef03514f0f706c167f29b5d20666d

    SHA256

    0ba221a3cbbf0c5177083f2d8309f60aacc4b621c41ed5c8801bf505fb1223c4

    SHA512

    0c443b8d67788a1fe007379e817c43896a24d7a93248bfcda6e6471fc44fc893a849c20a51c433da196a86c749f4d65a2a921209a3edf315ef11db5e25dbc10d

  • C:\Windows\Resources\Themes\icsys.icn.exe

    Filesize

    135KB

    MD5

    81431e8c7a9cf24c1e41751bfba32ad9

    SHA1

    96d029ad4731cbbf137e3ecaf1000ff176e3589e

    SHA256

    896f497d5a1f5fcbfa0a4677704c8084f5882072391220bd1bda04abcd37310e

    SHA512

    d7c41cd7284fb4c311a6bb7876788e8c6bccd964355eb3c9309c1c83029ab013e73c7ad089eecdbe3c4a1e0eaef90b950fce4dc19c6811ed8d444f453a29b2f5

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    135KB

    MD5

    85a4e4e6f4ff58a26c8bc2e7e775724b

    SHA1

    f9848049717845c5b18b107cec58a492b8173bde

    SHA256

    c3d25abd9c8e1751352e73b89ba95e07327395b051853c083f217f38b2dc8575

    SHA512

    4786eb4e1683e1b59662bb70d036cbfc71368246b2d2fd2b115248a9a91866aab3286023b9eb67b8ea452d2a8d6c3aed664ce72de61421338fcf22710251a446

  • C:\Windows\Resources\svchost.exe

    Filesize

    135KB

    MD5

    93b6f59205b2878e8cded0ac63366d3b

    SHA1

    7505b81c98c72f68a8f90962ea8768dc09df2536

    SHA256

    d31462f7bf91650358c4fcd4b72da8aa4be85ab8412499bf979701d90d826c6f

    SHA512

    6482999be940e009e4b5c9af0cdf35697d341634340c3f071efcfef655c6bc3dca76e4c77a5fb29698d5de129f8388f65a35d0b0814df347bbea490b7234ee6e

  • C:\Windows\svchost.exe

    Filesize

    35KB

    MD5

    9e3c13b6556d5636b745d3e466d47467

    SHA1

    2ac1c19e268c49bc508f83fe3d20f495deb3e538

    SHA256

    20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

    SHA512

    5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

  • memory/1208-28-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/1636-12-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/1644-84-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1644-38-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1856-74-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3256-48-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3368-44-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3688-76-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4464-49-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4464-21-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4860-75-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4860-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4968-86-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4976-73-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/5072-77-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/5072-81-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/5072-85-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB