Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

27ead79e62...0N.exe

windows7-x64

10

27ead79e62...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/09/2024, 10:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    27ead79e625289762f6dfae5111ebaa0N.exe

  • Size

    5.4MB

  • MD5

    27ead79e625289762f6dfae5111ebaa0

  • SHA1

    15c2bc0152cf9c07eaa774d0269ed1d3bf884dd6

  • SHA256

    6edfb343ed43ddd5bd2d1131acc658ad72d3128b3c7d63ea933e51aae67a0cff

  • SHA512

    245f40383ac2af916063a94d230af4f318c59d9cf894d0061bc6743aeeda250c237ec743f123adf3834aee882ab7c3f135068187f808415008919950170222fa

  • SSDEEP

    98304:+TCx1ykMv3Aiju03ej9Qfqy/mfr1e2E2IojD4jpLik:m8yBAi6zvmY5e2cogJ

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 11 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 25 IoCs
  • Drops file in Windows directory 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27ead79e625289762f6dfae5111ebaa0N.exe
    "C:\Users\Admin\AppData\Local\Temp\27ead79e625289762f6dfae5111ebaa0N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4860
    • \??\c:\users\admin\appdata\local\temp\27ead79e625289762f6dfae5111ebaa0n.exe 
      c:\users\admin\appdata\local\temp\27ead79e625289762f6dfae5111ebaa0n.exe 
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Windows\svchost.exe
        "C:\Windows\svchost.exe" "c:\users\admin\appdata\local\temp\27ead79e625289762f6dfae5111ebaa0n.exe "
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1208
        • \??\c:\users\admin\appdata\local\temp\27ead79e625289762f6dfae5111ebaa0n.exe 
          "c:\users\admin\appdata\local\temp\27ead79e625289762f6dfae5111ebaa0n.exe "
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4464
          • \??\c:\users\admin\appdata\local\temp\27ead79e625289762f6dfae5111ebaa0n.exe 
            c:\users\admin\appdata\local\temp\27ead79e625289762f6dfae5111ebaa0n.exe 
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3368
          • C:\Windows\Resources\Themes\icsys.icn.exe
            C:\Windows\Resources\Themes\icsys.icn.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3256
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3688
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1644
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1856
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4968
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4976
  • C:\Windows\svchost.exe
    C:\Windows\svchost.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    PID:5072

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\27ead79e625289762f6dfae5111ebaa0n.exe 
    Filesize

    5.2MB

    MD5

    03ae2c0b80414638c9575189a1377c90

    SHA1

    8dad3039fd0dea101935ca78c300b6da50198eaa

    SHA256

    97f6f183b6d7737bb20ac4ed9cc56a0b1897b2389d9cdc329917ea8419eabdff

    SHA512

    5b5236184b6121c97f986d0be569fcb2cec70c14635782f88d2baab385dedfb7a957ae9b96db0566b9199286375b8d5a78293181fa68582bb238d78c751a3472

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\27ead79e625289762f6dfae5111ebaa0n.exe 
    Filesize

    5.2MB

    MD5

    f6c40fa1a030b5bce648ac5ecce9dde7

    SHA1

    11926d6cfc0697cc6fe53cb0aafd12c79cfd3316

    SHA256

    2086d610c468529e59dd66cad78e6699fd6512c85eb0ae840b09db663b73dd73

    SHA512

    deacc2c60028c4316d2f5dbc0b4954247eaa0beea191bbd7cd038df4c0368017d8b99ef057ddcce99bd35a3bd246bc68a3242f8cffecdfa3d6e880b8cd733622

    Download Submit

  • C:\Windows\Resources\Themes\explorer.exe
    Filesize

    135KB

    MD5

    8a7acc8e8591f41b7d96858ebdbd4541

    SHA1

    5b876ed2b0aef03514f0f706c167f29b5d20666d

    SHA256

    0ba221a3cbbf0c5177083f2d8309f60aacc4b621c41ed5c8801bf505fb1223c4

    SHA512

    0c443b8d67788a1fe007379e817c43896a24d7a93248bfcda6e6471fc44fc893a849c20a51c433da196a86c749f4d65a2a921209a3edf315ef11db5e25dbc10d

    Download Submit

  • C:\Windows\Resources\Themes\icsys.icn.exe
    Filesize

    135KB

    MD5

    81431e8c7a9cf24c1e41751bfba32ad9

    SHA1

    96d029ad4731cbbf137e3ecaf1000ff176e3589e

    SHA256

    896f497d5a1f5fcbfa0a4677704c8084f5882072391220bd1bda04abcd37310e

    SHA512

    d7c41cd7284fb4c311a6bb7876788e8c6bccd964355eb3c9309c1c83029ab013e73c7ad089eecdbe3c4a1e0eaef90b950fce4dc19c6811ed8d444f453a29b2f5

    Download Submit

  • C:\Windows\Resources\spoolsv.exe
    Filesize

    135KB

    MD5

    85a4e4e6f4ff58a26c8bc2e7e775724b

    SHA1

    f9848049717845c5b18b107cec58a492b8173bde

    SHA256

    c3d25abd9c8e1751352e73b89ba95e07327395b051853c083f217f38b2dc8575

    SHA512

    4786eb4e1683e1b59662bb70d036cbfc71368246b2d2fd2b115248a9a91866aab3286023b9eb67b8ea452d2a8d6c3aed664ce72de61421338fcf22710251a446

    Download Submit

  • C:\Windows\Resources\svchost.exe
    Filesize

    135KB

    MD5

    93b6f59205b2878e8cded0ac63366d3b

    SHA1

    7505b81c98c72f68a8f90962ea8768dc09df2536

    SHA256

    d31462f7bf91650358c4fcd4b72da8aa4be85ab8412499bf979701d90d826c6f

    SHA512

    6482999be940e009e4b5c9af0cdf35697d341634340c3f071efcfef655c6bc3dca76e4c77a5fb29698d5de129f8388f65a35d0b0814df347bbea490b7234ee6e

    Download Submit

  • C:\Windows\svchost.exe
    Filesize

    35KB

    MD5

    9e3c13b6556d5636b745d3e466d47467

    SHA1

    2ac1c19e268c49bc508f83fe3d20f495deb3e538

    SHA256

    20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

    SHA512

    5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

    Download Submit

  • memory/1208-28-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/1636-12-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1644-84-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1644-38-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1856-74-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3256-48-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3368-44-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3688-76-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/4464-49-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/4464-21-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/4860-75-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/4860-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/4968-86-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/4976-73-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/5072-77-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/5072-81-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/5072-85-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download