Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/09/2024, 08:14

General

  • Target

    43759c1fc4a47cb344f8481fd619dd70N.exe

  • Size

    207KB

  • MD5

    43759c1fc4a47cb344f8481fd619dd70

  • SHA1

    25ecc4fc5c2e4c6eb6ec177df5936ecc5174c730

  • SHA256

    aef795e47d4cad846dffb0bfd00ac4a26816478d8b8eb6a2e9014b380647937d

  • SHA512

    30b0f26fae591e1e30092470402686bb8757345614040a6fe7767e2654c3a65f846f17b563fc9b67554fb98b7a764dae5c5c801aca09dd870deeae74f1cdeecd

  • SSDEEP

    1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdIC:/VqoCl/YgjxEufVU0TbTyDDalbr

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43759c1fc4a47cb344f8481fd619dd70N.exe
    "C:\Users\Admin\AppData\Local\Temp\43759c1fc4a47cb344f8481fd619dd70N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4840
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3356
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3012
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1452
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1080

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    206KB

    MD5

    687e5dd1fa65c84c1bd79fc847d64d28

    SHA1

    4a302bb3c5af9feca8261df15c3131f23e1f096b

    SHA256

    3472e3ce0200c8c652fba8e5d77c2d92b047c159c609e359b97fd9c93109106b

    SHA512

    21b0375b517ecbf8b2a755efde4d516e71d258eb7431e003b89359ea8a035ef3c4cf0f5d9c97bdfa6b96f568da4373c222a0b8d45a47eb1f99ca34f650cf22d4

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    206KB

    MD5

    f3bfe18a21e7307a885394af7213f717

    SHA1

    6d70db742455f287b13165b628dacb5a1238bf0d

    SHA256

    bc06c3801711aae38835f7bff605a038c6bf39e292a008cecbd18cd5d652144d

    SHA512

    b1ee877b27480caa0bdca441f4de73c5ac58f80545fcb6003746cb919054ab6d866e124d5d79cdc5f92e00f026d1281f154c9ef09e856519683b15b1d632fe3e

  • C:\Windows\Resources\svchost.exe

    Filesize

    206KB

    MD5

    f05185af4716f7af04197b59ac76eb9d

    SHA1

    7d44af8753c98b798f01a0757ae9538d9e7a6c95

    SHA256

    eee103a3c1ddab8ae807bea008358c23299637b0a41df7b836e5de81056dbbbd

    SHA512

    95dc60559616211523437c6efd4abc7f8ef5406ff0ffcf5b646f709a3fa83e7cbc688f421ff9de9886b614289fa1054c68dd07f60902a7ebc94e1ed559eb9c80

  • memory/1080-32-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1452-36-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3012-33-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3356-35-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4840-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4840-34-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB