Analysis
  max time kernel: 120s
  max time network: 107s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 08/09/2024, 08:14
Static task: static1

Behavioral task: behavioral1
  Sample: 43759c1fc4a47cb344f8481fd619dd70N.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 43759c1fc4a47cb344f8481fd619dd70N.exe
  Resource: win10v2004-20240802-en
General
  Target: 43759c1fc4a47cb344f8481fd619dd70N.exe
  Size: 207KB
  MD5: 43759c1fc4a47cb344f8481fd619dd70
  SHA1: 25ecc4fc5c2e4c6eb6ec177df5936ecc5174c730
  SHA256: aef795e47d4cad846dffb0bfd00ac4a26816478d8b8eb6a2e9014b380647937d
  SHA512: 30b0f26fae591e1e30092470402686bb8757345614040a6fe7767e2654c3a65f846f17b563fc9b67554fb98b7a764dae5c5c801aca09dd870deeae74f1cdeecd
  SSDEEP: 1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdIC:/VqoCl/YgjxEufVU0TbTyDDalbr
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Executes dropped EXE (4 IoCs)
  pid | Process
  3356 | explorer.exe
  3012 | spoolsv.exe
  1452 | svchost.exe
  1080 | spoolsv.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe

Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe

Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
  File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
  File opened for modification | \??\c:\windows\resources\themes\explorer.exe | 43759c1fc4a47cb344f8481fd619dd70N.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 43759c1fc4a47cb344f8481fd619dd70N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4840 | 43759c1fc4a47cb344f8481fd619dd70N.exe (repeated entries)
  3356 | explorer.exe (repeated entries)
  (The 64 entries are these two pid/process pairs repeated; duplicate rows collapsed.)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  3356 | explorer.exe
  1452 | svchost.exe

Suspicious use of SetWindowsHookEx (10 IoCs)
  pid | Process
  4840 | 43759c1fc4a47cb344f8481fd619dd70N.exe (2 entries)
  3356 | explorer.exe (2 entries)
  3012 | spoolsv.exe (2 entries)
  1452 | svchost.exe (2 entries)
  1080 | spoolsv.exe (2 entries)

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 4840 wrote to memory of 3356 | 4840 | 43759c1fc4a47cb344f8481fd619dd70N.exe | 87 (3 entries)
  PID 3356 wrote to memory of 3012 | 3356 | explorer.exe | 88 (3 entries)
  PID 3012 wrote to memory of 1452 | 3012 | spoolsv.exe | 90 (3 entries)
  PID 1452 wrote to memory of 1080 | 1452 | svchost.exe | 91 (3 entries)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\43759c1fc4a47cb344f8481fd619dd70N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\43759c1fc4a47cb344f8481fd619dd70N.exe"
  PID: 4840
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Level 2: \??\c:\windows\resources\themes\explorer.exe
    Command line: c:\windows\resources\themes\explorer.exe
    PID: 3356
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    Level 3: \??\c:\windows\resources\spoolsv.exe
      Command line: c:\windows\resources\spoolsv.exe SE
      PID: 3012
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      Level 4: \??\c:\windows\resources\svchost.exe
        Command line: c:\windows\resources\svchost.exe
        PID: 1452
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        Level 5: \??\c:\windows\resources\spoolsv.exe
          Command line: c:\windows\resources\spoolsv.exe PR
          PID: 1080
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 206KB
  MD5: 687e5dd1fa65c84c1bd79fc847d64d28
  SHA1: 4a302bb3c5af9feca8261df15c3131f23e1f096b
  SHA256: 3472e3ce0200c8c652fba8e5d77c2d92b047c159c609e359b97fd9c93109106b
  SHA512: 21b0375b517ecbf8b2a755efde4d516e71d258eb7431e003b89359ea8a035ef3c4cf0f5d9c97bdfa6b96f568da4373c222a0b8d45a47eb1f99ca34f650cf22d4

  Filesize: 206KB
  MD5: f3bfe18a21e7307a885394af7213f717
  SHA1: 6d70db742455f287b13165b628dacb5a1238bf0d
  SHA256: bc06c3801711aae38835f7bff605a038c6bf39e292a008cecbd18cd5d652144d
  SHA512: b1ee877b27480caa0bdca441f4de73c5ac58f80545fcb6003746cb919054ab6d866e124d5d79cdc5f92e00f026d1281f154c9ef09e856519683b15b1d632fe3e

  Filesize: 206KB
  MD5: f05185af4716f7af04197b59ac76eb9d
  SHA1: 7d44af8753c98b798f01a0757ae9538d9e7a6c95
  SHA256: eee103a3c1ddab8ae807bea008358c23299637b0a41df7b836e5de81056dbbbd
  SHA512: 95dc60559616211523437c6efd4abc7f8ef5406ff0ffcf5b646f709a3fa83e7cbc688f421ff9de9886b614289fa1054c68dd07f60902a7ebc94e1ed559eb9c80