Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
12/09/2024, 02:37
Static task
static1
Behavioral task
behavioral1
Sample
f0fd0016c5c701dbe7689d478c293fe0N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f0fd0016c5c701dbe7689d478c293fe0N.exe
Resource
win10v2004-20240802-en
General
-
Target
f0fd0016c5c701dbe7689d478c293fe0N.exe
-
Size
206KB
-
MD5
f0fd0016c5c701dbe7689d478c293fe0
-
SHA1
91c3028901eb74d6b3d3514139d654a5122bac20
-
SHA256
aa3e8fae7ce9f67681df65a278fa728a89defeac3e00305371e4b2571a935b34
-
SHA512
f5f60bcde88f76278883daed342776b30537f370dd88377ec37536692cfa236d274221d4c1682e43b083f9b09df1b0a3a66510bf2725dd9cf4249370a11c9b48
-
SSDEEP
1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdCUUUUUUUUUUUUH:/VqoCl/YgjxEufVU0TbTyDDalbg
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Executes dropped EXE 4 IoCs
pid Process 4932 explorer.exe 1132 spoolsv.exe 3712 svchost.exe 2820 spoolsv.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification \??\c:\windows\resources\themes\explorer.exe f0fd0016c5c701dbe7689d478c293fe0N.exe File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe File opened for modification C:\Windows\Resources\tjud.exe explorer.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f0fd0016c5c701dbe7689d478c293fe0N.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 4932 explorer.exe 4932 explorer.exe 4932 explorer.exe 4932 explorer.exe 4932 explorer.exe 4932 explorer.exe 4932 explorer.exe 4932 explorer.exe 4932 explorer.exe 4932 explorer.exe 4932 explorer.exe 4932 explorer.exe 4932 explorer.exe 4932 explorer.exe 4932 explorer.exe 4932 explorer.exe 4932 explorer.exe 4932 explorer.exe 4932 explorer.exe 4932 explorer.exe 4932 explorer.exe 4932 explorer.exe 4932 explorer.exe 4932 explorer.exe 4932 explorer.exe 4932 explorer.exe 4932 explorer.exe 4932 explorer.exe 4932 explorer.exe 4932 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 4932 explorer.exe 3712 svchost.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 4932 explorer.exe 4932 explorer.exe 1132 spoolsv.exe 1132 spoolsv.exe 3712 svchost.exe 3712 svchost.exe 2820 spoolsv.exe 2820 spoolsv.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 116 wrote to memory of 4932 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 84 PID 116 wrote to memory of 4932 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 84 PID 116 wrote to memory of 4932 116 f0fd0016c5c701dbe7689d478c293fe0N.exe 84 PID 4932 wrote to memory of 1132 4932 explorer.exe 86 PID 4932 wrote to memory of 1132 4932 explorer.exe 86 PID 4932 wrote to memory of 1132 4932 explorer.exe 86 PID 1132 wrote to memory of 3712 1132 spoolsv.exe 87 PID 1132 wrote to memory of 3712 1132 spoolsv.exe 87 PID 1132 wrote to memory of 3712 1132 spoolsv.exe 87 PID 3712 wrote to memory of 2820 3712 svchost.exe 89 PID 3712 wrote to memory of 2820 3712 svchost.exe 89 PID 3712 wrote to memory of 2820 3712 svchost.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0fd0016c5c701dbe7689d478c293fe0N.exe"C:\Users\Admin\AppData\Local\Temp\f0fd0016c5c701dbe7689d478c293fe0N.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1132 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3712 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2820
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
206KB
MD5e50981a452d00730cd985a767727edb0
SHA1827896da9932670bcc87cf25940d46f073dc0fe4
SHA256fb4580cfdd7ddb10add4ab46773a08ea0a827c73c9027acf243f46789820a38c
SHA51210efb97d752b5d150f589184dc634ed2ae0a0801c86c6470adc3a8f8a869ca1b624eabb9fe0219adb95796a35fa5d3c5365b476a8e98c5fc29c931eb6b77a21c
-
Filesize
206KB
MD5f50fb3f8bd19b5e4f59a370400df5ff3
SHA11d77326acad2ed57bf030d37e6ec5f00d02e4bf9
SHA25659e2ff19c2b32fd1af0f18aa4cb325dcd66178f9601e49ccf70eb3378656a901
SHA512469725c6e9458f98541cf699ccee2f19154f05b3386056232a5b13c4615d60560e3e219e80a351ad644367a1999b3b9a02fb13ab80a8ecc0cf0405a5c25ccef3
-
Filesize
206KB
MD593f7715f70bda840f614e195ea6ceb7b
SHA1680701a631bd310dc61e09d0d4db92d0275899e0
SHA2569c26fb168f0b429936439aed2a4c92e3209024969dbd2e093b26754ab4147661
SHA512dac131c5fa1421ea986519522c3936c269f8c65591ab2437625037e67763fc304d5d80b4a39447d8957aa06f75cc5f16710d4c65e6ba33beadbc362b3dfd937d