Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    12/09/2024, 02:37

General

  • Target

    f0fd0016c5c701dbe7689d478c293fe0N.exe

  • Size

    206KB

  • MD5

    f0fd0016c5c701dbe7689d478c293fe0

  • SHA1

    91c3028901eb74d6b3d3514139d654a5122bac20

  • SHA256

    aa3e8fae7ce9f67681df65a278fa728a89defeac3e00305371e4b2571a935b34

  • SHA512

    f5f60bcde88f76278883daed342776b30537f370dd88377ec37536692cfa236d274221d4c1682e43b083f9b09df1b0a3a66510bf2725dd9cf4249370a11c9b48

  • SSDEEP

    1536:/fsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbJdCUUUUUUUUUUUUH:/VqoCl/YgjxEufVU0TbTyDDalbg

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f0fd0016c5c701dbe7689d478c293fe0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f0fd0016c5c701dbe7689d478c293fe0N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:116
    • \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4932
      • \??\c:\windows\resources\spoolsv.exe
        c:\windows\resources\spoolsv.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1132
        • \??\c:\windows\resources\svchost.exe
          c:\windows\resources\svchost.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3712
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2820

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    206KB

    MD5

    e50981a452d00730cd985a767727edb0

    SHA1

    827896da9932670bcc87cf25940d46f073dc0fe4

    SHA256

    fb4580cfdd7ddb10add4ab46773a08ea0a827c73c9027acf243f46789820a38c

    SHA512

    10efb97d752b5d150f589184dc634ed2ae0a0801c86c6470adc3a8f8a869ca1b624eabb9fe0219adb95796a35fa5d3c5365b476a8e98c5fc29c931eb6b77a21c

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    206KB

    MD5

    f50fb3f8bd19b5e4f59a370400df5ff3

    SHA1

    1d77326acad2ed57bf030d37e6ec5f00d02e4bf9

    SHA256

    59e2ff19c2b32fd1af0f18aa4cb325dcd66178f9601e49ccf70eb3378656a901

    SHA512

    469725c6e9458f98541cf699ccee2f19154f05b3386056232a5b13c4615d60560e3e219e80a351ad644367a1999b3b9a02fb13ab80a8ecc0cf0405a5c25ccef3

  • C:\Windows\Resources\svchost.exe

    Filesize

    206KB

    MD5

    93f7715f70bda840f614e195ea6ceb7b

    SHA1

    680701a631bd310dc61e09d0d4db92d0275899e0

    SHA256

    9c26fb168f0b429936439aed2a4c92e3209024969dbd2e093b26754ab4147661

    SHA512

    dac131c5fa1421ea986519522c3936c269f8c65591ab2437625037e67763fc304d5d80b4a39447d8957aa06f75cc5f16710d4c65e6ba33beadbc362b3dfd937d

  • memory/116-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/116-35-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1132-34-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2820-30-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2820-33-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3712-37-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4932-36-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB