Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

87de581263...3N.exe

windows7-x64

10

87de581263...3N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/09/2024, 01:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe

  • Size

    45KB

  • MD5

    06102d862a4a1aad9e0cc4972065a3b0

  • SHA1

    9197edb6b32290f31276b39a2af162efa7a65327

  • SHA256

    87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793

  • SHA512

    280ee6f811c8d2e9b153f17874fe56d18b4760fb20edcefffd04ae2428b35947205ecf890de64f59eb0f1f11fe488dee4f36dc7a7e31cc7071e72422e386ae23

  • SSDEEP

    768:5qt/WXwCXV/aNOFi5XOCmg9TgEqxZihrWS9ybsvw+I9D88888888888JXl:5UWXaMU5Xvp3FrbCEnl

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe
    "C:\Users\Admin\AppData\Local\Temp\87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1216
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3056
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2876
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3316
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3972
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:512
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1268
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4476
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:5048
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2428
      • C:\Windows\SysWOW64\userinit.exe
        C:\Windows\system32\userinit.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1048
        • C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
          4⤵
          • Modifies registry class
          PID:680
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2676
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4436
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\87de581263a39b277af7aff727f4a2ee71c6354fd494773a09b00fd094c66793N.doc" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2068

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Recycled\SPOOLSV.EXE
    Filesize

    45KB

    MD5

    d8d281753a419185b9e0741afbe741a0

    SHA1

    417af6051aa1f79057c7cd9d0bcf48d2bdabb56d

    SHA256

    fb770d28648b9b9dff7649a6bc256b864ebad55978b530d75b3efebe6986ffd1

    SHA512

    d7402114de5a5c242dd01d14589226cfac89540fd435c7091d1854f5de2facd2cb12eb4541b245ca0722dcffeb55061b3f5a808f6090518cfd8920043603df3b

    Download Submit

  • C:\Recycled\SVCHOST.EXE
    Filesize

    45KB

    MD5

    595811ca02a2ab88705471d302649e69

    SHA1

    a88c5195744e432bd92455a5265535b8affe6a51

    SHA256

    791094d0ab6cca4885e2809700389f379def63c9c11aba292916f4414420f2f9

    SHA512

    f3d64f51716b1a97c57f028e3ebc49a1eb5bec952ed94f8f4008112a039090e47331333ead7f995ee10f9710db5a3d81bd421f61988c1c6d8d8917153f2f5249

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
    Filesize

    1KB

    MD5

    0269b6347e473980c5378044ac67aa1f

    SHA1

    c3334de50e320ad8bce8398acff95c363d039245

    SHA256

    68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

    SHA512

    e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TCDC97.tmp\gb.xsl
    Filesize

    262KB

    MD5

    51d32ee5bc7ab811041f799652d26e04

    SHA1

    412193006aa3ef19e0a57e16acf86b830993024a

    SHA256

    6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

    SHA512

    5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
    Filesize

    16B

    MD5

    d29962abc88624befc0135579ae485ec

    SHA1

    e40a6458296ec6a2427bcb280572d023a9862b31

    SHA256

    a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

    SHA512

    4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    2KB

    MD5

    f2ea28f1ccea5d5d1dcf40cbc9ece6fb

    SHA1

    f32187d5328fcfb3210aaa7009604e330a7af7d7

    SHA256

    f06aec9360eaceca3c134110ba30f08fe6e0e37283f40d15dd04cd5804fa2127

    SHA512

    471e66d4268cef25f60e0ddb5c7912395de3a1e4174ee719f7a4d47bed60d81ca237c5b1eb80dfdd817abd24a2ad3f1e0c509a00b0b04ce10df2ddd10d3f574a

    Download Submit

  • C:\begolu.txt
    Filesize

    2B

    MD5

    2b9d4fa85c8e82132bde46b143040142

    SHA1

    a02431cf7c501a5b368c91e41283419d8fa9fb03

    SHA256

    4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

    SHA512

    c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

    Download Submit

  • F:\Recycled\SVCHOST.EXE
    Filesize

    45KB

    MD5

    9431b9b571ebe9435b28ad1870951a4a

    SHA1

    1dc7833ca2eb05af3260a049edb1dcf6efc33efd

    SHA256

    6457787b479ae274b841fcb31ab14a3c8faab85b72f8f3b0d45a9dbe54202cb1

    SHA512

    2f2fc1e05ac9dfa9b113b012979b5558b81d43249ab446544dac6d3150052481fbe87cd5b6248da927ff79ed88f4caa8e4433ac32b1c5d17993aa37e509a583e

    Download Submit

  • memory/512-244-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/512-45-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/956-76-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/956-0-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1216-241-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1216-17-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1268-56-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1268-52-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2068-82-0x00007FFA89100000-0x00007FFA89110000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2068-83-0x00007FFA89100000-0x00007FFA89110000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2068-80-0x00007FFA8B1F0000-0x00007FFA8B200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2068-79-0x00007FFA8B1F0000-0x00007FFA8B200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2068-81-0x00007FFA8B1F0000-0x00007FFA8B200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2068-78-0x00007FFA8B1F0000-0x00007FFA8B200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2068-77-0x00007FFA8B1F0000-0x00007FFA8B200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2428-67-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2676-73-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2876-242-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2876-28-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3056-30-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3316-39-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3972-44-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4436-75-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4476-60-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/5048-63-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download