Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
30/09/2024, 01:47 UTC
Static task
static1
Behavioral task
behavioral1
Sample
b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe
Resource
win10v2004-20240802-en
General
-
Target
b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe
-
Size
1.9MB
-
MD5
bf0be7951a7f27a4396800841e696208
-
SHA1
995f57699b300b9032443fcdfe5501e515f90ffc
-
SHA256
b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c
-
SHA512
5780f9eb37fe1f4bd9f7ee932b5e313a73784eda997418428fa96131c2cc4db25b974511a41ccdcfcbe9ec34c6bd0d1f588cfa9b4110de6364656856517ed253
-
SSDEEP
49152:ISlNHydXboE+2pKWTvP6p9kB/GS0fsXCFh:ISjydNCYn0+M
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe -
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe -
Executes dropped EXE 4 IoCs
pid Process 1776 explorer.exe 4280 spoolsv.exe 2988 svchost.exe 232 spoolsv.exe -
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine spoolsv.exe Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine explorer.exe Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine spoolsv.exe Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine svchost.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1776 explorer.exe 4280 spoolsv.exe 2988 svchost.exe 232 spoolsv.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification \??\c:\windows\resources\themes\explorer.exe b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe File opened for modification C:\Windows\Resources\tjud.exe explorer.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1776 explorer.exe 1776 explorer.exe 1776 explorer.exe 1776 explorer.exe 1776 explorer.exe 1776 explorer.exe 1776 explorer.exe 1776 explorer.exe 1776 explorer.exe 1776 explorer.exe 1776 explorer.exe 1776 explorer.exe 1776 explorer.exe 1776 explorer.exe 1776 explorer.exe 1776 explorer.exe 1776 explorer.exe 1776 explorer.exe 1776 explorer.exe 1776 explorer.exe 1776 explorer.exe 1776 explorer.exe 1776 explorer.exe 1776 explorer.exe 1776 explorer.exe 1776 explorer.exe 1776 explorer.exe 1776 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 1776 explorer.exe 2988 svchost.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 1776 explorer.exe 1776 explorer.exe 4280 spoolsv.exe 4280 spoolsv.exe 2988 svchost.exe 2988 svchost.exe 232 spoolsv.exe 232 spoolsv.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1428 wrote to memory of 1776 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 82 PID 1428 wrote to memory of 1776 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 82 PID 1428 wrote to memory of 1776 1428 b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe 82 PID 1776 wrote to memory of 4280 1776 explorer.exe 83 PID 1776 wrote to memory of 4280 1776 explorer.exe 83 PID 1776 wrote to memory of 4280 1776 explorer.exe 83 PID 4280 wrote to memory of 2988 4280 spoolsv.exe 84 PID 4280 wrote to memory of 2988 4280 spoolsv.exe 84 PID 4280 wrote to memory of 2988 4280 spoolsv.exe 84 PID 2988 wrote to memory of 232 2988 svchost.exe 85 PID 2988 wrote to memory of 232 2988 svchost.exe 85 PID 2988 wrote to memory of 232 2988 svchost.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe"C:\Users\Admin\AppData\Local\Temp\b76d12f6d6588fc9d55da09a697926cd535e942ef64825bd33b238fad284460c.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1428 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1776 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:232
-
-
-
-
Network
-
Remote address:8.8.8.8:53Request154.239.44.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request83.210.23.2.in-addr.arpaIN PTRResponse83.210.23.2.in-addr.arpaIN PTRa2-23-210-83deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request76.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request217.106.137.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request28.118.140.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request50.23.12.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request206.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request30.243.111.52.in-addr.arpaIN PTRResponse
-
72 B 158 B 1 1
DNS Request
154.239.44.20.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
83.210.23.2.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
76.32.126.40.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
217.106.137.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
28.118.140.52.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
50.23.12.20.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
206.23.85.13.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
30.243.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD5d739d0c5a6f2887ac536d0248af885f8
SHA1c93b055e729ff4d574af1f5d443680c0a9a36a16
SHA256b1c7410efeded069f661ba4895c4a2cbba58edfeac996844a53dfaa0441f63e5
SHA512585281bf24bd5f7ebeed1c840c57e5ed22d15bb5cad88be6c1f35255aebabf3e38a53be46f02ad99879c011ec7c21c0280560cb16281281680618be728ce043b
-
Filesize
1.9MB
MD5d285a4b800e2fc06c7ce3315408620fa
SHA15c7339babd1f95aa8b93ad89f5e2c8d17933be09
SHA2562880952f9191a6b8deee0f449f0e9989db29e053669487904bbc1aed2b643086
SHA512655dd2d42067a33a11e8b088bd113b2058835d903b67d486568a7636364c749340f9b4637ed9e6a7e442e3a39fe65476b9099a4b777e1df036383a274cb9ceb1
-
Filesize
1.9MB
MD51d485dbe04a10b9cb681fcae1f0e874b
SHA18be9ebbb1d7922601a5e90671cdbb584a84bae42
SHA2564e3afbd9d80ddff805be69dab2ba9b084a0543c5c6bf8e6320893085cb2d0547
SHA51234316c0d6bf3162b43ec33215c69106de53f3dd82689f045ccd23f5c68a1e2182c57938e54df6e41fef29ad8c872efb3604e86e9f3cf07a4cc6dbee3b1a505cd