
Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/10/2024, 02:11

General

  • Target

    d72d2f0e6154799277900b2290c0c853cb37a2e0d6464492d6ec928c3c770811N.exe

  • Size

    211KB

  • MD5

    7b1a668eb5c6d16ed9c06e6d7b5fcb40

  • SHA1

    861076702455b7207cd93d36f7911fad16a56f89

  • SHA256

    d72d2f0e6154799277900b2290c0c853cb37a2e0d6464492d6ec928c3c770811

  • SHA512

    62441c1433b1b4977987f3498144a5634900333f0a599698e7323f5010169c8e9c38fcda9fd16940f40abc42baac59cf75bd331343dfdd5dc1b07aa5c4400ee5

  • SSDEEP

    3072:WD6Xtx68yygRBE52mxkEOHLRMpZ4deth8PEAjAfIbAYGPhz6sPJBInxZqOf:Wh8cBzHLRMpZ4d1Zf

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d72d2f0e6154799277900b2290c0c853cb37a2e0d6464492d6ec928c3c770811N.exe
    "C:\Users\Admin\AppData\Local\Temp\d72d2f0e6154799277900b2290c0c853cb37a2e0d6464492d6ec928c3c770811N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4888
    • \??\c:\windows\userinit.exe
      c:\windows\userinit.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of hidden/system files in Explorer
      • Boot or Logon Autostart Execution: Active Setup
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:848
      • \??\c:\windows\spoolsw.exe
        c:\windows\spoolsw.exe SE
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1596
        • \??\c:\windows\swchost.exe
          c:\windows\swchost.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2036
          • \??\c:\windows\spoolsw.exe
            c:\windows\spoolsw.exe PR
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3628
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4228,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=4184 /prefetch:8
    1⤵
      PID:3172

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\mrsys.exe

      Filesize

      211KB

      MD5

      0ceea8f87dbd59baa6e2cb8f06ebf4a1

      SHA1

      9dea4cd321c9be5f3215f02645ae29a9e79d5a3c

      SHA256

      737b8e59be5d2846b2b0b5a4b1792398d1ca6dca39ad0fba365692098c574690

      SHA512

      85b34f3b86a811ec862fca94dff8498edfe30505e5d8ac86d4c473d792f54f476dab097d5c279b822ef96f9afbeadbd88874d94b181f171f1656558f95e714bb

    • C:\Windows\spoolsw.exe

      Filesize

      211KB

      MD5

      3c40f4e604de07c849b8aad883c1d9c6

      SHA1

      9b8662bc94b3614175c755f6f80141ba8b04d6e3

      SHA256

      ebbd49932c71ef20b4fca205fc46dc0a4e5e9419e24f29088ceddb7bafadee27

      SHA512

      0d4e8bcdfacee5d418789dfb0f6ec53d6f1ad179f34a282f124a02de67812a91857e3368254d536401b598a81778747cef47d0c8143bba271a86753476579c85

    • C:\Windows\swchost.exe

      Filesize

      211KB

      MD5

      8e35b41013f7114bd9040259b7a2a145

      SHA1

      efb9e78d863b8330374844410b34bd0938063967

      SHA256

      573d263010f03d026eba4c319e70d954e9898973dad6d7430ba6936d83becfe0

      SHA512

      060a9ca4c3399e35d1e93a64396aae2be6a68028bf7b218fddeaf610abecad7c24c988d88183dc4fcd38003d9562b91c97eeb6fb42e65c381098f8cf624c6e0f

    • C:\Windows\userinit.exe

      Filesize

      211KB

      MD5

      d08113dcd09a6947bdeaf3b34445323f

      SHA1

      f1ec7b118ad69a4dbe635260c5c9e7249dfdbca9

      SHA256

      2433b375031fd6488d3438b8e489b3ba96e1dcd5a7264248909aa4a9575e6d42

      SHA512

      d91fefeffb09924e01b30f8becf046b97fe0b3d46ba7ae2970257da44ffd404cbc1c088aea1bff7ca1885f74f48b61cd26734d72188784eb5a32714bb99d2edf

    • memory/848-38-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

    • memory/1596-35-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

    • memory/2036-39-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

    • memory/3628-32-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

    • memory/4888-0-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

    • memory/4888-37-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB
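
The four dropped files above are all 211KB but carry four different hashes, so the per-file SHA256 values will only match these exact copies. The script below is an added example, not part of the report: it hunts a drive root or mounted image for the listed hashes and, independently, for the dropper's file names in the locations the process tree and the Downloads list show: userinit.exe, spoolsw.exe and swchost.exe directly under the Windows directory (the legitimate userinit.exe, spoolsv.exe and svchost.exe live in System32), and mrsys.exe under AppData. The entries in CONSTRUCTED_FILES are constructed stand-ins for the demo, not the real binaries.

```python
"""Hunt a drive root or mounted image for the artifacts listed under
Downloads. Hash matching uses the report's SHA256 values; the name/location
check catches copies whose hash differs, as each drop here already does."""
import hashlib
import os
import shutil
import tempfile

# SHA256 values copied from the report; paths are relative to the drive root.
DROPPED = {
    r"Windows\userinit.exe": "2433b375031fd6488d3438b8e489b3ba96e1dcd5a7264248909aa4a9575e6d42",
    r"Windows\spoolsw.exe": "ebbd49932c71ef20b4fca205fc46dc0a4e5e9419e24f29088ceddb7bafadee27",
    r"Windows\swchost.exe": "573d263010f03d026eba4c319e70d954e9898973dad6d7430ba6936d83becfe0",
    r"Users\Admin\AppData\Local\mrsys.exe": "737b8e59be5d2846b2b0b5a4b1792398d1ca6dca39ad0fba365692098c574690",
}
SAMPLE_SHA256 = "d72d2f0e6154799277900b2290c0c853cb37a2e0d6464492d6ec928c3c770811"
# These names directly in the Windows root are an indicator on their own:
# the real userinit.exe, spoolsv.exe and svchost.exe all live in System32.
WINDOWS_ROOT_NAMES = {"userinit.exe", "spoolsw.exe", "swchost.exe"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root, extra_hashes=()):
    """Walk root and return (relative path, sha256, reason) for every hit."""
    known = set(DROPPED.values()) | {SAMPLE_SHA256} | set(extra_hashes)
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            lname = name.lower()
            if not lname.endswith(".exe"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            parts = rel.replace("\\", "/").lower().split("/")
            digest = sha256_file(full)
            if digest in known:
                hits.append((rel, digest, "sha256 in watchlist"))
            if lname in WINDOWS_ROOT_NAMES and parts[:-1] == ["windows"]:
                hits.append((rel, digest, "dropper name in Windows root"))
            elif lname == "mrsys.exe" and "appdata" in parts:
                hits.append((rel, digest, "mrsys.exe under AppData"))
    return hits


# Constructed stand-ins for a demo tree; not the real binaries from the report.
CONSTRUCTED_FILES = {
    "Windows/userinit.exe": b"MZ" + b"\0" * 62 + b"constructed dropped copy A",
    "Windows/spoolsw.exe": b"MZ" + b"\0" * 62 + b"constructed dropped copy B",
    "Windows/System32/userinit.exe": b"MZ" + b"\0" * 62 + b"constructed legitimate userinit",
    "Users/Admin/AppData/Local/mrsys.exe": b"MZ" + b"\0" * 62 + b"constructed dropped copy C",
    "Users/Admin/Downloads/sample.exe": b"MZ" + b"\0" * 62 + b"constructed original sample",
}


def build_constructed_tree(base):
    """Write CONSTRUCTED_FILES under base and return the sha256 of the stand-in
    sample, which plays the role of SAMPLE_SHA256 for the constructed data."""
    for rel, data in CONSTRUCTED_FILES.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return hashlib.sha256(CONSTRUCTED_FILES["Users/Admin/Downloads/sample.exe"]).hexdigest()


def demo():
    """Scan the constructed tree in a temporary directory and return the hits."""
    base = tempfile.mkdtemp()
    try:
        return scan(base, extra_hashes=[build_constructed_tree(base)])
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for rel, digest, reason in demo():
        print(f"{reason:30} {rel}  {digest[:16]}...")
```

Against a live host, call scan("C:\\") as administrator; against a mounted image, pass its mount point. Note that the constructed System32\userinit.exe is not reported, which is the intended behaviour: the check is on the dropper's names in the wrong directory, not on the names alone.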