Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/10/2024, 16:20

General

  • Target

    279a14e5e63ce040d19cec6770552acfbca3987252ffc5c7b5f49509b16da859N.exe

  • Size

    3.9MB

  • MD5

    8de58fa69187da447b5bb410475d4500

  • SHA1

    8df0491973255a49fac9bdde06a93b3e4c8dddb4

  • SHA256

    279a14e5e63ce040d19cec6770552acfbca3987252ffc5c7b5f49509b16da859

  • SHA512

    e9cc1da5bd2d04f15ca55311ef5e5face7bdb772744caa47b483ec4e3bf1a4c13ce4cdecb931e5c9218ed40b9ae8b2350877b665d813746e00ed685ed63afd02

  • SSDEEP

    98304:nNRBOBfKgQIm9EOTqw8vjh9Ac9nUNupK4hVvcF+yHrAr:NR/gmeOqv7Ac9F0kh

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  • Executes dropped EXE (6 IoCs)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • Drops file in Windows directory (5 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  • Suspicious use of SetWindowsHookEx (14 IoCs)
  • Suspicious use of WriteProcessMemory (17 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\279a14e5e63ce040d19cec6770552acfbca3987252ffc5c7b5f49509b16da859N.exe
    "C:\Users\Admin\AppData\Local\Temp\279a14e5e63ce040d19cec6770552acfbca3987252ffc5c7b5f49509b16da859N.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:624
    • \??\c:\users\admin\appdata\local\temp\279a14e5e63ce040d19cec6770552acfbca3987252ffc5c7b5f49509b16da859n.exe
      c:\users\admin\appdata\local\temp\279a14e5e63ce040d19cec6770552acfbca3987252ffc5c7b5f49509b16da859n.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4176
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2228
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1512
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1688
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visibility of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2568
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1876

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\279a14e5e63ce040d19cec6770552acfbca3987252ffc5c7b5f49509b16da859n.exe

    Filesize

    3.8MB

    MD5

    46c17c999744470b689331f41eab7df1

    SHA1

    b8a63127df6a87d333061c622220d6d70ed80f7c

    SHA256

    c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

    SHA512

    4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    135KB

    MD5

    ea2908c8ae286f87602e40c4823d722f

    SHA1

    a74238e5f8a57610cb0fee40e210007cc837219e

    SHA256

    29a42487243906e61c01db731707f4a8379a0ef9ab3cbd79cbbda86dba6d0b7a

    SHA512

    4fa284e8730ddcc8d936a3aa93b80b8a1495535fd20fd88b2b7f4517d2e3173871ef8f3da713f46cbba2df2aee51e1dbb1ac06bf73724a3feb19bdc41ba44834

  • C:\Windows\Resources\Themes\icsys.icn.exe

    Filesize

    135KB

    MD5

    b0b6e90c633bbef6e4cb975355a7ab27

    SHA1

    1ea35abc8b24d9bcecf4c2245c777bde13b83258

    SHA256

    5a9daac4e8bb916a97f1447e2f601744af206b3e42b0da886aeb8a905b644912

    SHA512

    129cfa5870c046bebcba053a854b76fb6092ca702e16883dd6172ab3e4ffb2a5f1954004c2743bd7cfd6426b7e982fd445d82185d1b05eacfb36f3bdac9b950a

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    135KB

    MD5

    66a9b9c3d3df1a6192a844882b5f4f77

    SHA1

    e9cab0f0b9eee1279c63b6ed1df5f7d1e4e68a08

    SHA256

    8b0c370e9058bbb7a4c3cfede248991369b228f02b92eaa06ce21afa206f89df

    SHA512

    8c420f0b9ccf4fe05f845bf5d220c4e5775fe7afff1311d32a86687fd980edd9736ec0fa5a7cdc31b586761a73ec5a707e4f42c12cd469962a28553df3da423c

  • C:\Windows\Resources\svchost.exe

    Filesize

    135KB

    MD5

    0369fc873e638d0e05fd9432dea9830c

    SHA1

    9ad143c39e5be3b725ba16525a3bdcf0939512b2

    SHA256

    85cdc2c72104de38b61b3dd5d042a64784f75c2f15a1821902814cee1d9197cf

    SHA512

    1a328eb25e06acedd5ccd4f56d24adb0d60521adf1ad4f60aefc494f7ca931f4057078413063491bec947c214e277be6680d5d6672c6265b8a4c5c3f6cf6b1f4

  • memory/624-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/624-48-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1512-49-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1688-46-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1876-45-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2228-12-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2228-47-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2568-50-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB