Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

acf7edad5b...9N.exe

windows7-x64

10

acf7edad5b...9N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/10/2024, 04:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe

  • Size

    77KB

  • MD5

    f4ec07ae9293761594c1562b9228b870

  • SHA1

    c1f0ac8b4e77fe57f9c9bbaf2ca426f1ea606879

  • SHA256

    acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9

  • SHA512

    c82cf33a019ffdfd28ecbcc279d3cd8062b4f72e2df3ac03b2df8e6d3a87eb4a25292b62cea170c9fac8b39c30525ae6ebed1f17b1918f57eb22b6069cc36721

  • SSDEEP

    1536:ekeK40T/mx7y9v7Z/Z2V/GSAFRfBhpVoKv:FD40Dmx7y9DZ/Z2hGVkKv

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 29 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 24 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe
    "C:\Users\Admin\AppData\Local\Temp\acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4316
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1168
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3528
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2280
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4852
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:5044
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5080
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:396
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3500
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:968
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3612
      • C:\Windows\SysWOW64\userinit.exe
        C:\Windows\system32\userinit.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4028
        • C:\Windows\SysWOW64\Explorer.exe
          Explorer.exe "C:\recycled\SVCHOST.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1164
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1884
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1632
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\acf7edad5ba5a53d1e5adf34c6cf8578e743c491c62fcdcdc79167f8d9e594e9N.doc" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1060
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
      PID:3380

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recycled\SVCHOST.EXE
      Filesize

      77KB

      MD5

      164d7245f06ebfcfa15f15995cc65820

      SHA1

      a7ed382939446664f920550e9879798282a62c2f

      SHA256

      b7b05952dc0fb5ea670204ad7108c836f7235033f39498006302f73d4066b0a2

      SHA512

      81a2bb5e4312dd78de293f0876ff0eae7bd9741fccc98ccfccd5b017b6b04cf165335a2ab4d37ae53e8ddbdcaa2a9248d029dd85f35303a96d123477e7412c09

      Download Submit

    • C:\Recycled\desktop.ini
      Filesize

      65B

      MD5

      ad0b0b4416f06af436328a3c12dc491b

      SHA1

      743c7ad130780de78ccbf75aa6f84298720ad3fa

      SHA256

      23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416

      SHA512

      884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
      Filesize

      1KB

      MD5

      0269b6347e473980c5378044ac67aa1f

      SHA1

      c3334de50e320ad8bce8398acff95c363d039245

      SHA256

      68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

      SHA512

      e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TCD2403.tmp\sist02.xsl
      Filesize

      245KB

      MD5

      f883b260a8d67082ea895c14bf56dd56

      SHA1

      7954565c1f243d46ad3b1e2f1baf3281451fc14b

      SHA256

      ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

      SHA512

      d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
      Filesize

      1KB

      MD5

      12f3f34c60b9ce7d57d692f21e3eec74

      SHA1

      4f191c37a4817864f726d8a64f7f15f0c24dbf37

      SHA256

      88f17d210043249e86b2d91bef560fc153e37eccac6bd46db5f699d3243ec865

      SHA512

      7e90b58755bfdac46a71a3b92d4b81b3a98447d7fef201e2cafd84599a65b183484d741d46d55fec44b3d25c1b3a3d4b22eeb8ec454ca5a4715ee388b00eadc2

      Download Submit

    • C:\begolu.txt
      Filesize

      2B

      MD5

      2b9d4fa85c8e82132bde46b143040142

      SHA1

      a02431cf7c501a5b368c91e41283419d8fa9fb03

      SHA256

      4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

      SHA512

      c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

      Download Submit

    • C:\recycled\SPOOLSV.EXE
      Filesize

      77KB

      MD5

      c8fc3cfe3cc2d94212f62a5a4e7cf175

      SHA1

      465fb4112f1149e49378ad6f20f28f5c48835023

      SHA256

      c01dfd8c4942624b609a5ba6f7a711105b99760a565975fbe81c5f52f8b348ab

      SHA512

      37a29d52135c773b841803331b57137127208dbe96e9f99d72b8a56871b912bfd4423e190f5689c055f84475762d0c73f9648935c69a2bd4e23b9c437f579380

      Download Submit

    • F:\Recycled\SVCHOST.EXE
      Filesize

      77KB

      MD5

      349a7ae1a5a8bdd45481e4cc98983fba

      SHA1

      fb82c8c6bcc83f125cdb9fe7ccb81492cc06a4f1

      SHA256

      3e6844d173e1a11839485ec0e04b26afa6aba1643b96569c4a0193a329c4a3c1

      SHA512

      791ce7b65e958614316b1451cc4a2edd287b7dcc903eacfe27ef5bc284e1cf79ddf253ff4eef036dcd3facdb389314caba4888863e4657155297b857262e96e0

      Download Submit

    • memory/396-55-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/968-59-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/968-63-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1060-83-0x00007FFBC4A70000-0x00007FFBC4A80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1060-84-0x00007FFBC4A70000-0x00007FFBC4A80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1060-79-0x00007FFBC73D0000-0x00007FFBC73E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1060-81-0x00007FFBC73D0000-0x00007FFBC73E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1060-82-0x00007FFBC73D0000-0x00007FFBC73E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1060-78-0x00007FFBC73D0000-0x00007FFBC73E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1060-80-0x00007FFBC73D0000-0x00007FFBC73E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1168-292-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1168-17-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1632-75-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1884-72-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2280-28-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2280-298-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3500-60-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3528-29-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3612-68-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4316-77-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4316-0-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4852-39-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/5044-42-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/5080-46-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/5080-299-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download