Analysis

  • max time kernel
    150s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/10/2024, 19:48

General

  • Target

    test4.exe

  • Size

    9.4MB

  • MD5

    73d1cea4a5006924ed638debbaf499f2

  • SHA1

    fe7460ba99fc162e5cdc86525593992645496ab5

  • SHA256

    256d07c7196d58f02c9aeeb8f888d6d0f005c38a385fe54aea1c4192dd98fb07

  • SHA512

    559520b507fb57873c499476c3e347d72ba869ce4d3ef3ae25609a19cb3c3776e761854a4837975832213910fabe8d55ee080737ae9f4d8d613318c5cdc29f94

  • SSDEEP

    196608:dvfZZnCZww0CeVdEX4B5Afq/i7cXKP3ynEM1fe4clIkwiA4zOC3CRIOGhqw5Mz7:57CZwZ7EX6229q3bwi4RMqw5I

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Detects Pyinstaller 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\test4.exe
    "C:\Users\Admin\AppData\Local\Temp\test4.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:348
    • \??\c:\users\admin\appdata\local\temp\test4.exe 
      c:\users\admin\appdata\local\temp\test4.exe 
      2⤵
      • Executes dropped EXE
      PID:3928
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:412
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2300
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3164
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visibility of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4876
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1460

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\test4.exe 

    Filesize

    9.2MB

    MD5

    bcc2ec5df92b3311268bd77a08f6c595

    SHA1

    72e06d959800f33b2aa9f9903979de4e15f12f83

    SHA256

    ef536b66c50cd2372d954dd790ef1a77bcac1632747d00cd425ae2272b44ce1c

    SHA512

    84a6942d26a54e376168990429fa44f033e7f39182338a30498cd9289c65f341a7abfa2b6706abdb32ea1c6b2ca6cbb82bf260aec8eddd71522b6dc1e6a153d5

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    135KB

    MD5

    7caa6e9484182ad353f46ffdf40d2169

    SHA1

    129bf36e1adfe1e59d0481ab713ea06d8ae70059

    SHA256

    21e9fed50ae0552a99db01785c7e9c98c1bc8cff8a0106a9bad1f42fc0d00475

    SHA512

    0a7350de53d3cebb5c8a82d7311cb7382f134c11124de4094d1131194920fdc0b135b71207113523162ebf288252115dcf1598634c3297a70fb207b216bf7dd6

  • C:\Windows\Resources\Themes\icsys.icn.exe

    Filesize

    135KB

    MD5

    1e83d7c36a39f91fd355694fbbf5d908

    SHA1

    f914623c700649394a9a7b2b595401024257be91

    SHA256

    77bb53794a7a5ef1a19f17efe75270f07c6309c0b0f7c3cc496eafc6895eebce

    SHA512

    adca94f5c97fbf388fed36ebfb30c04442aa1d6c0cc9945ef65969c08a84f2c2c9fe9f4495c6fef081fbd037fc32749ffcb54428cc8811d9a7f164948e27c8cf

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    135KB

    MD5

    d139b21e7ecae936c63d37cf2e3e314d

    SHA1

    f1f4e300b5a035cd48e08d88b775d3808ec55798

    SHA256

    e92fa94363158ff02df7cc1908ab80fd8b90c60dc5303ad8e15379186166189f

    SHA512

    df027944f8860f0251fdb86708e19e4bdc26b61d88d2bce5b21c6cab293cec084bc5a5269f6a6bf9458287db0431e5a6bc357c886675ff387fba18170521c5c0

  • C:\Windows\Resources\svchost.exe

    Filesize

    135KB

    MD5

    701a3d47cb88781a2c6b8a8d1834f31e

    SHA1

    4f6ddd25b5beff12bd502b8afb438e95e97b625b

    SHA256

    0b28d41d8f06af1c7baa453ae6a76bd3cbc534d362f30252f7693c2202973242

    SHA512

    ce491d10e8c49d04e9773958f21ee77b25028f8726e07dabf2a79414aedf4a898143efcfaaf5b002b77f314cc2fcc7b9e165630b2eb8759fab173b7d92879ef3

  • memory/348-47-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/348-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/412-11-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/412-46-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1460-44-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2300-48-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3164-45-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4876-49-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB