Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8

90e1a6abfc...a1.exe

windows7-x64

10

90e1a6abfc...a1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    161s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    25/11/2022, 20:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1.exe

  • Size

    138KB

  • MD5

    b747d7d3251d18ca0e12f8a845c03213

  • SHA1

    e8d6b7b0eec90a4488d4ad8f291be736907fd27a

  • SHA256

    90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1

  • SHA512

    a27918551e691dc3624826c74afc98e434bc3a14345db01988f25720744e83da3f6e69c7163b61d21eca6eed47cd47c97bb25c4fc5a6bc98c0e9b06477c3e669

  • SSDEEP

    1536:dybBm4TdrvqMa4M7H8JTcdr405kanhduwf+RF:dybBm4TO4bYZ4nahXK

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
    persistence
  • Disables RegEdit via registry modification 3 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 6 IoCs
  • UPX packed file 24 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Drops file in Windows directory 12 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 37 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 9 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1.exe
    "C:\Users\Admin\AppData\Local\Temp\90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\WINDOWS\h2s.exe
      C:\WINDOWS\h2s.exe
      2⤵
      • Modifies WinLogon for persistence
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1984
      • C:\WINDOWS\nacl.exe
        C:\WINDOWS\nacl.exe
        3⤵
        • Modifies WinLogon for persistence
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:572
      • C:\WINDOWS\system\lsass.exe
        C:\WINDOWS\system\lsass.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:1240
    • C:\WINDOWS\system\lsass.exe
      C:\WINDOWS\system\lsass.exe
      2⤵
      • Modifies WinLogon for persistence
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:1152
    • C:\Windows\SysWOW64\explorer.exe
      explorer 90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1
      2⤵
        PID:1388
      • C:\WINDOWS\h2s.exe
        C:\WINDOWS\h2s.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:1432
      • C:\WINDOWS\system\lsass.exe
        C:\WINDOWS\system\lsass.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:1648
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      PID:396

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\WINDOWS\SysWOW64\w
      Filesize

      2KB

      MD5

      41f66bb0ac50f2d851236170e7c71341

      SHA1

      59bcec216302151922219b51be8ad8ab6d0b8384

      SHA256

      ec99cca58b612ce268e6ada818dfcec0acc22dd1bbe372487be9abbdd07ce073

      SHA512

      d0d223b93236d62d60974d638d9916901c37c32a4b8ef3faebd336850bc1af8b73ce27ac57205a00d97f38ccdd0ad655c9df7e1d7da6ae89de40b173a8639fa6

      Download Submit

    • C:\WINDOWS\h2s.exe
      Filesize

      138KB

      MD5

      b747d7d3251d18ca0e12f8a845c03213

      SHA1

      e8d6b7b0eec90a4488d4ad8f291be736907fd27a

      SHA256

      90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1

      SHA512

      a27918551e691dc3624826c74afc98e434bc3a14345db01988f25720744e83da3f6e69c7163b61d21eca6eed47cd47c97bb25c4fc5a6bc98c0e9b06477c3e669

      Download Submit

    • C:\WINDOWS\nacl.exe
      Filesize

      138KB

      MD5

      b747d7d3251d18ca0e12f8a845c03213

      SHA1

      e8d6b7b0eec90a4488d4ad8f291be736907fd27a

      SHA256

      90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1

      SHA512

      a27918551e691dc3624826c74afc98e434bc3a14345db01988f25720744e83da3f6e69c7163b61d21eca6eed47cd47c97bb25c4fc5a6bc98c0e9b06477c3e669

      Download Submit

    • C:\WINDOWS\system32\drivers\etc\hosts
      Filesize

      578B

      MD5

      4cedd41692993cf5a0a40baeb724b871

      SHA1

      fc1eeb1d88966ea4a816bcbdab320830b6f70261

      SHA256

      fc50ea976a803f4b75f0754c470753049cb6ad93466ec9a55f0b922e112a7695

      SHA512

      e7124fdba0a6580da6c48cd77777c6aa1aa23f304db8383551931db1e5e814d2d03de92eeaeeb64f4a0654ee7de640956abeffdd94bcd23c08a875cdc6907862

      Download Submit

    • C:\WINDOWS\system32\drivers\etc\hosts
      Filesize

      578B

      MD5

      4cedd41692993cf5a0a40baeb724b871

      SHA1

      fc1eeb1d88966ea4a816bcbdab320830b6f70261

      SHA256

      fc50ea976a803f4b75f0754c470753049cb6ad93466ec9a55f0b922e112a7695

      SHA512

      e7124fdba0a6580da6c48cd77777c6aa1aa23f304db8383551931db1e5e814d2d03de92eeaeeb64f4a0654ee7de640956abeffdd94bcd23c08a875cdc6907862

      Download Submit

    • C:\WINDOWS\system32\drivers\etc\hosts
      Filesize

      578B

      MD5

      4cedd41692993cf5a0a40baeb724b871

      SHA1

      fc1eeb1d88966ea4a816bcbdab320830b6f70261

      SHA256

      fc50ea976a803f4b75f0754c470753049cb6ad93466ec9a55f0b922e112a7695

      SHA512

      e7124fdba0a6580da6c48cd77777c6aa1aa23f304db8383551931db1e5e814d2d03de92eeaeeb64f4a0654ee7de640956abeffdd94bcd23c08a875cdc6907862

      Download Submit

    • C:\WINDOWS\system32\drivers\etc\hosts
      Filesize

      578B

      MD5

      4cedd41692993cf5a0a40baeb724b871

      SHA1

      fc1eeb1d88966ea4a816bcbdab320830b6f70261

      SHA256

      fc50ea976a803f4b75f0754c470753049cb6ad93466ec9a55f0b922e112a7695

      SHA512

      e7124fdba0a6580da6c48cd77777c6aa1aa23f304db8383551931db1e5e814d2d03de92eeaeeb64f4a0654ee7de640956abeffdd94bcd23c08a875cdc6907862

      Download Submit

    • C:\WINDOWS\system32\drivers\etc\hosts
      Filesize

      578B

      MD5

      4cedd41692993cf5a0a40baeb724b871

      SHA1

      fc1eeb1d88966ea4a816bcbdab320830b6f70261

      SHA256

      fc50ea976a803f4b75f0754c470753049cb6ad93466ec9a55f0b922e112a7695

      SHA512

      e7124fdba0a6580da6c48cd77777c6aa1aa23f304db8383551931db1e5e814d2d03de92eeaeeb64f4a0654ee7de640956abeffdd94bcd23c08a875cdc6907862

      Download Submit

    • C:\WINDOWS\system\lsass.exe
      Filesize

      138KB

      MD5

      b747d7d3251d18ca0e12f8a845c03213

      SHA1

      e8d6b7b0eec90a4488d4ad8f291be736907fd27a

      SHA256

      90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1

      SHA512

      a27918551e691dc3624826c74afc98e434bc3a14345db01988f25720744e83da3f6e69c7163b61d21eca6eed47cd47c97bb25c4fc5a6bc98c0e9b06477c3e669

      Download Submit

    • C:\Windows\h2s.exe
      Filesize

      138KB

      MD5

      b747d7d3251d18ca0e12f8a845c03213

      SHA1

      e8d6b7b0eec90a4488d4ad8f291be736907fd27a

      SHA256

      90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1

      SHA512

      a27918551e691dc3624826c74afc98e434bc3a14345db01988f25720744e83da3f6e69c7163b61d21eca6eed47cd47c97bb25c4fc5a6bc98c0e9b06477c3e669

      Download Submit

    • C:\Windows\h2s.exe
      Filesize

      138KB

      MD5

      b747d7d3251d18ca0e12f8a845c03213

      SHA1

      e8d6b7b0eec90a4488d4ad8f291be736907fd27a

      SHA256

      90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1

      SHA512

      a27918551e691dc3624826c74afc98e434bc3a14345db01988f25720744e83da3f6e69c7163b61d21eca6eed47cd47c97bb25c4fc5a6bc98c0e9b06477c3e669

      Download Submit

    • C:\Windows\nacl.exe
      Filesize

      138KB

      MD5

      b747d7d3251d18ca0e12f8a845c03213

      SHA1

      e8d6b7b0eec90a4488d4ad8f291be736907fd27a

      SHA256

      90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1

      SHA512

      a27918551e691dc3624826c74afc98e434bc3a14345db01988f25720744e83da3f6e69c7163b61d21eca6eed47cd47c97bb25c4fc5a6bc98c0e9b06477c3e669

      Download Submit

    • C:\Windows\system\lsass.exe
      Filesize

      138KB

      MD5

      b747d7d3251d18ca0e12f8a845c03213

      SHA1

      e8d6b7b0eec90a4488d4ad8f291be736907fd27a

      SHA256

      90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1

      SHA512

      a27918551e691dc3624826c74afc98e434bc3a14345db01988f25720744e83da3f6e69c7163b61d21eca6eed47cd47c97bb25c4fc5a6bc98c0e9b06477c3e669

      Download Submit

    • C:\Windows\system\lsass.exe
      Filesize

      138KB

      MD5

      b747d7d3251d18ca0e12f8a845c03213

      SHA1

      e8d6b7b0eec90a4488d4ad8f291be736907fd27a

      SHA256

      90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1

      SHA512

      a27918551e691dc3624826c74afc98e434bc3a14345db01988f25720744e83da3f6e69c7163b61d21eca6eed47cd47c97bb25c4fc5a6bc98c0e9b06477c3e669

      Download Submit

    • C:\Windows\system\lsass.exe
      Filesize

      138KB

      MD5

      b747d7d3251d18ca0e12f8a845c03213

      SHA1

      e8d6b7b0eec90a4488d4ad8f291be736907fd27a

      SHA256

      90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1

      SHA512

      a27918551e691dc3624826c74afc98e434bc3a14345db01988f25720744e83da3f6e69c7163b61d21eca6eed47cd47c97bb25c4fc5a6bc98c0e9b06477c3e669

      Download Submit

    • \Windows\system\lsass.exe
      Filesize

      138KB

      MD5

      b747d7d3251d18ca0e12f8a845c03213

      SHA1

      e8d6b7b0eec90a4488d4ad8f291be736907fd27a

      SHA256

      90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1

      SHA512

      a27918551e691dc3624826c74afc98e434bc3a14345db01988f25720744e83da3f6e69c7163b61d21eca6eed47cd47c97bb25c4fc5a6bc98c0e9b06477c3e669

      Download Submit

    • \Windows\system\lsass.exe
      Filesize

      138KB

      MD5

      b747d7d3251d18ca0e12f8a845c03213

      SHA1

      e8d6b7b0eec90a4488d4ad8f291be736907fd27a

      SHA256

      90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1

      SHA512

      a27918551e691dc3624826c74afc98e434bc3a14345db01988f25720744e83da3f6e69c7163b61d21eca6eed47cd47c97bb25c4fc5a6bc98c0e9b06477c3e669

      Download Submit

    • \Windows\system\lsass.exe
      Filesize

      138KB

      MD5

      b747d7d3251d18ca0e12f8a845c03213

      SHA1

      e8d6b7b0eec90a4488d4ad8f291be736907fd27a

      SHA256

      90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1

      SHA512

      a27918551e691dc3624826c74afc98e434bc3a14345db01988f25720744e83da3f6e69c7163b61d21eca6eed47cd47c97bb25c4fc5a6bc98c0e9b06477c3e669

      Download Submit

    • \Windows\system\lsass.exe
      Filesize

      138KB

      MD5

      b747d7d3251d18ca0e12f8a845c03213

      SHA1

      e8d6b7b0eec90a4488d4ad8f291be736907fd27a

      SHA256

      90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1

      SHA512

      a27918551e691dc3624826c74afc98e434bc3a14345db01988f25720744e83da3f6e69c7163b61d21eca6eed47cd47c97bb25c4fc5a6bc98c0e9b06477c3e669

      Download Submit

    • memory/396-106-0x00000000039C0000-0x00000000039D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/396-95-0x000007FEFC241000-0x000007FEFC243000-memory.dmp

      Filesize

      8KB

      Download

    • memory/572-108-0x0000000000400000-0x0000000000466000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1152-110-0x0000000000400000-0x0000000000466000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1152-72-0x0000000000400000-0x0000000000466000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1240-90-0x0000000000400000-0x0000000000466000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1388-78-0x0000000076651000-0x0000000076653000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1388-83-0x0000000074B11000-0x0000000074B13000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1432-99-0x0000000000400000-0x0000000000466000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1648-104-0x0000000000400000-0x0000000000466000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1700-55-0x0000000000400000-0x0000000000466000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1700-105-0x0000000000400000-0x0000000000466000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1700-70-0x00000000006F0000-0x0000000000756000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1984-107-0x0000000002580000-0x00000000025E6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1984-109-0x0000000000400000-0x0000000000466000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1984-111-0x0000000002580000-0x00000000025E6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1984-71-0x0000000000400000-0x0000000000466000-memory.dmp

      Filesize

      408KB

      Download