Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8

90e1a6abfc...a1.exe

windows7-x64

10

90e1a6abfc...a1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    73s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/11/2022, 20:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1.exe

  • Size

    138KB

  • MD5

    b747d7d3251d18ca0e12f8a845c03213

  • SHA1

    e8d6b7b0eec90a4488d4ad8f291be736907fd27a

  • SHA256

    90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1

  • SHA512

    a27918551e691dc3624826c74afc98e434bc3a14345db01988f25720744e83da3f6e69c7163b61d21eca6eed47cd47c97bb25c4fc5a6bc98c0e9b06477c3e669

  • SSDEEP

    1536:dybBm4TdrvqMa4M7H8JTcdr405kanhduwf+RF:dybBm4TO4bYZ4nahXK

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
    persistence
  • Disables RegEdit via registry modification 3 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 6 IoCs
  • UPX packed file 21 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Drops file in Windows directory 12 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 41 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 9 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1.exe
    "C:\Users\Admin\AppData\Local\Temp\90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1848
    • C:\WINDOWS\h2s.exe
      C:\WINDOWS\h2s.exe
      2⤵
      • Modifies WinLogon for persistence
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4816
      • C:\WINDOWS\nacl.exe
        C:\WINDOWS\nacl.exe
        3⤵
        • Modifies WinLogon for persistence
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:2716
      • C:\WINDOWS\system\lsass.exe
        C:\WINDOWS\system\lsass.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:1676
    • C:\WINDOWS\system\lsass.exe
      C:\WINDOWS\system\lsass.exe
      2⤵
      • Modifies WinLogon for persistence
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:4860
    • C:\Windows\SysWOW64\explorer.exe
      explorer 90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1
      2⤵
        PID:4544
      • C:\WINDOWS\h2s.exe
        C:\WINDOWS\h2s.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:740
      • C:\WINDOWS\system\lsass.exe
        C:\WINDOWS\system\lsass.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2024
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:1904
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4308

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\WINDOWS\SysWOW64\w
        Filesize

        2KB

        MD5

        41f66bb0ac50f2d851236170e7c71341

        SHA1

        59bcec216302151922219b51be8ad8ab6d0b8384

        SHA256

        ec99cca58b612ce268e6ada818dfcec0acc22dd1bbe372487be9abbdd07ce073

        SHA512

        d0d223b93236d62d60974d638d9916901c37c32a4b8ef3faebd336850bc1af8b73ce27ac57205a00d97f38ccdd0ad655c9df7e1d7da6ae89de40b173a8639fa6

        Download Submit

      • C:\WINDOWS\SysWOW64\w
        Filesize

        2KB

        MD5

        41f66bb0ac50f2d851236170e7c71341

        SHA1

        59bcec216302151922219b51be8ad8ab6d0b8384

        SHA256

        ec99cca58b612ce268e6ada818dfcec0acc22dd1bbe372487be9abbdd07ce073

        SHA512

        d0d223b93236d62d60974d638d9916901c37c32a4b8ef3faebd336850bc1af8b73ce27ac57205a00d97f38ccdd0ad655c9df7e1d7da6ae89de40b173a8639fa6

        Download Submit

      • C:\WINDOWS\SysWOW64\w
        Filesize

        2KB

        MD5

        41f66bb0ac50f2d851236170e7c71341

        SHA1

        59bcec216302151922219b51be8ad8ab6d0b8384

        SHA256

        ec99cca58b612ce268e6ada818dfcec0acc22dd1bbe372487be9abbdd07ce073

        SHA512

        d0d223b93236d62d60974d638d9916901c37c32a4b8ef3faebd336850bc1af8b73ce27ac57205a00d97f38ccdd0ad655c9df7e1d7da6ae89de40b173a8639fa6

        Download Submit

      • C:\WINDOWS\h2s.exe
        Filesize

        138KB

        MD5

        b747d7d3251d18ca0e12f8a845c03213

        SHA1

        e8d6b7b0eec90a4488d4ad8f291be736907fd27a

        SHA256

        90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1

        SHA512

        a27918551e691dc3624826c74afc98e434bc3a14345db01988f25720744e83da3f6e69c7163b61d21eca6eed47cd47c97bb25c4fc5a6bc98c0e9b06477c3e669

        Download Submit

      • C:\WINDOWS\nacl.exe
        Filesize

        138KB

        MD5

        b747d7d3251d18ca0e12f8a845c03213

        SHA1

        e8d6b7b0eec90a4488d4ad8f291be736907fd27a

        SHA256

        90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1

        SHA512

        a27918551e691dc3624826c74afc98e434bc3a14345db01988f25720744e83da3f6e69c7163b61d21eca6eed47cd47c97bb25c4fc5a6bc98c0e9b06477c3e669

        Download Submit

      • C:\WINDOWS\system32\drivers\etc\hosts
        Filesize

        578B

        MD5

        4cedd41692993cf5a0a40baeb724b871

        SHA1

        fc1eeb1d88966ea4a816bcbdab320830b6f70261

        SHA256

        fc50ea976a803f4b75f0754c470753049cb6ad93466ec9a55f0b922e112a7695

        SHA512

        e7124fdba0a6580da6c48cd77777c6aa1aa23f304db8383551931db1e5e814d2d03de92eeaeeb64f4a0654ee7de640956abeffdd94bcd23c08a875cdc6907862

        Download Submit

      • C:\WINDOWS\system32\drivers\etc\hosts
        Filesize

        578B

        MD5

        4cedd41692993cf5a0a40baeb724b871

        SHA1

        fc1eeb1d88966ea4a816bcbdab320830b6f70261

        SHA256

        fc50ea976a803f4b75f0754c470753049cb6ad93466ec9a55f0b922e112a7695

        SHA512

        e7124fdba0a6580da6c48cd77777c6aa1aa23f304db8383551931db1e5e814d2d03de92eeaeeb64f4a0654ee7de640956abeffdd94bcd23c08a875cdc6907862

        Download Submit

      • C:\WINDOWS\system32\drivers\etc\hosts
        Filesize

        578B

        MD5

        4cedd41692993cf5a0a40baeb724b871

        SHA1

        fc1eeb1d88966ea4a816bcbdab320830b6f70261

        SHA256

        fc50ea976a803f4b75f0754c470753049cb6ad93466ec9a55f0b922e112a7695

        SHA512

        e7124fdba0a6580da6c48cd77777c6aa1aa23f304db8383551931db1e5e814d2d03de92eeaeeb64f4a0654ee7de640956abeffdd94bcd23c08a875cdc6907862

        Download Submit

      • C:\WINDOWS\system32\drivers\etc\hosts
        Filesize

        578B

        MD5

        4cedd41692993cf5a0a40baeb724b871

        SHA1

        fc1eeb1d88966ea4a816bcbdab320830b6f70261

        SHA256

        fc50ea976a803f4b75f0754c470753049cb6ad93466ec9a55f0b922e112a7695

        SHA512

        e7124fdba0a6580da6c48cd77777c6aa1aa23f304db8383551931db1e5e814d2d03de92eeaeeb64f4a0654ee7de640956abeffdd94bcd23c08a875cdc6907862

        Download Submit

      • C:\WINDOWS\system32\drivers\etc\hosts
        Filesize

        578B

        MD5

        4cedd41692993cf5a0a40baeb724b871

        SHA1

        fc1eeb1d88966ea4a816bcbdab320830b6f70261

        SHA256

        fc50ea976a803f4b75f0754c470753049cb6ad93466ec9a55f0b922e112a7695

        SHA512

        e7124fdba0a6580da6c48cd77777c6aa1aa23f304db8383551931db1e5e814d2d03de92eeaeeb64f4a0654ee7de640956abeffdd94bcd23c08a875cdc6907862

        Download Submit

      • C:\WINDOWS\system\lsass.exe
        Filesize

        138KB

        MD5

        b747d7d3251d18ca0e12f8a845c03213

        SHA1

        e8d6b7b0eec90a4488d4ad8f291be736907fd27a

        SHA256

        90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1

        SHA512

        a27918551e691dc3624826c74afc98e434bc3a14345db01988f25720744e83da3f6e69c7163b61d21eca6eed47cd47c97bb25c4fc5a6bc98c0e9b06477c3e669

        Download Submit

      • C:\Windows\System\lsass.exe
        Filesize

        138KB

        MD5

        b747d7d3251d18ca0e12f8a845c03213

        SHA1

        e8d6b7b0eec90a4488d4ad8f291be736907fd27a

        SHA256

        90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1

        SHA512

        a27918551e691dc3624826c74afc98e434bc3a14345db01988f25720744e83da3f6e69c7163b61d21eca6eed47cd47c97bb25c4fc5a6bc98c0e9b06477c3e669

        Download Submit

      • C:\Windows\System\lsass.exe
        Filesize

        138KB

        MD5

        b747d7d3251d18ca0e12f8a845c03213

        SHA1

        e8d6b7b0eec90a4488d4ad8f291be736907fd27a

        SHA256

        90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1

        SHA512

        a27918551e691dc3624826c74afc98e434bc3a14345db01988f25720744e83da3f6e69c7163b61d21eca6eed47cd47c97bb25c4fc5a6bc98c0e9b06477c3e669

        Download Submit

      • C:\Windows\System\lsass.exe
        Filesize

        138KB

        MD5

        b747d7d3251d18ca0e12f8a845c03213

        SHA1

        e8d6b7b0eec90a4488d4ad8f291be736907fd27a

        SHA256

        90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1

        SHA512

        a27918551e691dc3624826c74afc98e434bc3a14345db01988f25720744e83da3f6e69c7163b61d21eca6eed47cd47c97bb25c4fc5a6bc98c0e9b06477c3e669

        Download Submit

      • C:\Windows\h2s.exe
        Filesize

        138KB

        MD5

        b747d7d3251d18ca0e12f8a845c03213

        SHA1

        e8d6b7b0eec90a4488d4ad8f291be736907fd27a

        SHA256

        90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1

        SHA512

        a27918551e691dc3624826c74afc98e434bc3a14345db01988f25720744e83da3f6e69c7163b61d21eca6eed47cd47c97bb25c4fc5a6bc98c0e9b06477c3e669

        Download Submit

      • C:\Windows\h2s.exe
        Filesize

        138KB

        MD5

        b747d7d3251d18ca0e12f8a845c03213

        SHA1

        e8d6b7b0eec90a4488d4ad8f291be736907fd27a

        SHA256

        90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1

        SHA512

        a27918551e691dc3624826c74afc98e434bc3a14345db01988f25720744e83da3f6e69c7163b61d21eca6eed47cd47c97bb25c4fc5a6bc98c0e9b06477c3e669

        Download Submit

      • C:\Windows\nacl.exe
        Filesize

        138KB

        MD5

        b747d7d3251d18ca0e12f8a845c03213

        SHA1

        e8d6b7b0eec90a4488d4ad8f291be736907fd27a

        SHA256

        90e1a6abfc7c6ac32340937e305703c2809e757480cf40a5d63d4f4a0e1013a1

        SHA512

        a27918551e691dc3624826c74afc98e434bc3a14345db01988f25720744e83da3f6e69c7163b61d21eca6eed47cd47c97bb25c4fc5a6bc98c0e9b06477c3e669

        Download Submit

      • memory/740-172-0x0000000000400000-0x0000000000466000-memory.dmp

        Filesize

        408KB

        Download

      • memory/740-168-0x0000000000400000-0x0000000000466000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1676-164-0x0000000000400000-0x0000000000466000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1848-132-0x0000000000400000-0x0000000000466000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1848-177-0x0000000000400000-0x0000000000466000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2024-176-0x0000000000400000-0x0000000000466000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2716-167-0x0000000000400000-0x0000000000466000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2716-180-0x0000000000400000-0x0000000000466000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4816-178-0x0000000000400000-0x0000000000466000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4816-147-0x0000000000400000-0x0000000000466000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4860-179-0x0000000000400000-0x0000000000466000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4860-149-0x0000000000400000-0x0000000000466000-memory.dmp

        Filesize

        408KB

        Download