Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

666.exe

windows7-x64

666.exe

windows10-2004-x64

Analysis

  • max time kernel
    9s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    14/10/2023, 01:17

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    666.exe

  • Size

    4.0MB

  • MD5

    fb06afbe05e9006fb0974b34db9b3e47

  • SHA1

    798adfdf387a81d4e4784508b1c7a45c2574e5fb

  • SHA256

    4958c554787a589449e918fc5e3acc61b0ca61fdbf7ce0b658d4f60e2052f48e

  • SHA512

    5a7d0ae0e43cce249f4a8bd1239697a36b6f903336b23dd0b9c7aec415e0209dd24385e4f90d14a911208214415625f4a90ac490c1439f48be34cabde1c89080

  • SSDEEP

    49152:zO24L/Por4CZ8BSnxlGWJzV89A6E2Lfv/jMuxB4sbD3IqSq+3:zDIMdD89aSlxBx3

Score
10/10
evasionpersistenceransomwaretrojan

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
    persistence
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Blocks application from running via registry modification 3 IoCs

    Adds application to list of disallowed applications.

    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Sets file execution options in registry 2 TTPs 12 IoCs
    persistence
  • Modifies system executable filetype association 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Modifies WinLogon 2 TTPs 1 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Windows directory 6 IoCs
  • Modifies Control Panel 1 IoCs
    evasion
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • System policy modification 1 TTPs 13 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\666.exe
    "C:\Users\Admin\AppData\Local\Temp\666.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Blocks application from running via registry modification
    • Disables RegEdit via registry modification
    • Sets file execution options in registry
    • Modifies system executable filetype association
    • Checks whether UAC is enabled
    • Modifies WinLogon
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:2236
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:2800
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:2160

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      3
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      2
      T1547.004

      Event Triggered Execution

      1
      T1546

      Change Default File Association

      1
      T1546.001

      Privilege Escalation

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Boot or Logon Autostart Execution

      3
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      2
      T1547.004

      Event Triggered Execution

      1
      T1546

      Change Default File Association

      1
      T1546.001

      Defense Evasion

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Impair Defenses

      1
      T1562

      Disable or Modify Tools

      1
      T1562.001

      Modify Registry

      7
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Defacement

      1
      T1491

      Inhibit System Recovery

      1
      T1490

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2160-12-0x00000000028A0000-0x00000000028A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2800-11-0x00000000029C0000-0x00000000029C1000-memory.dmp

        Filesize

        4KB

        Download