Analysis

  • max time kernel
    159s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/12/2023, 03:28

General

  • Target
    0cf5390295c3b5cd1e4d8fa29ec624aa.exe
  • Size
    271KB
  • MD5
    0cf5390295c3b5cd1e4d8fa29ec624aa
  • SHA1
    569323435ee0fdff12cb927a0583636591342846
  • SHA256
    3648ed90c126b451398fb10a2aaa053c21960c9a6451300f9dd9b84c973c2d58
  • SHA512
    33d285497e6880bbb9b5ac0f7abd0acb9997439f4eeacf4499406a0ee4828a7f42ae1384bb6ff765264985ddd094f5be76a657f3bd7591ff228610cc4e302043
  • SSDEEP
    6144:bUrqA3AheuswyPnDh4+AVx1OSu4u/mRMnxaHnb0sK5R2:bUWA3AheuswyLhDax8Snu/aMxKrl

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0cf5390295c3b5cd1e4d8fa29ec624aa.exe
    "C:\Users\Admin\AppData\Local\Temp\0cf5390295c3b5cd1e4d8fa29ec624aa.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\start.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\start.exe" o6 (Small).jpg
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4452
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4160
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:4520
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:4492
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
          C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:1656
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2152

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\MSWINSCK.dep
    Filesize: 2KB
    MD5: 2fe371a8b53e0460a831f544bd97cfe9
    SHA1: 1c8a3e28c8c1a57391a4e96f60f1cbe8d375dde3
    SHA256: df1c1554922b96f5e8266fe7206e0a0ca755d3c234fd31c50deb71581f0dbe77
    SHA512: fe4318005da5a675bf41e744350eab9d39574b819cdcf46cba0d101f5681492da574c94acade4dcfa69d3361a665a2022a98f257eb434fdf013b874ca2a12351

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\MSWINSCK.oca
    Filesize: 21KB
    MD5: 1c239f9c061f5c84874481d2c876bf80
    SHA1: 9d72e36fdc6569cd407af822c548c462227248cd
    SHA256: 9fd77d86e00a5bec45f3825d4f7c8965b6b9d54ec161c10d0c0d23e36493ab88
    SHA512: cdc7ea38e32ffff5c5e617ec9d3306d64ca8eab44561146d9e1213d83afee80aa95f05b184374eb5356e552b40825b0f0bc260be0c1238579c6520fa1c80d5c8

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\MSWINSCK.ocx
    Filesize: 106KB
    MD5: 3d8fd62d17a44221e07d5c535950449b
    SHA1: 6c9d2ecdd7c2d1b9660d342e2b95a82229486d27
    SHA256: eba048e3a9cb11671d0e3c5a0b243b304d421762361fe24fd5ea08cb66704b09
    SHA512: 501e22a0f99e18f6405356184506bc5849adc2c1df3bdee71f2b4514ab0e3e36673b4aecbd615d24ebb4be5a28570b2a6f80bd52331edb658f7a5f5a9d686d10

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\comcat.dll
    Filesize: 3KB
    MD5: 0daa5a5532efa4e816f99a30d0c0f3dc
    SHA1: 76a54d6705bd25a4f0715cfcbb1d4f997d6fa8cf
    SHA256: 894b180bb547c7a286a8f497d618ad2879b195720cac295fafb23b3e878a19c2
    SHA512: 85cde5e20deff18e2856586684dddd79bf6e21b711849593cec93e380495d6387de968c3b3cc79e558aaa821e15b26c59cc7d12b1ee9d6c42b5e281381e66551

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\config.sys
    Filesize: 264B
    MD5: 853c228b4e8391c998d4292a7c96eb7e
    SHA1: 84dd97ec6598902e755f8f30931d6ce749b1fdaf
    SHA256: 7d6caf005f1b31b1ef8fac11f8c4e7078d03712e3a5d08ddf89d24a73fdd8924
    SHA512: d8f3a393286bb45ba51f70ac345f32770fc72a2f1fe8534a1ff8b622b2ebbccebeb18d6d72e98ee09d859e1fba587132df2b256512c48db2a854d79ac2fbb8a1

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\csrss.exe
    Filesize: 208KB
    MD5: f011ba0ecbe4a3dca9b51bd8dc282484
    SHA1: c9ec1478a8facfc0c645fc66e147e57f6fb3eb7f
    SHA256: 42b0eaf2a07926c930e67f4aa5fa28918be34ae50abf96c46a954849cb0993c0
    SHA512: 9cc9524bd08c67bd24f41a0848c5b73ca98f3fcd73742e7b059875e502d93956749721231939a31d3f998e3fd90335f2adfd3f2a98c7784faf5a6f289a54ba24

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\start.exe
    Filesize: 40KB
    MD5: 9e8de391f13042eaf1e3e0535cd2a0c2
    SHA1: 5f1557e5da87529718382ce2c6daae381b0fab25
    SHA256: 07660ac4b6a788014bb09130a53dc02fac545002b9d31ef13d811b29117d42a8
    SHA512: f71a8a22cc099c940dee6e7e5a0eaa36cac8c60d39f167777283b5753f9b4a1f2c74b96f5161a703e16370bb98afe9ad73404408f0ab4f81fbcb6f58b3ac4544

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\stdole2.tlb
    Filesize: 16KB
    MD5: 89f4d0dd6606a2fe15931e6888dbbc8d
    SHA1: b33d2b19ce16a7ac275259d4cb6eb39d8f1825ce
    SHA256: 513d9f6db0d993db6d720df1ff4fed2c6a9b067522cdee389ca40d3b618b6a55
    SHA512: 63a38e48e24e9c20f823592b59ec0010a114d237cce3a486300cf90ed9e866f40be8dee81aeb2ce42c05405e1903de08a2c70a166f370a7142f916f91b79a965

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winlogon32.exe
    Filesize: 56KB
    MD5: 18a6ce8b4b65d96cd25e5d9052f135d7
    SHA1: aa17693a96a928069458facf79d5f2b9bd1b21f7
    SHA256: 4264386d61a9d6938f6ef76dd8bdd73f589b948e67b08d3334051429a3fffe1d
    SHA512: 8b9a269ac3984ff69b2bb7d0302ec288b208b76d3c190d0a3c07b03695a15f2648f0e322c6bfb82bdd36465e89ed47f87bf4a937dcdb20f4ed137f124de950cc