Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

41bfd3ed3e...62.exe

windows7-x64

10

41bfd3ed3e...62.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    04/01/2024, 19:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    41bfd3ed3e9f46a64045f646b9877a62.exe

  • Size

    480KB

  • MD5

    41bfd3ed3e9f46a64045f646b9877a62

  • SHA1

    044f4b5f9ad7571eccef8badd8040d74b5b22ce0

  • SHA256

    4687e6c0b22f4673584a2760d9856ed157f60478dee564e380bcae9ae0d0a9e7

  • SHA512

    a8c5c4278cfadf5458a0c2013f9630e6071dd84d61838978582c4a98dfbc9a3f2861a416df9602d5278545a2cbce487609004ccaa5f14e72e4565748c87a8c0e

  • SSDEEP

    12288:qlD20VBg4VerUbNHuYeSD20VBg4VerUbNHuYe:qlD2mgkHuYeSD2mgkHuYe

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 8 IoCs
    evasion
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\41bfd3ed3e9f46a64045f646b9877a62.exe
    "C:\Users\Admin\AppData\Local\Temp\41bfd3ed3e9f46a64045f646b9877a62.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2500
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yxoxoicw.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC51.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC50.tmp"
        3⤵
          PID:2788
      • C:\Users\Admin\AppData\Roaming\lshss.exe
        C:\Users\Admin\AppData\Roaming\lshss.exe
        2⤵
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3000
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\HMOJHZPEHN.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\HMOJHZPEHN.exe:*:Enabled:Windows Messanger" /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2592
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2764
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lshss.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lshss.exe:*:Enabled:Windows Messanger" /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2644
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2704
    • C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      1⤵
      • Modifies firewall policy service
      • Modifies registry key
      PID:2660
    • C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\HMOJHZPEHN.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\HMOJHZPEHN.exe:*:Enabled:Windows Messanger" /f
      1⤵
      • Modifies firewall policy service
      • Modifies registry key
      PID:1604
    • C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      1⤵
      • Modifies firewall policy service
      • Modifies registry key
      PID:1528
    • C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lshss.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lshss.exe:*:Enabled:Windows Messanger" /f
      1⤵
      • Modifies firewall policy service
      • Modifies registry key
      PID:1628

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RESC51.tmp
      Filesize

      1KB

      MD5

      ff3611e70c8072e02c4e8bef8d27b34d

      SHA1

      2e3ff2dcea68a8ca2baa6c05d6b8a9497e91dc99

      SHA256

      e259d2268dd2b49b344e8e531d94291774ae65d3b58343af45da1a90531905e0

      SHA512

      09512c0b92beb7afd385ff2730964a1e3a582d50a1a172094830785c23c16e2e9184def15f4744a8009ef7be97b1d138926ef43f3ce3fd652dfb9b11df599344

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\yxoxoicw.dll
      Filesize

      5KB

      MD5

      9cf612a4df1eba401b6267461f46b480

      SHA1

      681316acc36eba8927898dcc63b367e52dd41dd2

      SHA256

      3156746f73526fc229767910aeb4f67519569be2583b48e24751c3eee263acd4

      SHA512

      5b1b35e661a7d7046760dbe007fb017da83dae81c5508ab8dba02081601fa0a405d9ec59235e0b0f5103d95a7d740177f0e30788f42137d20ca166f7931d6f05

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\CSCC50.tmp
      Filesize

      652B

      MD5

      ad550628040ec6040cf996ce91c4ba26

      SHA1

      b7abb5c6a11e40e7c7c8977125e8ebc4fdd9a082

      SHA256

      ca1b0c1e178732627da4e1aef1e70d8812ce8fd694d518d5c2b701fb5d15edd4

      SHA512

      4f19d01d7b7e04d23bad6b7d55b11346b70b796ede94d20b0a7c9811d0be1a8d160687dda56bd21570aa9a214d071955edc7e263d156a063d96cd6b5e531dde0

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\yxoxoicw.0.cs
      Filesize

      4KB

      MD5

      b63430207638c1a36b9b27002e0da3da

      SHA1

      54356082f32c71498c4ac5f85f4588e0d1c57ad0

      SHA256

      fa125ed8e48d596788a8ad5589bc996b918de3fc27008bea888b9e1b5efa2193

      SHA512

      29ea956fb37628dac43693d5f234698510923d562ab22e53131b1919f788ed5fd3116ed501be79554e47113d795b06f5ad255c7dfee2bb9e021eb0ab14e9b737

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\yxoxoicw.cmdline
      Filesize

      206B

      MD5

      786996a810b9cdbd50ac0e7c434dc1dd

      SHA1

      5fb4dbacf3f0f67f8e901dd28381671026bac12b

      SHA256

      884f55dcc526a38ac143b20cb54bcd86888494e94dfdf573bc37bbf18905b451

      SHA512

      e50b789e8fe8dca5706ca75146f7d5f1a5e1897736ba5a70dcb6ae37f7d3e7fea6aed55894ddf0096c4e7ede4dbcf9e802f6d99cbcdb06da1fe03b90da8936b2

      Download Submit

    • \Users\Admin\AppData\Roaming\lshss.exe
      Filesize

      162KB

      MD5

      e55d381a87454ae5017d29034be8dc0f

      SHA1

      2094231584de417e5a33862da0abe9e0ddb4a815

      SHA256

      e124975fed421861082cee4323318c736624324328aefe744fc191fe2affe1a5

      SHA512

      66fc7ab2a48bc76de750bc13696d2e97136e4e0da9d1e6a56bbd3660c684e21002607edd3a857ad1c431a7dbe792b514ff8022ee86d9f74932513ec9acb944e8

      Download Submit

    • memory/2500-34-0x0000000074850000-0x0000000074DFB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2500-2-0x0000000002010000-0x0000000002050000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2500-1-0x0000000074850000-0x0000000074DFB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2500-0-0x0000000074850000-0x0000000074DFB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3000-44-0x0000000075180000-0x0000000075290000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3000-35-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3000-31-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3000-27-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3000-23-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3000-37-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3000-25-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3000-47-0x0000000075730000-0x00000000757D0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3000-46-0x00000000777A1000-0x00000000777A2000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3000-45-0x0000000075730000-0x00000000757D0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3000-36-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3000-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3000-48-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3000-49-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3000-51-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3000-50-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3000-52-0x0000000075180000-0x0000000075290000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3000-54-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3000-55-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3000-58-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3000-62-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3000-63-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/3000-66-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download