Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

41bfd3ed3e...62.exe

windows7-x64

10

41bfd3ed3e...62.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/01/2024, 19:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    41bfd3ed3e9f46a64045f646b9877a62.exe

  • Size

    480KB

  • MD5

    41bfd3ed3e9f46a64045f646b9877a62

  • SHA1

    044f4b5f9ad7571eccef8badd8040d74b5b22ce0

  • SHA256

    4687e6c0b22f4673584a2760d9856ed157f60478dee564e380bcae9ae0d0a9e7

  • SHA512

    a8c5c4278cfadf5458a0c2013f9630e6071dd84d61838978582c4a98dfbc9a3f2861a416df9602d5278545a2cbce487609004ccaa5f14e72e4565748c87a8c0e

  • SSDEEP

    12288:qlD20VBg4VerUbNHuYeSD20VBg4VerUbNHuYe:qlD2mgkHuYeSD2mgkHuYe

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 10 IoCs
    evasion
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\41bfd3ed3e9f46a64045f646b9877a62.exe
    "C:\Users\Admin\AppData\Local\Temp\41bfd3ed3e9f46a64045f646b9877a62.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4736
    • C:\Users\Admin\AppData\Roaming\lshss.exe
      C:\Users\Admin\AppData\Roaming\lshss.exe
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4456
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qtamg5mu.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4272
  • C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\HMOJHZPEHN.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\HMOJHZPEHN.exe:*:Enabled:Windows Messanger" /f
    1⤵
    • Modifies firewall policy service
    • Modifies registry key
    PID:4448
  • C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lshss.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lshss.exe:*:Enabled:Windows Messanger" /f
    1⤵
    • Modifies firewall policy service
    • Modifies registry key
    PID:3564
  • C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    1⤵
    • Modifies firewall policy service
    • Modifies registry key
    PID:3704
  • C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    1⤵
    • Modifies firewall policy service
    • Modifies registry key
    PID:2208
  • C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\HMOJHZPEHN.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\HMOJHZPEHN.exe:*:Enabled:Windows Messanger" /f
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3176
  • C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4000
  • C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lshss.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lshss.exe:*:Enabled:Windows Messanger" /f
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1104
  • C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2264
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES571A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5719.tmp"
    1⤵
      PID:4956

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES571A.tmp
      Filesize

      1KB

      MD5

      63678e13db285db1997540bd76eb671d

      SHA1

      2b6b5084bcb9eb8e20f2960934be3fb7628f6ae6

      SHA256

      f2ba780ffb899e379477f466d40fcac73711ac4c968a83abb1da97e7fb53adfb

      SHA512

      dc39db7a8e9b9161fc82fb647d9f9da83feefd08217e8d629e2265385d92f2451ab99f9758c69bc7d3ed5456c29aeaf3aa0fccdc269f8c7fb8481d7d3905e788

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\qtamg5mu.dll
      Filesize

      5KB

      MD5

      2a2158974a0fc4cd7971e4ffd68b4f62

      SHA1

      c2cef5e4074928b197a077f90a09ae1aac81c110

      SHA256

      30711a3bd4eb10af7b0473cf24f05e119f145b10a8988036d0c9e79243dc5d50

      SHA512

      7d1ad747a09c2ec4b2ba67a7df2820cb56d02fffc34022139656dcca5141148252a148135d4c393918e9e07ac56e5caa0f9900baf646dab58e20c6ee77da9a03

      Download Submit

    • C:\Users\Admin\AppData\Roaming\lshss.exe
      Filesize

      162KB

      MD5

      e55d381a87454ae5017d29034be8dc0f

      SHA1

      2094231584de417e5a33862da0abe9e0ddb4a815

      SHA256

      e124975fed421861082cee4323318c736624324328aefe744fc191fe2affe1a5

      SHA512

      66fc7ab2a48bc76de750bc13696d2e97136e4e0da9d1e6a56bbd3660c684e21002607edd3a857ad1c431a7dbe792b514ff8022ee86d9f74932513ec9acb944e8

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\CSC5719.tmp
      Filesize

      652B

      MD5

      1ed88f69a05309ccc36c31e34a54ee86

      SHA1

      f4ea9916ed08a33d80203862b7175fee9e5a0f86

      SHA256

      9dd67f2058b6dd605997c0961fac39e7157da8b0d7b9a3d796cc37a1b98feeb8

      SHA512

      dc1d59cc7d4499df2328e80d934d25c48b13b2b9441d47373483a630b631deecca512d3671b12a9660ed2f04e9e1669b519cf35df9522ed01dd5371a611386db

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\qtamg5mu.0.cs
      Filesize

      4KB

      MD5

      b63430207638c1a36b9b27002e0da3da

      SHA1

      54356082f32c71498c4ac5f85f4588e0d1c57ad0

      SHA256

      fa125ed8e48d596788a8ad5589bc996b918de3fc27008bea888b9e1b5efa2193

      SHA512

      29ea956fb37628dac43693d5f234698510923d562ab22e53131b1919f788ed5fd3116ed501be79554e47113d795b06f5ad255c7dfee2bb9e021eb0ab14e9b737

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\qtamg5mu.cmdline
      Filesize

      206B

      MD5

      8df003fc4b721bb82c29b7e3ac631988

      SHA1

      3e0b465aac8b14d757fb8e906b67361e6034dda8

      SHA256

      6ac6880d38669957a87112268289e2dd3a1c2677cbc8f9a0ff02deace3e9336a

      SHA512

      78736ec189c6ad77ef8409d06e68c288a8a4b2aff7c45e55a1fa46615cdfa9433626b36eb74acc8f1add7fa7253c084b3f634c9d3cb552749667c58e38d5591a

      Download Submit

    • memory/4272-9-0x0000000000950000-0x0000000000960000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4456-24-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/4456-47-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/4456-27-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/4456-35-0x0000000077B56000-0x0000000077B57000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4456-34-0x0000000077A60000-0x0000000077ADA000-memory.dmp

      Filesize

      488KB

      Download

    • memory/4456-33-0x0000000077590000-0x0000000077680000-memory.dmp

      Filesize

      960KB

      Download

    • memory/4456-70-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/4456-19-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/4456-63-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/4456-57-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/4456-36-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/4456-39-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/4456-43-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/4456-40-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/4456-45-0x0000000077A60000-0x0000000077ADA000-memory.dmp

      Filesize

      488KB

      Download

    • memory/4456-44-0x0000000077590000-0x0000000077680000-memory.dmp

      Filesize

      960KB

      Download

    • memory/4456-53-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/4456-50-0x0000000000400000-0x0000000000473000-memory.dmp

      Filesize

      460KB

      Download

    • memory/4736-26-0x0000000075240000-0x00000000757F1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4736-2-0x0000000075240000-0x00000000757F1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4736-0-0x0000000075240000-0x00000000757F1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4736-1-0x0000000001150000-0x0000000001160000-memory.dmp

      Filesize

      64KB

      Download