Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

5ca0de97d4...b5.exe

windows7-x64

10

5ca0de97d4...b5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    158s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/01/2024, 09:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5ca0de97d42ea910381b8527612adab5.exe

  • Size

    1.0MB

  • MD5

    5ca0de97d42ea910381b8527612adab5

  • SHA1

    923ea5a3367898223b6ef6fec311991d1596f3c7

  • SHA256

    04c4176ba82afc4749e1ffefed306badc56caf687b102d2917606e7445393d76

  • SHA512

    82daa9a14d74ed40f3403a7650f8e82aba02fa9191e53dc5ff1adf3f928092ed442a01c1623da147ff2f57f053f09910f35fdbadf7b2f8c8471b8ab6f5a83c5a

  • SSDEEP

    3072:Cqu7aslM9lhLElGtSIs48417nFdcQ4FdHLDC62ftOS2N:CqrK

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 18 IoCs
    evasion
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 15 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
    stealer
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ca0de97d42ea910381b8527612adab5.exe
    "C:\Users\Admin\AppData\Local\Temp\5ca0de97d42ea910381b8527612adab5.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3724
    • C:\Users\Admin\E696D64614\winlogon.exe
      "C:\Users\Admin\E696D64614\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Users\Admin\E696D64614\winlogon.exe
        "C:\Users\Admin\E696D64614\winlogon.exe"
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Sets file execution options in registry
        • Executes dropped EXE
        • Windows security modification
        • Checks whether UAC is enabled
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:3800
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
      PID:528
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4728
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4728 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4048

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    2
    T1543

    Windows Service

    2
    T1543.003

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    2
    T1543

    Windows Service

    2
    T1543.003

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Hide Artifacts

    2
    T1564

    Hidden Files and Directories

    2
    T1564.001

    Impair Defenses

    3
    T1562

    Disable or Modify Tools

    3
    T1562.001

    Modify Registry

    11
    T1112

    Credential Access

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
      Filesize

      2KB

      MD5

      e6ac57e8aacfc97c04c86d0aee61b4cc

      SHA1

      f5c17d4c0b36afc7d69e1c3ecc4f60e0e9e0d793

      SHA256

      d612754cc8550c6f59652c7aaa9cedf5b29fa6e87020db1dc20eb74debb66e9d

      SHA512

      765b7532b332c480a7c00ff2217182b39323e9d96302b8360097fd4a2e00f14c95eaaadb21b7ced0016b357f7f07cd3221780f2f97b779dbe68e945031c4b6e3

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
      Filesize

      488B

      MD5

      0ceb290e943615b1639c3a8cdef9aaa5

      SHA1

      c8217f8e948d42e1b8881bd73cb3c347646bac77

      SHA256

      a708d3930d79f1ada268c54493afdb0ec0836bce5b8e6e1d273afe5a3607dca9

      SHA512

      880e551eb188e7ee1a6eab2161534bb875477a4ea53cc46d81dd4d6682cc03278ac4eb321a91c66cc2b8efbb4288beea83ad771a26afd24ab36e35254856399a

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\US0YGSNM\www.google[1].xml
      Filesize

      98B

      MD5

      4c985b40b5d75a9675d1453db9d85c49

      SHA1

      ce90f6596003bcda33a2ca33e253e72b9968c8cd

      SHA256

      1fe172981f17fe76fd9a54c05b19dc4189ba6bc9939cdf7b3f8c303c64960fc6

      SHA512

      338b1bcd76aaae2273d049169eb2ff14c46da74110c9bacf5e41f39eacfb66b3b499bc0cefab8949a90258eb3093a39315aa1c01d3ba809712bc5f1e352a0fe5

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\L3T8W3B4\jquery.min[1].js
      Filesize

      84KB

      MD5

      c9f5aeeca3ad37bf2aa006139b935f0a

      SHA1

      1055018c28ab41087ef9ccefe411606893dabea2

      SHA256

      87083882cc6015984eb0411a99d3981817f5dc5c90ba24f0940420c5548d82de

      SHA512

      dcff2b5c2b8625d3593a7531ff4ddcd633939cc9f7acfeb79c18a9e6038fdaa99487960075502f159d44f902d965b0b5aed32b41bfa66a1dc07d85b5d5152b58

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\L3T8W3B4\o-0mIpQlx3QUlC5A4PNB6Ryti20_6n1iPHjcz6L1SoM-jCpoiyAaBO9a6VQ[1].woff
      Filesize

      16KB

      MD5

      dd6fe4c6f321f39c750ee024b38bc1c6

      SHA1

      192f09d9b27fd7518a7b2cc7ba503d6f83c68307

      SHA256

      d2de7fbc083f058b6c7eeb6985a1d24e46e5e9be3aebf0f2d3b26204fc7edd94

      SHA512

      e677bce8d3920d2e755c9fb80a6a96922c5504ecf06b5a650787a22f29d5f39b2c37ca336bdca41b25b71d36caec21dac78d855e0819435165d3771701ca45a4

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\L3T8W3B4\o-0mIpQlx3QUlC5A4PNB6Ryti20_6n1iPHjcz6L1SoM-jCpoiyD9A-9a6VQ[1].woff
      Filesize

      16KB

      MD5

      d22f975c52faaf5f561bcf90641485d4

      SHA1

      4092103795efeb56b3cf83a69d1f215771ac651d

      SHA256

      08cccd7191ddeadbb2ac3f16aaf5e3a0b65d2477fdb5a33e3b17d1bee9501d6c

      SHA512

      b85b99e957dc5ffc88b3ef14d14b7b7738e1210c01decc249fbb4a5274baa928b6d81e652244572e45ac162aa4616b0a0c607d59a01b01303e572ac3bce03382

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\L3T8W3B4\responsive[1].css
      Filesize

      66KB

      MD5

      781608aaede6e759fe48d7967b0a6c53

      SHA1

      bc595134b15c604ec6d42dded9f6d167d94084ac

      SHA256

      7371dd376a195424e3df2ee7877a045a2d60c307b3b3a119789c7160b7c21b92

      SHA512

      0eadd4bd38115eee3db9c62508143e7b93b5ff5fc5f8f05489af21c6499ccfc9e741d4de740e75ab933a32de2a1ca5cce7777a60b015ba53e503196e75bd0c71

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\L3T8W3B4\style[1].css
      Filesize

      165KB

      MD5

      65760e3b3b198746b7e73e4de28efea1

      SHA1

      1d1a2cce09b28cffc89378b0a60cbb1aa8a08c4f

      SHA256

      10e40ea3a2ad69c08d13e194cf13eb4a28a093c939758a17a6a775ef603ac4fc

      SHA512

      fbcb91f26b7bd874d6a6a3b1d4d6f7277ded091cdae5706c285b4d5d17446a1bf58572c224af38393ce49b310a51d5c5d60711c7094e5d32abbaaf10d1107e1b

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M8F18HYR\api[1].js
      Filesize

      850B

      MD5

      3b2e99294f82f2ba64c2ca33c8b607e1

      SHA1

      991dabc70bbdc7e83b422f16044866e286bba07f

      SHA256

      5c233ff100be4a898501dd4838cca4ecf914eb5926cc287416793208eed9d151

      SHA512

      ce5f2e9e1caef7b744767386e8e10273703d6856590b6b8f812ee73fc4aaa53319f12b8c42ce087448ebf11766dd27ed8376786d741a8ebc37c24450a9545e67

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M8F18HYR\d[1]
      Filesize

      23KB

      MD5

      ef76c804c0bc0cb9a96e9b3200b50da5

      SHA1

      efadb4f24bc5ba2d66c9bf4d76ef71b1b0fde954

      SHA256

      30024e76936a08c73e918f80e327fff82ee1bd1a25f31f9fce88b4b4d546055d

      SHA512

      735b6470e4639e2d13d6b8247e948dbd6082650902a9441b439ceacc4dfce12cd6c9840ee4c4dcb8a8f1e22adb80968f63ace0c0051811a8d6d1afb2b3c68d74

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M8F18HYR\p[1].css
      Filesize

      5B

      MD5

      83d24d4b43cc7eef2b61e66c95f3d158

      SHA1

      f0cafc285ee23bb6c28c5166f305493c4331c84d

      SHA256

      1c0ff118a4290c99f39c90abb38703a866e47251b23cca20266c69c812ccafeb

      SHA512

      e6e84563d3a55767f8e5f36c4e217a0768120d6e15ce4d01aa63d36af7ec8d20b600ce96dcc56de91ec7e55e83a8267baddd68b61447069b82abdb2e92c6acb6

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WHUIQOC9\analytics[1].js
      Filesize

      51KB

      MD5

      575b5480531da4d14e7453e2016fe0bc

      SHA1

      e5c5f3134fe29e60b591c87ea85951f0aea36ee1

      SHA256

      de36e50194320a7d3ef1ace9bd34a875a8bd458b253c061979dd628e9bf49afd

      SHA512

      174e48f4fb2a7e7a0be1e16564f9ed2d0bbcc8b4af18cb89ad49cf42b1c3894c8f8e29ce673bc5d9bc8552f88d1d47294ee0e216402566a3f446f04aca24857a

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WHUIQOC9\counter[1].js
      Filesize

      40KB

      MD5

      9e33acb5cab6802df44887bd6df31416

      SHA1

      f96f235aeccf43da8e795c291f3a3c1390d8f377

      SHA256

      ca02d1a91f43d6b8c5d8d127d04e95afb736ae1779577bde0a6f0641cc4f4893

      SHA512

      a6cd85df3e64c7b7b462dd07025563f5ccf4c8b98394ba0d31e9705fc933ee89e1c13874b11f428c090179ebc70bfbe2728a92a8b56fa5a58253cbb7793fe333

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WHUIQOC9\css[1].css
      Filesize

      530B

      MD5

      0a127ad39a8ebe4207492293b556adf6

      SHA1

      17d3dad64e4f9139cfb85bbcca6659a8aa532a48

      SHA256

      c1294965425b5028a83bbe5eeed0cd9b92733ec41efd07e34532522d4c97b6e1

      SHA512

      5aa845c5c6c20259d9c6bc0c9fdbd13ff178ba4008865f7113387767db0ad39cd53c1d276cfa4997186fd39f21d30bf00caf8d092e5c04119d992368b1563df3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WHUIQOC9\jquery.fancybox.min[1].css
      Filesize

      12KB

      MD5

      a2d42584292f64c5827e8b67b1b38726

      SHA1

      1be9b79be02a1cfc5d96c4a5e0feb8f472babd95

      SHA256

      5736e3eec0c34bfc288854b7b8d2a8f1e22e9e2e7dae3c8d1ad5dfb2d4734ad0

      SHA512

      1fd8eb6628a8a5476c2e983de00df7dc47ee9a0501a4ef4c75bc52b5d7884e8f8a10831a35f1cdbf0ca38c325bf8444f6914ba0e9c9194a6ef3d46ac348b51cb

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Z0UNWU5J\js[1].js
      Filesize

      188KB

      MD5

      fb229d0c88463669637bdf6305f6aef6

      SHA1

      72f318b91935147c6cc54b07440ebbc2344ee3a0

      SHA256

      1ae086f9ba24307c9d02bfab407fd6365bd9eccc110b4996d13f7b9ddaaabf09

      SHA512

      27bad8d15b9e012822c41397a8b02cecbc2f3963960957781aa8ee6f1c51d211be0aff5b88558713d2a3fa845f9f14208ee745bfde9b9a4ddd0d871380d5b529

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Z0UNWU5J\js[2].js
      Filesize

      243KB

      MD5

      e2687f3d7ed890f2f7a35e99806841da

      SHA1

      77b3513743c4ab3a8af5f54a0593b109d94d9ec3

      SHA256

      708ca908db57428633e5e647be65f6edc015205aed4e05692f02161e682ed830

      SHA512

      62dbf3aeb64dc7b4f3749d01b54aa1d292d1cef89a4617d54265085617ba7dd2907e31305153f912f2178b2e79bbf4c5fcbf13632d33def143f192d1b9fd77fc

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Z0UNWU5J\reboot.min[1].css
      Filesize

      3KB

      MD5

      51b8b71098eeed2c55a4534e48579a16

      SHA1

      2ec1922d2bfaf67bf3ffabe43a11e3bf481dc5d7

      SHA256

      bd78e3bcc569d029e7c709144e4038dede4d92a143e77bc46e4f15913769758b

      SHA512

      2597223e603e095bf405998aacd8585f85e66de8d992a9078951dd85f462217305e215b4828188bf7840368d8116ed8fb5d95f3bfab00240b4a8ddab71ac760d

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Z0UNWU5J\recaptcha__en[1].js
      Filesize

      502KB

      MD5

      37c6af40dd48a63fcc1be84eaaf44f05

      SHA1

      1d708ace806d9e78a21f2a5f89424372e249f718

      SHA256

      daf20b4dbc2ee9cc700e99c7be570105ecaf649d9c044adb62a2098cf4662d24

      SHA512

      a159bf35fc7f6efdbe911b2f24019dca5907db8cf9ba516bf18e3a228009055bcd9b26a3486823d56eacc391a3e0cc4ae917607bd95a3ad2f02676430de03e07

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Z0UNWU5J\script[1].js
      Filesize

      9KB

      MD5

      defee0a43f53c0bd24b5420db2325418

      SHA1

      55e3fdbced6fb04f1a2a664209f6117110b206f3

      SHA256

      c1f8e55b298dc653477b557d4d9ef04951b3b8ba8362a836c54e2db10cda4d09

      SHA512

      33d1a6753a32ec06dcfc07637e9654af9321fe9fa2590efc70893eb58c8603505f2be69084fb2bcbf929218c4e7df9f7a8bc3f17a5b41ed38c4d8645296ebab5

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Z0UNWU5J\suggestions[1].en-US
      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Z0UNWU5J\zyw6mds[1].css
      Filesize

      1KB

      MD5

      4c2e266587bb622926747856f9bdb65d

      SHA1

      16999e0d2a01b96b70a0ef191461388c5047f1ed

      SHA256

      cfddcd1ab28963d8219ef42d0b455b1e062521bfe7b100d4c47e0b9dd0a79023

      SHA512

      c9526cd6537aa068b48641fd2dfb93843fc5f535faa4cd856d4d3427c8f1e97d79c969215a9291fd50a96597c43dba3c45a3fe2ad32c78677e38f93dbfc32ca0

      Download Submit

    • C:\Users\Admin\E696D64614\winlogon.exe
      Filesize

      1.0MB

      MD5

      5ca0de97d42ea910381b8527612adab5

      SHA1

      923ea5a3367898223b6ef6fec311991d1596f3c7

      SHA256

      04c4176ba82afc4749e1ffefed306badc56caf687b102d2917606e7445393d76

      SHA512

      82daa9a14d74ed40f3403a7650f8e82aba02fa9191e53dc5ff1adf3f928092ed442a01c1623da147ff2f57f053f09910f35fdbadf7b2f8c8471b8ab6f5a83c5a

      Download Submit

    • memory/3724-0-0x0000000000400000-0x0000000000443000-memory.dmp

      Filesize

      268KB

      Download

    • memory/3800-35-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3800-27-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3800-40-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3800-22-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3800-215-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3800-21-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3800-18-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3800-63-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

      Download