Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

4f5b142774...55.exe

windows7-x64

10

4f5b142774...55.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    10/01/2024, 02:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4f5b142774646ee49a0e64379cb5cf55.exe

  • Size

    108KB

  • MD5

    4f5b142774646ee49a0e64379cb5cf55

  • SHA1

    e3cbe137d5d9d0055aab6e27a0013a1d90df2d2e

  • SHA256

    95ff1da7b20a1c764bc69e6eb03957c06e909d25cb470db3b445cdf010f454d8

  • SHA512

    507598e3cef8e30f9885a6968cc5ec6f5c87fa5dbd533cca841a9774fc4f231b8828a90baa8139bf73c55982c4d664a1abeac85408e53e5efeb6c27d7ce39932

  • SSDEEP

    1536:fbJm3OA3Bdy2pMYPfodlK5Hc3rRy9sK47gBo2aKs:EOARvfGA47gB

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 5 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 5 IoCs
    evasion
  • Disables RegEdit via registry modification 10 IoCs
    evasion
  • Disables cmd.exe use via registry modification 5 IoCs
    evasion
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 20 IoCs
    persistence
  • Drops file in System32 directory 17 IoCs
  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f5b142774646ee49a0e64379cb5cf55.exe
    "C:\Users\Admin\AppData\Local\Temp\4f5b142774646ee49a0e64379cb5cf55.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      2⤵
        PID:2728
      • C:\Users\Admin\AppData\Local\smss.exe
        C:\Users\Admin\AppData\Local\smss.exe
        2⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Disables RegEdit via registry modification
        • Disables cmd.exe use via registry modification
        • Drops startup file
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2736
        • C:\Users\Admin\AppData\Local\winlogon.exe
          C:\Users\Admin\AppData\Local\winlogon.exe
          3⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Disables RegEdit via registry modification
          • Disables cmd.exe use via registry modification
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          PID:2924
        • C:\Windows\SysWOW64\at.exe
          at 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\6084-NendangBro.com"
          3⤵
            PID:1508
          • C:\Windows\SysWOW64\at.exe
            at /delete /y
            3⤵
              PID:1672
            • C:\Windows\SysWOW64\at.exe
              at 11:03 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\6084-NendangBro.com"
              3⤵
                PID:2260
              • C:\Users\Admin\AppData\Local\services.exe
                C:\Users\Admin\AppData\Local\services.exe
                3⤵
                • Modifies WinLogon for persistence
                • Modifies visibility of file extensions in Explorer
                • Modifies visiblity of hidden/system files in Explorer
                • Disables RegEdit via registry modification
                • Disables cmd.exe use via registry modification
                • Executes dropped EXE
                • Adds Run key to start application
                • Drops file in System32 directory
                • Drops file in Windows directory
                • Suspicious use of SetWindowsHookEx
                PID:1912
              • C:\Users\Admin\AppData\Local\lsass.exe
                C:\Users\Admin\AppData\Local\lsass.exe
                3⤵
                • Modifies WinLogon for persistence
                • Modifies visibility of file extensions in Explorer
                • Modifies visiblity of hidden/system files in Explorer
                • Disables RegEdit via registry modification
                • Disables cmd.exe use via registry modification
                • Executes dropped EXE
                • Adds Run key to start application
                • Drops file in System32 directory
                • Drops file in Windows directory
                • Suspicious use of SetWindowsHookEx
                PID:1484

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\br3951on.exe
            Filesize

            2KB

            MD5

            c604b27034c41f2bd78025d3f71428fd

            SHA1

            36f6c4d1167296fce2684b87cd78427f9be9d26d

            SHA256

            6b6bc6db416da348e731c17b3ea9073a3930eec44ba0c5dcfce493db450bee85

            SHA512

            24e0cb816ae002c584e3073f705f1f301708a79e439991c8b5870cdbeb411bca7b86cdf248d35415b59fb8ccea15ceef1c13c7ef5193092d0b3b16030b5c0e06

            Download Submit

          • C:\Users\Admin\AppData\Local\csrss.exe
            Filesize

            64KB

            MD5

            a4b2eb968445ede53f1d2af665c0ee4f

            SHA1

            af729809378cadb0513511fae7a58e2012490814

            SHA256

            634bed2d4ae0ff15f0226035869850ef213c3f61025b14ba4925ea4e59f94f94

            SHA512

            0c106b1fa8a63b119b3416512c3e3c1dd04ab7cbaef4151755d7d78be41e4d112ef738f2de3a51fb4a9299a824714e313ab05358a7e8ae8506f2d061eb2e7d09

            Download Submit

          • C:\Users\Admin\AppData\Local\svchost.exe
            Filesize

            42KB

            MD5

            4892a40c902248b55f45d4433491569f

            SHA1

            bf2b5aa351f27b67f9d393117479aeb61896d0f3

            SHA256

            e5522784caf1c21af901fdd9da331ac1476790f17590c1fd4e4fc45c8eb8f92e

            SHA512

            dca93c6269f2dc4b8f1d581eb84e48d014e275eca6f5a909f7f24c5873726afc226ef9a74068dd5c45f69cbc56cd462a69581908c63230221612aca7f304990a

            Download Submit

          • C:\Windows\SysWOW64\cmd-bro-ikx.exe
            Filesize

            76KB

            MD5

            d694565625e97ad1808aa1e1e6e1beb3

            SHA1

            0bdd4239779dc367d8a71212472301bc8fd80649

            SHA256

            e58280e394cf47ebcfceeb66017ff6288280bdb0f0280dc41e9bcf477b72d6db

            SHA512

            f3d8745661b5bf461699a5fad96409c16550f1d4c229b1a3cf80025bc711780e519b196d18c0493b6fc08986468275dd3c12eaf53c06e7b7152757b4f05768d1

            Download Submit

          • C:\Windows\SysWOW64\sistem.sys
            Filesize

            10B

            MD5

            18d66f5bb829b46ba31fec38dc8edc02

            SHA1

            6331b61b52b9e3652ac4d397507cd5dfd91fb272

            SHA256

            718570acc49ac85ce98832363678da3722b2161a73bbac7610d85e2cedb1dffc

            SHA512

            544cc0010a3323f3c3248fb248c93486d0cd396ee574eb16af98a4e47024b1c975147c6ff1c905a5f85287134163ab1ac0ffd03dc8ab1d90d91da3c241a47c87

            Download Submit

          • C:\Windows\sembako-cfzjkih.exe
            Filesize

            108KB

            MD5

            4f5b142774646ee49a0e64379cb5cf55

            SHA1

            e3cbe137d5d9d0055aab6e27a0013a1d90df2d2e

            SHA256

            95ff1da7b20a1c764bc69e6eb03957c06e909d25cb470db3b445cdf010f454d8

            SHA512

            507598e3cef8e30f9885a6968cc5ec6f5c87fa5dbd533cca841a9774fc4f231b8828a90baa8139bf73c55982c4d664a1abeac85408e53e5efeb6c27d7ce39932

            Download Submit

          • memory/1484-189-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1484-223-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1912-222-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1912-147-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2156-220-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2156-0-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2156-41-0x0000000000770000-0x00000000007B0000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2156-44-0x0000000000770000-0x00000000007B0000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2736-186-0x0000000002780000-0x00000000027C0000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2736-43-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2736-94-0x0000000002780000-0x00000000027C0000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2736-97-0x0000000002780000-0x00000000027C0000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2736-219-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2924-221-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2924-98-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download