Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/01/2024, 21:55

General

  • Target

    72f2c0d0219a96d4d58e2b2318488ed4.exe

  • Size

    1.5MB

  • MD5

    72f2c0d0219a96d4d58e2b2318488ed4

  • SHA1

    e6b5dd941ce68bb1e4f4e034499cc0659e106a2c

  • SHA256

    e7548b46d7f8fd80168a791e02954e884e822518461a255608339d1c27f2eba1

  • SHA512

    45729283436c548acd6b2510748091560c5a1e6b51c00c8078327c86370e6340298bf8e73c91bd9214d0648b38be68ba5584374f7957f49fb162b8a605d9403b

  • SSDEEP

    24576:IQtwG88Y4oykSHC+IAW3kp+dpLB0rHi2Y0GQzTVxYrNZj8/qKDV:IADZY5ykeC+IAW3kypN0rC2KKVxqWDV

Score
7/10
upx

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
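
The "UPX packed file" and "AutoIT Executable" signatures above are static checks on the dropped and loaded images. The following is an added example of the same two checks, written for this page (it is not Triage's rule logic and not code from the sample's authors): it walks the PE section table by hand, flags UPX-named sections, reports per-section entropy so that a renamed-section ("modified UPX") build still stands out, and looks for the AU3!EA06 marker that compiled AutoIt3 scripts carry in front of their script resource. The marker string, the section-name list and build_pe(), which assembles a minimal header-only PE for an offline self-test, are assumptions of the example, not values taken from this report.

```python
"""Static checks behind the 'UPX packed file' and 'AutoIT Executable' signatures.
Added example for this page; not Triage's rule code."""
import math
import struct
import sys

# Assumption: section names UPX emits by default (renamed sections evade this).
UPX_SECTION_PREFIXES = (b"UPX0", b"UPX1", b"UPX2", b"UPX!")
# Assumption: marker preceding the script resource in compiled AutoIt3 binaries.
AU3_MARKER = b"AU3!EA06"


def pe_sections(data: bytes):
    """Return [(name, raw_offset, raw_size)] by parsing the PE headers directly,
    so the check needs no third-party PE library. Raises ValueError on non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size              # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        hdr = table + i * 40
        if hdr + 40 > len(data):
            break                             # truncated table: stop, don't guess
        name = data[hdr:hdr + 8].rstrip(b"\0")
        raw_size, raw_off = struct.unpack_from("<II", data, hdr + 16)
        sections.append((name, raw_off, raw_size))
    return sections


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted data sits near 8.0."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan(data: bytes) -> dict:
    """Apply the three checks and return a small verdict dict."""
    per_section = {name: entropy(data[off:off + size])
                   for name, off, size in pe_sections(data)}
    return {
        "upx": any(n.startswith(UPX_SECTION_PREFIXES) for n in per_section),
        "max_entropy": max(per_section.values(), default=0.0),
        "autoit": AU3_MARKER in data,          # whole-file search: marker may sit in a resource
    }


def build_pe(sections) -> bytes:
    """Constructed test input: a minimal PE32 whose headers are just complete
    enough for pe_sections() to walk. It is not loadable and only exists so the
    example can be run offline without a real sample."""
    e_lfanew, opt_size = 0x40, 0xE0
    hdr_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_base = (hdr_end + 0x1FF) & ~0x1FF      # 512-byte file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table, blobs, off = b"", b"", raw_base
    for name, raw in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(raw), 0x1000, len(raw), off) + b"\0" * 16
        blobs += raw
        off += len(raw)
    image = dos + b"PE\0\0" + coff + opt + table
    return image + b"\0" * (raw_base - len(image)) + blobs


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(scan(open(sys.argv[1], "rb").read()))
    else:  # self-test on a constructed image that is UPX-named and carries the marker
        demo = build_pe([(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 16),
                         (b".rsrc", AU3_MARKER + b"\0" * 64)])
        print(scan(demo))
```

Run it as `python upxcheck.py <file>` on a dropped image, or with no argument for the self-test. One caveat that matters for this sample: while the file is still UPX-compressed the AutoIt marker lives inside the compressed section, so the name/entropy checks fire first and the marker only surfaces after unpacking (`upx -d`) or in a memory dump such as the ones listed at the end of this report.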

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
    PID:424

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1252

    • C:\Users\Admin\AppData\Local\Temp\72f2c0d0219a96d4d58e2b2318488ed4.exe
      "C:\Users\Admin\AppData\Local\Temp\72f2c0d0219a96d4d58e2b2318488ed4.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2532

      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /C 1.bat
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2732

        • C:\ProgramData\Ksn\KSWebShield.exe
          KSWebShield.exe -install
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2784

        • C:\ProgramData\Ksn\KSWebShield.exe
          KSWebShield.exe -start
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2092

      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\1.bat
        3⤵
        PID:1128

  • C:\ProgramData\Ksn\KSWebShield.exe
    C:\ProgramData\Ksn\KSWebShield.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2024

    • C:\ProgramData\Ksn\KSWebShield.exe
      C:\ProgramData\Ksn\KSWebShield.exe -run
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:2548
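
The tree above is the behavioural core of the report: the sample writes 1.bat to its Temp directory, runs it through cmd.exe, and the batch file starts the dropped C:\ProgramData\Ksn\KSWebShield.exe with -install and then -start; a further KSWebShield.exe instance then appears as a depth-1 root with no recorded parent and spawns itself with -run. As an added example (my code, not Triage's and not the sample's), here is that tree rebuilt as process-creation events with two detection rules run over them. The events are constructed from the tree, not exported logs; depth-1 roots get ppid 0 because the page shows no parent for them; and reading -install/-start as a persistence step is an inference from the switch names, since the page shows the KWSSVC.log file but no service name or registry key.

```python
"""Detection logic derived from the process tree above. Added example for this
page; the events are constructed from the tree, not exported from Triage."""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\72f2c0d0219a96d4d58e2b2318488ed4.exe"
KSWS = r"C:\ProgramData\Ksn\KSWebShield.exe"

# Constructed from the tree. Depth-1 roots (winlogon, Explorer, the 2024
# KSWebShield instance) have no parent in the report, so ppid is 0 for them.
EVENTS = [
    Event(424, 0, r"C:\Windows\system32\winlogon.exe", "winlogon.exe"),
    Event(1252, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Event(2532, 1252, SAMPLE, f'"{SAMPLE}"'),
    # Image is SysWOW64\cmd.exe although the command line names system32:
    # WoW64 file-system redirection, which implies the parent is a 32-bit process.
    Event(2732, 2532, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /C 1.bat"),
    Event(2784, 2732, KSWS, "KSWebShield.exe -install"),
    Event(2092, 2732, KSWS, "KSWebShield.exe -start"),
    Event(1128, 2532, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c C:\Users\Admin\AppData\Local\Temp\1.bat"),
    Event(2024, 0, KSWS, KSWS),
    Event(2548, 2024, KSWS, KSWS + " -run"),
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
PROGRAMDATA_RE = re.compile(r"^[A-Z]:\\ProgramData\\", re.IGNORECASE)
BAT_RE = re.compile(r"[\w.-]+\.bat\b", re.IGNORECASE)
# Switches the dropped binary was run with. Treating them as an install step is
# an inference from their names; the page shows KWSSVC.log but no service name.
INSTALL_SWITCHES = {"-install", "-start"}


def ancestry(events, pid):
    """Walk ppid links upward; stops at unknown parents and guards against cycles."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def detect(events):
    """Return (pid, rule, cmdline) for each event matching one of two rules."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # Rule 1: cmd.exe running a .bat that lives in the user's Temp directory,
        # or is given as a bare name while the parent itself executes from Temp
        # (the sample ran "cmd.exe /C 1.bat" relative to its own directory).
        if e.image.lower().endswith("\\cmd.exe") and BAT_RE.search(e.cmdline):
            if TEMP_RE.search(e.cmdline) or (parent and TEMP_RE.search(parent.image)):
                findings.append((e.pid, "batch-from-temp", e.cmdline))
        # Rule 2: a binary under ProgramData run with an install-style switch
        # while an executable from Temp sits somewhere in its ancestry.
        args = {a.lower() for a in e.cmdline.split()[1:]}
        if PROGRAMDATA_RE.match(e.image) and args & INSTALL_SWITCHES:
            if any(TEMP_RE.search(a.image) for a in ancestry(events, e.ppid)):
                findings.append((e.pid, "programdata-install-from-temp", e.cmdline))
    return findings


if __name__ == "__main__":
    for pid, rule, cmd in detect(EVENTS):
        print(f"{pid:>5}  {rule:<32} {cmd}")
```

Against the constructed events this flags the two cmd.exe invocations (2732 and 1128) and the -install/-start launches (2784 and 2092); the parentless 2024/2548 pair is deliberately not matched, because nothing on the page ties it back to the dropper except the path. Match on the cmd.exe file name rather than its directory: under WoW64 a 32-bit parent gets SysWOW64\cmd.exe whatever path its command line names.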

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\ProgramData\Ksn\1.bat

          Filesize

          50B

          MD5

          461f5f7c86789523ff09ca0abfe7b890

          SHA1

          0dcc8a8b9d3c5dc709c69f6ac5cf24f1a302ca01

          SHA256

          8bab8122f6ea4defd7648e8ea4d91defb8813bd2111535f6e42441db21cbbd01

          SHA512

          e9d5b9ebb88c82174ccfde778039ee8dcb6c98e6d511c748829144c8f1ecf07fc5dfcd20436b25eff20841ec08fcdfb7c66ae4f0ae103169214c9d830adc4188

        • C:\ProgramData\Ksn\KWSSVC.log

          Filesize

          202B

          MD5

          fd9cbd5e18719dd5000d5f4e203cb258

          SHA1

          d10dbafece88ee1be1c875c7bfb79ec5c0b7f3d0

          SHA256

          258faef5532717c64bb866aa8367657c39297f5801ea8b820a55ca88ca55cbb6

          SHA512

          67388816f672c952bab3081c22ef00070158d5ca34bc3f53a034e1e4b5992f2cd720a2da69fb03a64fef7dbac8ba29409d89538d6d3be225761cb298b37076ad

        • C:\ProgramData\Ksn\KWSSVC.log

          Filesize

          296B

          MD5

          4824ed167a767c74e38c297ead0361ae

          SHA1

          494364946b6cbbf693b2af114892079bce935bb4

          SHA256

          e486360e0a92b7c9843e9c252fc14843faba9125deffcff2556d86cc65658e5f

          SHA512

          db25092c3ca81a8d50076029517eead0d253c6246b44b165af32d8616ea8617d0db9288b4ad2ff91f2e9e67feb04d41ccd62505acd752920ff16a41882c84bd8

        • C:\ProgramData\Ksn\KWSSVC.log

          Filesize

          546B

          MD5

          5e371e37045b5fd98ced7b74b8dedd8e

          SHA1

          51968a3a416fbdf146a43466bf73d2bcf81dce0a

          SHA256

          88dea586e436c689b4c2cba4ed67975520a27785bb95a05b4be7870b9e60f559

          SHA512

          6408e73a862bca5c933594bf412cc3b7bb1a96afdba0d0918d4ee63c316c8f80625aaeb2ad59d1ca9c49904e48a25699ee3a3352a30ace42f53c9d87fb16a2b3

        • C:\ProgramData\Ksn\kwssp.dll

          Filesize

          633KB

          MD5

          8c8dc085ab24bd23b77f146c78c8ff14

          SHA1

          3c01f9a5338fec055dd2fea36e468d160420a0b8

          SHA256

          ee50170b1c1829b98b647ea81d286f8a3630de1737be914ea02c409f1da1c217

          SHA512

          4754af26541d1737c8bae42a89c16570618b5bb5a44a4812f5e9819c852a2c6e235a9111bae98008037e94c614f4aabcf5166d041dce6e16be30683e80a1990c

        • C:\ProgramData\kingsoft\kws\kws.ini

          Filesize

          57B

          MD5

          dfb202edae2fbb1c1566fee62e1e1535

          SHA1

          32ef53037441b6956d432d8d219071435b747ee6

          SHA256

          90572957c29b8bd17203c5cb2c03c682b303c8a3252cea17939e8db953fd2368

          SHA512

          26d4b1ffc43aa8966133c433c0403549d4495e04f33b1e3706f48152042124d0ab18806a6e28afd9ef524d221aeadf4204be06433338d5e811cac4dfd8974b3f

        • C:\ProgramData\kingsoft\kws\kws.ini

          Filesize

          446B

          MD5

          186a37ecc97bacb5f2e07c3b229d9860

          SHA1

          250d11778172d6c482719cb3232e1e927ad37344

          SHA256

          272085c1329a1f4994f608059155f75753b3ffa8cf78d51b29555244a00691a2

          SHA512

          ed897ae28126f721204aa47898524d4ad6827e87f689fced7ee1506b02389abaef818242e7accc96178737bdb8551526051203a91bb3aa59fd074a73bed2e92a

        • C:\ProgramData\kingsoft\kws\spitesp.dat

          Filesize

          71B

          MD5

          68e770ef3116fb6fb8e21b9e141a41a7

          SHA1

          58ceea7ab0c119487830697be04efb4fddc524be

          SHA256

          a149c7a63f601b690d1dc97c6aea093d14b14991cf22f5f55995da7e4186c523

          SHA512

          788d537bd1c0a30bea47d8c2dfc79fa23976341a9765b766847242a158a1ef6123bf238f2f4cc5669b5939dc8d5b8e5e07e8cb3d78ea3442fcd8403bd7b9c0d6

        • C:\Users\Admin\AppData\Local\Temp\1.bat

          Filesize

          106B

          MD5

          c9beeb4d38b000fb99082dc5149c8ff1

          SHA1

          7e4e3ad68b415e4611ee2bf961cc7b6059b8d5f6

          SHA256

          6e5b24747493fcb5f1f707f78f6b41530c8e769ed36a61d8b7fdb0ae50576f8e

          SHA512

          c6cb8b55f1bf2c5c09e6f743394fc909cf3e3c34b3d6906d33ed6325d804a41a4c8f68bed0f8d487098028e55500b2cbaa80da2f3bd2b6633403c9b5369a9342

        • \ProgramData\Ksn\KSWebShield.exe

          Filesize

          197KB

          MD5

          2bcfdc7e51a9c556e5fb04e4d02fed39

          SHA1

          33e6eca60078affa733c2300605c91adddf992b0

          SHA256

          ee47b58a5464ceb75d73a82935a217970270958030eabc4e03100c61e7222fb1

          SHA512

          86b7a88d0aa5bacac2fd2a1eb60b5ac80a0fe012a1fb9105b7d7071e594a73e8fa049bebcbde144acc2e8116f682f47286d56c1302dd7153902fa5c2d617881c

        • \ProgramData\Ksn\kswebshield.dll

          Filesize

          437KB

          MD5

          0b629e4318e64a6ab7e2c43ad6cc3e83

          SHA1

          27e835072fb85614f49e7cd586f64bd10bfcd497

          SHA256

          41ef17fdff69930c658773f394f2f33f2f9ddab4b638e2b962da76a63a975be5

          SHA512

          298d43fb819a9257bdef1392bf68209423c82ea47f22f32657943dec0a6407be6ce8631e633b38e9d31df1ff9391b01010f6ff293835a1e6953dee09d30de24f

        • \ProgramData\Ksn\kwsui.dll

          Filesize

          457KB

          MD5

          272764640b4b296e13c7c136cfbaaca2

          SHA1

          8c4f405469d370db5270c64f119d5b5ba0eece4e

          SHA256

          50723b6ad935609de87df9f838756bdbb6cbdf801d3c0ce8e08cebb35ef04b3b

          SHA512

          97c4520913f968cf591d996c7aa82004455507d81f50968f8e7cbb5122b57be715c34b8de4f9d391195f4c1864747781b69632a8850119df4977524d002a604a

        • memory/1252-76-0x00000000024B0000-0x00000000024B1000-memory.dmp

          Filesize

          4KB

        • memory/2532-74-0x0000000003230000-0x00000000032A0000-memory.dmp

          Filesize

          448KB

        • memory/2532-0-0x0000000000400000-0x00000000004B3000-memory.dmp

          Filesize

          716KB

        • memory/2532-59-0x0000000003230000-0x00000000032A0000-memory.dmp

          Filesize

          448KB

        • memory/2532-97-0x0000000000400000-0x00000000004B3000-memory.dmp

          Filesize

          716KB

        • memory/2532-99-0x0000000003230000-0x00000000032A0000-memory.dmp

          Filesize

          448KB

        • memory/2548-53-0x0000000000240000-0x00000000002B0000-memory.dmp

          Filesize

          448KB