Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

d0b0e88ab2...ea.exe

windows7-x64

10

d0b0e88ab2...ea.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10/03/2024, 01:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe

  • Size

    196KB

  • MD5

    80d765bf7ac04c4607cacf0754b73178

  • SHA1

    a2a91440be0fd6d4f316553926bcda919032b776

  • SHA256

    d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea

  • SHA512

    e0a09385f64e0ac27c3d894f7bf4d3ed5f115265c1b23fd7ac2166ec4023402abcca1b3dd499a68ee59b31331ede66fec50331eb88ac7427a820bd0bb7b297b9

  • SSDEEP

    3072:ZOgUXoutNzxZVX4/awxfodLJUBv9Bsor1rHjhMU9npQQpmuG:ZFYoSJRARoYlld9n2Qpmx

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • UPX dump on OEP (original entry point) 30 IoCs
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 18 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • UPX packed file 30 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 20 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
    "C:\Users\Admin\AppData\Local\Temp\d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2884
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:596
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:976
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:240
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2248
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:704
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1632
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1740
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2952
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:440
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1252
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1840
  • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

7
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
    Filesize

    240KB

    MD5

    2aff5fc0805ebf82640f4a2cf0e03c86

    SHA1

    9a50161c6ee26c09d991f846373b717e350dd860

    SHA256

    50165ad7e0528655e4f7a038fa642a8b1d0c596f34a209ce3d40556bfe24b6ee

    SHA512

    850d80e2e5996e32fc90f56758779f10ef6532ff8216599c6bd8d3d6d209556a9c1debb445662631291fe5ffa833bd3fdef901899a352389f0499aa7e69499ef

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf
    Filesize

    1KB

    MD5

    48dd6cae43ce26b992c35799fcd76898

    SHA1

    8e600544df0250da7d634599ce6ee50da11c0355

    SHA256

    7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

    SHA512

    c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    196KB

    MD5

    de70ec0f8614e42edc1e0e040c648561

    SHA1

    68ae869fd7a060b3c01a88448128b578db26e77b

    SHA256

    b2395e9b9aaa986afaec5cc0f5cd9af856fe85c0931f3fe212183a1789ba56d0

    SHA512

    a91529f875efe2c79873c728146d85329d73b50d537830123d9a490d17b356b566e3d91acdf7ac39628d1406209781ce880b524b7301f94841b48f78f17cf008

    Download Submit

  • C:\Users\Admin\AppData\Local\services.exe
    Filesize

    196KB

    MD5

    80d765bf7ac04c4607cacf0754b73178

    SHA1

    a2a91440be0fd6d4f316553926bcda919032b776

    SHA256

    d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea

    SHA512

    e0a09385f64e0ac27c3d894f7bf4d3ed5f115265c1b23fd7ac2166ec4023402abcca1b3dd499a68ee59b31331ede66fec50331eb88ac7427a820bd0bb7b297b9

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    196KB

    MD5

    2d7bd2e61a849b5b2039d6f01712e7a4

    SHA1

    40ace6ed9c1e72601ec14a14524e85ec20c86db0

    SHA256

    bbf12c0229a2720941c50e0459d166ff261e5cfbe8d523ee3381d3ad41e01dea

    SHA512

    9f31978870352f05c3c86f237e50e9e9a32c2340c91716cf3a33fe970b827c771c1717ca43e48697cb675f43331ceede896537e6fc3e1beb610c5492ac7dedff

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    196KB

    MD5

    82205505e13fa436ef107c71feaded5c

    SHA1

    7e93c1cd199dc9e7b2874f7a65db3d84451b7110

    SHA256

    95c1de7b490ed668c10c2d0048236fc62e440fe3ed2b044b930f7fdb44127b8d

    SHA512

    4684101fad49417138f2871b947b4bbddc3c65b09cb95864a08cb8fa48ad342d848a93e9faec87c3ba439304cf0f911839a5fcfe1dab2a47a1eccc29dc6cb98f

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    196KB

    MD5

    2b8eedc5c49e5b141cb7977923ea01b5

    SHA1

    3791fb9adabe25ebb6fd60e1e35731dae7ecf8c3

    SHA256

    1ee52f686deb46b101ef02fde4719138539e8ab596c7ad6e671d67aeba1e6ef3

    SHA512

    5b2e014997ae11b5ee9ea24de54b55fdb6d8891d0a2f725fc1cdbac989d70b021eff732407a8f25b950ed2bb9dc4ed0a8ed44feddd4205aabe1d623b944be402

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    196KB

    MD5

    457d826238ba4df7afd49537d064532b

    SHA1

    ca9a6879ed44fd34512ed8fed39fd8746782dcfa

    SHA256

    9f85ffc7a8920810b2260c26ba70b1bca39ce71c0aadd082dd9c637a10b0ca2b

    SHA512

    1a249e1b57b7eeedc985c62e2fd901bcdb0868378f3fe0909000804a94f06a248e469a724a910f27823eaf15cb0af74cb42bc1340328056ac9b460c7943ea200

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    196KB

    MD5

    a76415de17396e225e730e778d496b31

    SHA1

    2d98f8d8969b5b1580d4d4e761fcd35e1c103ccd

    SHA256

    c0af64d9c1fff068927aed504a41bbf8a70ae8f0ea72af36df2601eead8177f3

    SHA512

    43c98c58c9f105a92151a3b5c748d901490216c6b22c0fe1b90103c9db5362a764df8f57cea707cb5a98e13f29dd96ab5bb768f07067120b2da7fe3ee3ce5bdf

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    196KB

    MD5

    0322c82abb4272415bace360bfdc0b18

    SHA1

    c39ac10827c3e5289b4007f2a69c87c0c311b1ce

    SHA256

    8f209344e87b24ed887bc163b3300ca9a19b4a65416a0fd0212272db1865201a

    SHA512

    e9f9de6423cf205643054c190225f302d38f3f8ccb2a5d211af260ebe94b06cc474bfc760d83ea59ba0edbbb019e67b892162f7403cf75594a384c885958734a

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    196KB

    MD5

    8ef89cb771772c767f97874b097f520e

    SHA1

    5dfeccec6a1d6e7c9a235b014332eef206905997

    SHA256

    5739debf82ebfe46cac449cd0ddf5c2fa26d7f47ac85e57af1a03257beeb47ac

    SHA512

    2324dd1bcec6436faacd9d0b3abdb2f96e64cb2554284b43aa537b2df3a2ca5048895bcf84575948ff0d0d860e596e6cc555f5f470af7995088c7ba875892052

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    196KB

    MD5

    0d780601caaa036d886a487f6c4bbb54

    SHA1

    4247e752936cf520c38d81cd6273f6f147b07eb9

    SHA256

    da048cfe57f62b8daca0b6c3b5c06642f9658db136477529f52b507ee2c09308

    SHA512

    e25dd0d8b5e0ceb7653a8031f627c0c22bc7890ae910d94ebb84158fe6865b5d4cd46dc9091953b4c3d06f7111e0340cf1126ba76b41bb6e5c662547c52a9a45

    Download Submit

  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    196KB

    MD5

    2d296f5ccf2ace5c75facb95e6c30c42

    SHA1

    056fc5ba7a639a63419e343eef2f35d9c10f3bd5

    SHA256

    3e4a030312e965c01f91944dbfe929d0452cdba168887b1608e9e19ae0a83141

    SHA512

    a60548f67232038d56f0dd344ef0a167077b026f0668020e1952eec1c091b73f76f5ec315c0c12dcb28b757058c9fac1b1fef741c85844d5df39e747c80a9cd0

    Download Submit

  • memory/240-136-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/240-133-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/440-252-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/596-113-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/596-111-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/704-207-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/976-123-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1252-262-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1632-218-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1632-220-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1740-232-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1740-227-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1840-272-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2248-149-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2400-298-0x00000000738FD000-0x0000000073908000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2400-297-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2400-427-0x00000000738FD000-0x0000000073908000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2400-398-0x0000000073D01000-0x0000000073D02000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2884-145-0x00000000003D0000-0x00000000003FF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-237-0x00000000003D0000-0x00000000003FF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-143-0x00000000003D0000-0x00000000003FF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-131-0x00000000003D0000-0x00000000003FF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-216-0x00000000003D0000-0x00000000003FF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-146-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-126-0x00000000003D0000-0x00000000003FF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-214-0x00000000003D0000-0x00000000003FF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-108-0x00000000003D0000-0x00000000003FF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-424-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-426-0x00000000003D0000-0x00000000003FF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-239-0x00000000003D0000-0x00000000003FF000-memory.dmp

    Filesize

    188KB

    Download