Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

39a724fe21...be.exe

windows7-x64

10

39a724fe21...be.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28/03/2024, 19:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    39a724fe218d31c5eff3d0bd957afbbad541ef09ba6ab6a2cd165f749c2b1dbe.exe

  • Size

    302KB

  • MD5

    2b3b6074ec5c2ad094af41b6faaa9d3d

  • SHA1

    762314f063e3639bb9ceb98e3ce27af65e4d0db0

  • SHA256

    39a724fe218d31c5eff3d0bd957afbbad541ef09ba6ab6a2cd165f749c2b1dbe

  • SHA512

    f74a282a71d4f60e20c6c9f23a32fe5ecd56287f977d6fa925609f7b374ed1c0e3a969088dfc8dca09123782a0b722552c908f5a463e1f8a7f79c1adc6ef01c8

  • SSDEEP

    6144:PeHwXUU5EYCTvaBjRjWrLJKuKnGML5NjcxP:PyMUusvalgg5NjaP

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Sets file execution options in registry 2 TTPs 12 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
    persistence
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 35 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 8 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\39a724fe218d31c5eff3d0bd957afbbad541ef09ba6ab6a2cd165f749c2b1dbe.exe
    "C:\Users\Admin\AppData\Local\Temp\39a724fe218d31c5eff3d0bd957afbbad541ef09ba6ab6a2cd165f749c2b1dbe.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\TCI6J0U\service.exe
      "C:\Windows\TCI6J0U\service.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      PID:2612
    • C:\Windows\TCI6J0U\smss.exe
      "C:\Windows\TCI6J0U\smss.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      PID:2500
    • C:\Windows\TCI6J0U\system.exe
      "C:\Windows\TCI6J0U\system.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Sets file execution options in registry
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2644
    • C:\Windows\lsass.exe
      "C:\Windows\lsass.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Sets file execution options in registry
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

6
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\RUH8O1U.exe
    Filesize

    302KB

    MD5

    f60cb007f6c5c135a3b956e938c4fa2d

    SHA1

    7d27bc5a55890c5f68133783bede7ad999b4d906

    SHA256

    a0fbc7bc2a99681527c171fe4b942a29fe540ffb501d0dbf9037d7e4db10383d

    SHA512

    071b88bcaf9b71854f46667109a6a33b43e334b50ad2bb708ca13de768fdeda0ab9795c816ac13d151a003e6a8b636700d25d393cac8a0581e2563eb829372eb

    Download Submit

  • C:\Windows\SysWOW64\HCY6I2DXEN3J3H.exe
    Filesize

    302KB

    MD5

    0f976c7a5ee2e890a77e336fad293666

    SHA1

    028b43b5784de99522ab5d8e207197830bf82cfe

    SHA256

    e1e2c4e0fa2c1d9fa2ebf0144e15401f11dd4c2bc7cf4dcc4994cadb49da7042

    SHA512

    80612dc7a197d210d3e90d3830e10b10123ad04bd2ae20d807d1e330de3fd3a30f14804faf599fa0a1806ca3c50aa15404e103396e08b3359a8b87c194b1e9cb

    Download Submit

  • C:\Windows\SysWOW64\HCY6I2DXEN3J3H.exe
    Filesize

    302KB

    MD5

    073b40dda46f88cd415cbf39aa88837a

    SHA1

    13b662777bc214916aea42a707ff538449fc3ba6

    SHA256

    91460bb4852ef7a6223a00d85ffca94a70173ead773e5ce2064458e860ceee3e

    SHA512

    4aa8125bd76f166ad9c2f02852373de84c71a97bf2bf4f5cb7d2abd8662d8bcbda6284deb59ff410c508410ba402f63210d0b0c7cbfa956edfe386c38fc86f3e

    Download Submit

  • C:\Windows\SysWOW64\JIM8R7E.exe
    Filesize

    302KB

    MD5

    e3c673fb1bd25ea2d883bdb3dcf8c797

    SHA1

    3925fd7f016ebcd820f39ed0ac8b2d590d424390

    SHA256

    e884624f44648c80dcb427211f8df7abe262383f79a35ae8fd5f8c37dd9faa37

    SHA512

    0201fcb61223de5c51877dc7f6b3b1aa0518184c03b739808fde2f8934621c90e9a17ac48525de1d6c422b6c4d0a7012cd654abc528c44cd31348110fe67751c

    Download Submit

  • C:\Windows\SysWOW64\JIM8R7E.exe
    Filesize

    302KB

    MD5

    30bc2edd7f2a4f3a5990e3dc38598313

    SHA1

    e4eea56e88e0e095980769be7771c7c8b764b7d5

    SHA256

    c3505a1aca93041e0129f455b2976467e9f9c096d232a6b1c96e9ce9468fa960

    SHA512

    300b6ed4e2fa2ec84e0487443c6b793fb74d839933f752c0ee19766a5e32d7208fc8c4bb5c4967db2b6d64f62ab7bf362743a5be0663986aa8a093d1582d0e45

    Download Submit

  • C:\Windows\SysWOW64\JIM8R7E.exe
    Filesize

    302KB

    MD5

    bc1c60e1f5f4750db690673ec8f8925e

    SHA1

    be5edc278f2b9b413ed7c02745856d5faf32b5c4

    SHA256

    f9ec8dd9ba1a1ddfec8eef4e7990de0f159b9f6ad8a1377a6946711720423b4b

    SHA512

    420c6d5636fd2472fab73cc1c987b1e06439669d4187d7834b062b32da72febcf2ce74125935f1b465d4390b522d8d1e8065f57bb271dc032ecbd95ae126260e

    Download Submit

  • C:\Windows\SysWOW64\XPQ1T2G\HCY6I2D.cmd
    Filesize

    302KB

    MD5

    2c84475f1905134669c2b63508dbf69e

    SHA1

    d3f4ae021a03cc9e0580b373d49d97e2c2b9cf39

    SHA256

    867a91cc5aa50db568aec3b5c0e87884f8c308f056a7572e1e591fa01c134ccc

    SHA512

    a0eba44c2124fd3e779bdee6b5b64eb3472c1a237cb77abb97aca8508c2f0e11b4af71263f164245e069024a97ed5dc497d5530a07ecefb89fb95051afd38e4a

    Download Submit

  • C:\Windows\SysWOW64\systear.dll
    Filesize

    141B

    MD5

    f42c1d2c995ab4654b3f7baa1e3e01e4

    SHA1

    7967d8a3f27fb7762dbef5be31d9203dbd7f3d7d

    SHA256

    45fd1b9c30f6b21842c55874d69422b979d3500cdcbb544e4c836cb4a60d3d78

    SHA512

    014492d79f33437b839cd4d10b3274553c2a0928472b1f1d016275522d6f0f679b22af3dfb1caf2f6ec5c10357b5ce7e27020b72064c23eaa72aa10937812ecd

    Download Submit

  • C:\Windows\TCI6J0U\FVE0O6U.exe
    Filesize

    302KB

    MD5

    5afa8c2252bf593b79ae91fad017e3c2

    SHA1

    02a0d886b09ba24ca340fb3eea02d238b1bbaeb3

    SHA256

    44ab091bbc86edd28a199f33c4cfd41f0ebfd39424a458d934cfc10710cc866c

    SHA512

    8212a13ec845d9e7cd61693438ee0fb6fb31244cba778c776d2a175d7e008d63eeb87fcb2388645992d568034235c1a56ff6c06279c5d476de348f909f77c6ee

    Download Submit

  • C:\Windows\TCI6J0U\ORO8S6L.com
    Filesize

    302KB

    MD5

    2b3b6074ec5c2ad094af41b6faaa9d3d

    SHA1

    762314f063e3639bb9ceb98e3ce27af65e4d0db0

    SHA256

    39a724fe218d31c5eff3d0bd957afbbad541ef09ba6ab6a2cd165f749c2b1dbe

    SHA512

    f74a282a71d4f60e20c6c9f23a32fe5ecd56287f977d6fa925609f7b374ed1c0e3a969088dfc8dca09123782a0b722552c908f5a463e1f8a7f79c1adc6ef01c8

    Download Submit

  • C:\Windows\TCI6J0U\regedit.cmd
    Filesize

    302KB

    MD5

    ae6cfd77f7336265b96a0cbb87aec1c4

    SHA1

    35bd95788c9813d7cd3a668b09a0a9979683389a

    SHA256

    dc5aebb3421a178978089540e11dc8f344acd5297c5373e22ff8b35712a43183

    SHA512

    257238c9a3105ecb2892bd4b14c656ccb129420cbc65e94c418dbf6008306c798fa30fc268026d9bc652f4957b487b474d6359fdab25f0afb2cf2a714fe2ecef

    Download Submit

  • C:\Windows\TCI6J0U\regedit.cmd
    Filesize

    302KB

    MD5

    65b1cde95b7fe6810f6d38bc4beb2427

    SHA1

    e2687a82ead112088bf70acbec25ca10531db2b9

    SHA256

    143b1dbb3d8ad129b18df96c6fafeb93139e99be31af5f7c72130f7dd2342920

    SHA512

    012d68371dc7d375b9d0b4ff763814af787613c6deec4794b68d5f22429013e0bcf39866fbfb52148aefc2808e414e52628b2b893aeedf05cb5e55df6efd6076

    Download Submit

  • C:\Windows\TCI6J0U\service.exe
    Filesize

    302KB

    MD5

    a90546e8eceead82535e8a8da545b50f

    SHA1

    059d8f8efcf466918962b434285093ef4cf3ec97

    SHA256

    046c07b136af902d1abf6484954d9455712c984645b586a1d88c2ecdfd47dfea

    SHA512

    2bda3242e20fc503717c05242fe125460a5061e3ebcdf29cf0ebf9dcee1a21a6bb423fb7fb4116ac49c799fc6ce56288722e7eab4587b82123e3c3c4e8bc16d5

    Download Submit

  • C:\Windows\TCI6J0U\smss.exe
    Filesize

    302KB

    MD5

    479d613cf233d6cbdbdc21015502a468

    SHA1

    7dd3b744ba27417bfa860ebab25e4c113f7eb849

    SHA256

    f292f34f31ad6da9f3a5cd04d97044c29d19c4d0c0fd1cc13494ff9c1d64d0c0

    SHA512

    8a528c2811680ac1d252191bbfe3716dd1f795c856efc84046fb0507c1d3c83c0087aa6d65023d11d5c8ab8cd5fc4adb38e8af928362b925777b1aee6fad0f8e

    Download Submit

  • C:\Windows\TCI6J0U\system.exe
    Filesize

    302KB

    MD5

    a8990c55e45a53ba229c552d1e05c749

    SHA1

    9b718363d6210ce01919b6b57f93232c163f2756

    SHA256

    b41d96c226208fcb048d5792924a52df25da65e7ac4d3e47bc37af1b0b21a806

    SHA512

    8db74ce9d721d583c2ca8fbc703235c95aea750532df281c15ccb9e316fb74925f92eb581d803cf0fa990eac002e90b45febb37e9fe9989559de1f4000b749ed

    Download Submit

  • C:\Windows\TCI6J0U\winlogon.exe
    Filesize

    302KB

    MD5

    3eb0ab99e5aaf5c0edb6d0729edd2b65

    SHA1

    bdb43c93d8e63b6d59baafd5ff4f8fdd676f894a

    SHA256

    12a1b5b4650fff1a30b4499a7ba3aa547771c2885fcd90d1a565823e8ee0ad25

    SHA512

    46f18f1275f573c0f655f3080703ef245b725859d1ca166cdab2aa64a4c6c9d83161c8f1bcabc8d10d5bfebc9e82d8eefa94c7d7aea0662e06ae6917d5002a20

    Download Submit

  • C:\Windows\TCI6J0U\winlogon.exe
    Filesize

    302KB

    MD5

    66ba5030edec6082aa2d6619de8e3b78

    SHA1

    e7c69fedf6abea94a645f4d310ef048f296d53ab

    SHA256

    d0f190ce845b8fa57fd12eeaf83f5dd60943af46ccd7efe2d445bf07f91a73b4

    SHA512

    a083663e4739f742add2ed511064db346aa41ea9973e2e14a8ae6a329ea969d72e722db9b77dfb03af237076562b23b204c13f1c4a3629de22bd00648e5b2bd3

    Download Submit

  • C:\Windows\XEN3J3H.exe
    Filesize

    302KB

    MD5

    1f72904a41d27fdb67913cf5a7ba9fa5

    SHA1

    89531ad5af449c24c1e383d1a46970f2ec2d032e

    SHA256

    fd27f79fef8e978c027b86f9d83dd1d29402dd63aeb6d523cf026e23fb9a0909

    SHA512

    284e7e42b082a822a976ff58b4595735f27e036bcc28c21c361c7d6787f288d4d9edca5ed9dee45041056cd2bff3ba2421aa1f180cf695b33b67df7b6ee7b8b0

    Download Submit

  • C:\Windows\XEN3J3H.exe
    Filesize

    302KB

    MD5

    b7a2cf3b95a2271bd0d30b7216512477

    SHA1

    ccaab585b54c59d9f484147c9cfe4f76abbd0c2a

    SHA256

    a29d22e37bbb8f17299e8c59d87a720c8a377de0aecfc2c03277e14edeaf3e1c

    SHA512

    f15823ff8931b0657949e0518ffd6ef88bfd3b752d863bbeb39a8bd3c495ac2b95a20a33e2e2d20c7bfc6bb9965b0e8312142e25e2a6208b99ea8c8691632180

    Download Submit

  • C:\Windows\cypreg.dll
    Filesize

    417KB

    MD5

    fc8abcba7beed80838a5e4648d805948

    SHA1

    889e8bcc6800b6966b849fff57df1e1b4e286871

    SHA256

    50243a2ff505fcb43f6d3047ea6a434e7b567bbfc84d0b7be6b677864353ea34

    SHA512

    cbc20dace4ac89f08e47bf24454b8741c423253bcadf10fcbc8a62fbe3bbdf810a97c2201f8f138ad5d6ec54e52ced897e8e9fcb1fa67eda485e136f0d262f62

    Download Submit

  • C:\Windows\cypreg.dll
    Filesize

    417KB

    MD5

    c4b8a8c69c01cb54185f2b9b00389020

    SHA1

    0bf59a8c0c08b2d0aea013670e796dfb3d44deff

    SHA256

    5a4ce5403b4725c5e9ed26e43d861967c26f0de0b57eebf1812cc729c2dc48f7

    SHA512

    4ee088d3acca98e2263ef7cec96d29461025f297a026f9fe30b5759a2c7b4abceb11ebc9e8b30ccb876b9bedd66bc692b4a33aefa933b5a8951c5a4837e5cd28

    Download Submit

  • C:\Windows\lsass.exe
    Filesize

    302KB

    MD5

    ecda12a13394b439dab4dbb0a849dd64

    SHA1

    46fd4be745f644f9e49405f95dc984c3cd19b993

    SHA256

    e5eed5d273ee07652afc54e5ee3d75f91a4f8f293eeabaebfbad785df3645758

    SHA512

    77bbbe787b875424892164bbd5c1afee11af4211596c0c390a5425a4ad0aca98161608234f48aae21f2d234c5a9f9cbef6af2c62c4187d201e5780520a6e1684

    Download Submit

  • C:\Windows\lsass.exe
    Filesize

    302KB

    MD5

    69aa7b0824033b395baa0f07ae853e8c

    SHA1

    e47a1432f634a073ced82ef9b1777024d7003c26

    SHA256

    dae081e2b54a9da84cffcddb26fbebdbcdac2609117dd4b14599588f6753e398

    SHA512

    1b65b7d3cd6d628eb8b221fec8d65b1f8b2c97f8fc55b02e531ffff1d4b49f164044f7c379723dd57204d3334684b287ef1d65db23cba85f3704467963cb8d93

    Download Submit

  • C:\Windows\moonlight.dll
    Filesize

    65KB

    MD5

    8e6e31f8df128a746ff9a3a38f8f78c0

    SHA1

    e4da9aa336eb7e254592e585b29d8b4e23f3e4bd

    SHA256

    dc33796b634ea14ed80a492257f698d103a57e1a041ccab92945efa8201a65f7

    SHA512

    eddacadcb86d8ead42185af5ce779f35dcbf262b2e12dc1cb816c3c5e35563201a839b861eb4a2cda472a5a27b2dfb76a0310d6eb94b49e9d5b58af869ef22c6

    Download Submit

  • C:\Windows\onceinabluemoon.mid
    Filesize

    8KB

    MD5

    0e528d000aad58b255c1cf8fd0bb1089

    SHA1

    2445d2cc0921aea9ae53b8920d048d6537940ec6

    SHA256

    c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

    SHA512

    89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

    Download Submit

  • C:\Windows\system\msvbvm60.dll
    Filesize

    1.3MB

    MD5

    f51eb28b17fd0c4603acd9b94c2a46fc

    SHA1

    06c2f4fa3f9a21b33534064443fc797eca56507a

    SHA256

    d22b4677ee5ae0cbcc344b10a5c6dc7961fab43115877854459bafc33f33963c

    SHA512

    c69f5f4196381344efff3207119aa1f7dc6ff98d3e15d62eecfe6d49629d34500b622118f93dfc97397435bdc0ddf9db643ddbd7ec52a6ecc7cad82f31bd9378

    Download Submit

  • memory/1700-222-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2032-0-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2032-179-0x0000000003700000-0x0000000003752000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2032-67-0x0000000003010000-0x0000000003062000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2032-183-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2032-55-0x0000000003010000-0x0000000003062000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2032-47-0x00000000026F0000-0x0000000002700000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2500-69-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2500-220-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2612-68-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2612-219-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2644-217-0x0000000010000000-0x0000000010075000-memory.dmp

    Filesize

    468KB

    Download

  • memory/2644-218-0x0000000010000000-0x0000000010075000-memory.dmp

    Filesize

    468KB

    Download

  • memory/2644-221-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2644-110-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2644-223-0x0000000010000000-0x0000000010075000-memory.dmp

    Filesize

    468KB

    Download

  • memory/2644-224-0x0000000010000000-0x0000000010075000-memory.dmp

    Filesize

    468KB

    Download