Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

93d67529cf...7c.exe

windows7-x64

10

93d67529cf...7c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/04/2024, 23:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe

  • Size

    1.1MB

  • MD5

    29d044809809aabd82305ce04ac88736

  • SHA1

    683b89f68681730e2828be556d5c687cc1a4a2bf

  • SHA256

    93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c

  • SHA512

    a7517d7e12962ee42ff42fb941bc6756238cb9f157e8f14958563fc43f9929db8b3a76fd944d7136e21b5bc85178c76b2ba0e412ceb828a74e5b5e78b735c286

  • SSDEEP

    12288:Lkt3OB1IWL78Z8L7JQQRfOBkkt3OB9JQQRnOBHIWL7JQQRZOBrOB1IWL7JQQRZOV:4eB1BRWBZeBbROBHDRABqB1DRAB19

Score
10/10
evasionpersistencespywarestealerupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 5 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 5 IoCs
    evasion
  • UPX dump on OEP (original entry point) 59 IoCs
  • Disables RegEdit via registry modification 5 IoCs
    evasion
  • Sets file execution options in registry 2 TTPs 20 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 5 IoCs
  • Modifies system executable filetype association 2 TTPs 5 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 59 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 51 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 21 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe
    "C:\Users\Admin\AppData\Local\Temp\93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\63736\service.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\63736\service.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Sets file execution options in registry
      • Drops startup file
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2844
    • C:\Windows\35838\smss.exe
      "C:\Windows\35838\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Sets file execution options in registry
      • Drops startup file
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3708
    • C:\Windows\35838\system.exe
      "C:\Windows\35838\system.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Sets file execution options in registry
      • Drops startup file
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3976
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\63736\winlogon.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\63736\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Sets file execution options in registry
      • Drops startup file
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1012
    • C:\Windows\lsass.exe
      "C:\Windows\lsass.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Sets file execution options in registry
      • Drops startup file
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

6
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\adodb.cmd
    Filesize

    448KB

    MD5

    a7f618a9f8e85aaee2b7053671dca94c

    SHA1

    63033e5564a8a5d27802e3bffdadbcf7e7ea3a12

    SHA256

    7d4e216dcd0a8bc514e5ec3fb48eab567d7c7b7fc585a176270367974f6ef64d

    SHA512

    fdbb023a0f8d7fb16869cb25f7de469cd54247d9bb371293ec4276ca1dcc926feb89e09e4f807021fbf48dcf5f2bec3b5ab092eb5e805c2071e90c02d95e115c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\adodb.cmd
    Filesize

    64KB

    MD5

    8e1acdb764fc1c136f3869189fa7d52c

    SHA1

    139e98dd38ba33da9282373387a4745d5f255989

    SHA256

    86380e536b3a318d859e3cc57dd8faa2704e5f55522b4173aef2ed625a68987e

    SHA512

    e2595493e1b79f1235b002018bbc72b5372ba92160af4bb2319f4f93986bb8ca8d4ab2b1418e82cc04b939fa22084f80614f89ffef91537c39e96a974422aa8d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\adodb.cmd
    Filesize

    256KB

    MD5

    8f5d334a19ecd204e5aa1fd7268d3f4b

    SHA1

    2294eb28a22b57e10a4a65b1b60ab85e1b8a85c2

    SHA256

    24525d36e3ee1547f4e4e8807fc4457fbf71be87ea419f19f4cfc5be35f87065

    SHA512

    745c8329abb5a5e9c67828fcee3c38e643642fb8b743af6cf4b6dd9acba72b58410e693af1370bd3000e1650ee11c822562cbf48c9d4191ccc2a89d039d21fe2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\63736\service.exe
    Filesize

    1.1MB

    MD5

    29d044809809aabd82305ce04ac88736

    SHA1

    683b89f68681730e2828be556d5c687cc1a4a2bf

    SHA256

    93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c

    SHA512

    a7517d7e12962ee42ff42fb941bc6756238cb9f157e8f14958563fc43f9929db8b3a76fd944d7136e21b5bc85178c76b2ba0e412ceb828a74e5b5e78b735c286

    Download Submit

  • C:\Windows\MoonLight.txt
    Filesize

    176B

    MD5

    56473592d37a13c9098b21cb442e60fd

    SHA1

    6f0f49440289a6cef1d93e8c785747a3fb318688

    SHA256

    acdcb1f96825ca74387ebe03f2a12291f7678da2cf6092607aea2dab6982cf35

    SHA512

    6c635dc4f1ce55b54e39992531b0a4024c213af7fc3ab0f5b2642a932cb2201e7037a60e37c7aad42308ab7a84f0a2c655391935749d76f02ae7c3afd765dd2a

    Download Submit

  • C:\Windows\SysWOW64\crtsys.dll
    Filesize

    120B

    MD5

    a6f39a9b5556ce4c7cfd87677aa74224

    SHA1

    d0216d0a0219a85e0cc803496542fef521d125fc

    SHA256

    98a94698e85b53add5406bbebdee6d4e1fab5d50d773ecb0b6b45a2df4692b64

    SHA512

    f3469c1e92b46cb023d0708d5de96ffca7665761a0749ff30d059b5e986e347aad98011117587c47ee08c5bb8eb9c8ebd69b4d842057f5f78bd6abfde903b73a

    Download Submit

  • C:\Windows\system\msvbvm60.dll
    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

    Download Submit

  • C:\Windows\system\msvbvm60.dll
    Filesize

    192KB

    MD5

    b1bbb62a1f02341bf14929284d985907

    SHA1

    60779a0498d314384b133ce737c39450a38be205

    SHA256

    e8cd83998a18db42e3e2459ec00e2c0d54223446253030b332591b808a0af91a

    SHA512

    ce73ec9202d8231fd44ad6bb88f30d64be9b99633f5e9a7803ea1db0883047ef26711cea21aa635f80b6b8d9c8477abd91b6190d647c81235c179ce4baf2c374

    Download Submit

  • memory/1012-1084-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1012-1051-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1012-1173-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1012-728-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1012-1110-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1012-752-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1012-1250-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1012-863-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1012-605-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1012-1072-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1012-1221-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1012-1035-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1012-703-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1304-186-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1304-0-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2844-1107-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2844-1170-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2844-725-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2844-749-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2844-1247-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2844-1218-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2844-1195-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2844-860-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2844-602-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2844-1081-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2844-704-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2844-1032-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2844-700-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2844-1069-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2844-1048-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3708-1049-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3708-861-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3708-75-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3708-1070-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3708-1248-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3708-1033-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3708-603-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3708-1171-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3708-701-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3708-750-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3708-1219-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3708-1108-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3708-1082-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3708-1196-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3976-862-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3976-715-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3976-727-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3976-751-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3976-604-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3976-1220-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3976-1083-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3976-1071-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3976-702-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4392-365-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4392-181-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download