Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    141s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/04/2024, 21:57

General

  • Target
    6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
  • Size
    91KB
  • MD5
    0e5817d0795284c455c76f25df817392
  • SHA1
    b05e09a68085a4a1cd79d777da7f120b9fc39cb3
  • SHA256
    6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf
  • SHA512
    0106bba2aacc769989f505cdc3e2bcaec1a9f8b30de3cb623207f3ae7d1255d6e3a6a693c4155b262cf510ad795c4cc1ed40989cb10ea80c2447729154029baa
  • SSDEEP
    768:E3gRYjXbUeHORIC4ZxBMldNKm8Mxm8I+IxrjPfAQ4o3ImuKm3gRYjXbUeHORIC4q:uT3OA3+KQsxfS42T3OA3+KQsxfS45W

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 24 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 20 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
    "C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2080
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2676
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2816
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1884
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1032
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2424
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2864
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2488
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1792
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:412
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:352
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1312
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1252
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2148
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:992
  • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2000

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
    Filesize 235KB
    MD5 38f600cd69dbcff49e0b3da148a55ca4
    SHA1 f617a23facd5ea520d50274aaee6b132812e904c
    SHA256 672153c27b47493f130fd5e4db4dcfd7ff5e9c0d7b43fd172786ccdd14ec4004
    SHA512 d52344e42cbed07eca06206ecc0f3af11310ce9b38288c844fe0ada769c08b26f6759c4ad66c22322be2711853a70861d92598fffd6aed72f7eb54efe9fc76d2

  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
    Filesize 240KB
    MD5 253086a5c68964b3cc276c41f7345df2
    SHA1 669f776c2e84d071ecf00b53a1a1521d3c0e7b9f
    SHA256 f42058caf8cb9c244f2fa142186791e4faa1607c02432eb26341881fdb15a9b2
    SHA512 fa98d8df1ad145849d105185b05cdaa37e06c3857912e4346ad3484f689759d652de3b7375a4f162e64b692b4327dbdeba0efee2e29287760a57593d25b86f94

  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
    Filesize 231KB
    MD5 d64dd3563fc80fe0ca3f905eccf8f46f
    SHA1 a81b84aa0ab2f73ce34ff5813535a9cc8f2af93b
    SHA256 4763851cfa45964b7a4310d13d4d329554575d34110c779ff4f450de0892b7ed
    SHA512 3bace8449295338dbe1fe5c450f089ab63cd21a6397d2518f345b3abde6c022be57b7216aaddaa41c5966afc329c7f4dfd60a213b9e984ec3ada073150233d5f

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize 91KB
    MD5 0e5817d0795284c455c76f25df817392
    SHA1 b05e09a68085a4a1cd79d777da7f120b9fc39cb3
    SHA256 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf
    SHA512 0106bba2aacc769989f505cdc3e2bcaec1a9f8b30de3cb623207f3ae7d1255d6e3a6a693c4155b262cf510ad795c4cc1ed40989cb10ea80c2447729154029baa

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize 91KB
    MD5 07b475ab48073f9ac1e3ba5944a4feec
    SHA1 c4f269ad475d63e422aa8eaccc3c52ed9f2536b5
    SHA256 16e7da71da41e7902ff2d95cd6e4bf1990b1602e286dc16aa5179190ebc37849
    SHA512 5319d3d5061cf42eb8113199ab9ef933a06a1b66c7e651217831b55b1ded4a34754e9116f191ef332f2c16b2c7bc07ed9e06d1a69601f293deb9915b0f5fa52a

  • C:\Windows\xk.exe
    Filesize 91KB
    MD5 ad2045b54e786f2b8ea22ab361313582
    SHA1 5efc874ea5edd0c0ff265e43358651ca4e5665f5
    SHA256 ab4c8b569296c80e334b9114bf4bc16b36945df02aa6cd2d06a74269285b6c8d
    SHA512 cb09fa284a1c3b02634da11d29fe7c1ad4761c3556a4e9f802f0523c18bbc72351b653c215f1deca1f017608cc9d1671c54042c41d3eb61fdc5fae3175530907

  • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize 91KB
    MD5 efe65b598ecec236e5e8b1f18ddfcea9
    SHA1 dc84ea697f08e482caea011144bd01edb0153bf6
    SHA256 efd315332724d69164901331d06626b83e7065ffd5ed842f7a247c6f3c0c6c62
    SHA512 1eab8d92caa4a2098cd279b9912ccbc7029fd360e4bb2bfb99c86d2f6960fbf36c274777805905a108c45b409043f508c2eb51ad042d46786952c450167751a2

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize 91KB
    MD5 15d9fa181bc927dba228d19728bf1efa
    SHA1 dba6faa7244451d1d75c1e5d2e48e3edceb6bd3d
    SHA256 4c7a44906fda52d26087bbbfd7aee5bef3af0122ff7c6f40aac15a5acd75b7e7
    SHA512 dd3bcdba8769504ae04960391a8fa11516f9dd3873799dcd5aeabc3e49d7a4092b3eab868a912a0f7d48f307755da23fca968e58d4e9360e48a7155a36bcf6ce

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize 91KB
    MD5 7c128c28560eabc72308ce87b08774aa
    SHA1 cfde3f238b348fa42aaa93d378b38ef75e30763e
    SHA256 ee22a856c3f98560b80ea561429559625ea5712130349711c16535dd53be2a36
    SHA512 4652a9eff9f09ffd19a57e87b38c3acdbecad66feeaac6cc4493cf13b10b3d6f3a7dd4521c2aad52c88bb4f0527206b0f70aa9e209defa90207677a70231ebca

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize 91KB
    MD5 853adf0747cc508dcad58714b0bba3e4
    SHA1 9ed0ca53f1a2bc2b6b330d33909de180606812d6
    SHA256 f178704d8dc03abe711fc0d93486fd2891a56268896f83d61fcb27195aef647e
    SHA512 51091be2c5af9482942164b5d37a8d1e077717ff0dfc20244ea22d1067c39e6691b5fa97753dc376a6dcc39a87c8e3730ca6e954db0327542aa35ac79607f2c1

  • memory/352-281-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/352-274-0x0000000072940000-0x0000000072A93000-memory.dmp (Filesize 1.3MB)
  • memory/412-275-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/412-261-0x0000000072940000-0x0000000072A93000-memory.dmp (Filesize 1.3MB)
  • memory/992-331-0x0000000072940000-0x0000000072A93000-memory.dmp (Filesize 1.3MB)
  • memory/992-335-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/1032-157-0x0000000072940000-0x0000000072A93000-memory.dmp (Filesize 1.3MB)
  • memory/1032-158-0x0000000000020000-0x0000000000024000-memory.dmp (Filesize 16KB)
  • memory/1032-162-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/1252-309-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/1252-303-0x0000000072940000-0x0000000072A93000-memory.dmp (Filesize 1.3MB)
  • memory/1252-302-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/1252-304-0x0000000000020000-0x0000000000024000-memory.dmp (Filesize 16KB)
  • memory/1252-312-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/1312-296-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/1312-291-0x0000000000020000-0x0000000000024000-memory.dmp (Filesize 16KB)
  • memory/1312-288-0x0000000072940000-0x0000000072A93000-memory.dmp (Filesize 1.3MB)
  • memory/1312-287-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/1792-259-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/1792-247-0x0000000072940000-0x0000000072A93000-memory.dmp (Filesize 1.3MB)
  • memory/1884-144-0x0000000072940000-0x0000000072A93000-memory.dmp (Filesize 1.3MB)
  • memory/1884-148-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/2000-489-0x000000007392D000-0x0000000073938000-memory.dmp (Filesize 44KB)
  • memory/2000-461-0x0000000073DE1000-0x0000000073DE2000-memory.dmp (Filesize 4KB)
  • memory/2000-361-0x000000007392D000-0x0000000073938000-memory.dmp (Filesize 44KB)
  • memory/2000-360-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
  • memory/2080-4-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/2080-114-0x0000000001EE0000-0x0000000001F0C000-memory.dmp (Filesize 176KB)
  • memory/2080-249-0x0000000001EE0000-0x0000000001F0C000-memory.dmp (Filesize 176KB)
  • memory/2080-116-0x0000000001EE0000-0x0000000001F0C000-memory.dmp (Filesize 176KB)
  • memory/2080-503-0x0000000001EE0000-0x0000000001F0C000-memory.dmp (Filesize 176KB)
  • memory/2080-250-0x0000000001EE0000-0x0000000001F0C000-memory.dmp (Filesize 176KB)
  • memory/2080-262-0x0000000001EE0000-0x0000000001F0C000-memory.dmp (Filesize 176KB)
  • memory/2080-1-0x0000000072940000-0x0000000072A93000-memory.dmp (Filesize 1.3MB)
  • memory/2080-306-0x0000000001EE0000-0x0000000001F0C000-memory.dmp (Filesize 176KB)
  • memory/2080-156-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/2080-502-0x0000000001EE0000-0x0000000001F0C000-memory.dmp (Filesize 176KB)
  • memory/2080-273-0x0000000001EE0000-0x0000000001F0C000-memory.dmp (Filesize 176KB)
  • memory/2080-2-0x0000000000020000-0x0000000000024000-memory.dmp (Filesize 16KB)
  • memory/2080-143-0x0000000001EE0000-0x0000000001F0C000-memory.dmp (Filesize 176KB)
  • memory/2080-487-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/2080-289-0x0000000001EE0000-0x0000000001F0C000-memory.dmp (Filesize 176KB)
  • memory/2080-131-0x0000000001EE0000-0x0000000001F0C000-memory.dmp (Filesize 176KB)
  • memory/2080-186-0x0000000001EE0000-0x0000000001F0C000-memory.dmp (Filesize 176KB)
  • memory/2080-122-0x0000000001EE0000-0x0000000001F0C000-memory.dmp (Filesize 176KB)
  • memory/2080-0-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/2080-3-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/2148-318-0x0000000072940000-0x0000000072A93000-memory.dmp (Filesize 1.3MB)
  • memory/2148-322-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/2148-325-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/2424-172-0x0000000000020000-0x0000000000024000-memory.dmp (Filesize 16KB)
  • memory/2424-176-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/2424-171-0x0000000072940000-0x0000000072A93000-memory.dmp (Filesize 1.3MB)
  • memory/2424-170-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/2424-179-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/2488-199-0x0000000000020000-0x0000000000024000-memory.dmp (Filesize 16KB)
  • memory/2488-200-0x0000000072940000-0x0000000072A93000-memory.dmp (Filesize 1.3MB)
  • memory/2488-242-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/2676-115-0x0000000072940000-0x0000000072A93000-memory.dmp (Filesize 1.3MB)
  • memory/2676-120-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/2676-123-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/2816-130-0x0000000072940000-0x0000000072A93000-memory.dmp (Filesize 1.3MB)
  • memory/2816-135-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/2864-191-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/2864-185-0x0000000072940000-0x0000000072A93000-memory.dmp (Filesize 1.3MB)