Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/04/2024, 21:57

General

  • Target

    6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe

  • Size

    91KB

  • MD5

    0e5817d0795284c455c76f25df817392

  • SHA1

    b05e09a68085a4a1cd79d777da7f120b9fc39cb3

  • SHA256

    6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf

  • SHA512

    0106bba2aacc769989f505cdc3e2bcaec1a9f8b30de3cb623207f3ae7d1255d6e3a6a693c4155b262cf510ad795c4cc1ed40989cb10ea80c2447729154029baa

  • SSDEEP

    768:E3gRYjXbUeHORIC4ZxBMldNKm8Mxm8I+IxrjPfAQ4o3ImuKm3gRYjXbUeHORIC4q:uT3OA3+KQsxfS42T3OA3+KQsxfS45W

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 14 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • System policy modification 1 TTPs 4 IoCs
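
The signatures above are almost all registry writes (Winlogon shell/userinit, Explorer visibility flags, DisableRegistryTools, DisableSR, the exefile open command, Run keys). The following is an added example, not tooling from tria.ge or code from the sample: it parses a `reg export` text and maps what it finds back to those signature names, so the same checks can be run on a host that is suspected of having executed this file. The report does not publish the values the sample wrote, so the embedded `.reg` text is constructed to trigger each check (the file names reuse the drop locations from the process tree); the signature labels and the registry paths are real, everything in `SAMPLE_REG` is invented.

```python
"""Audit a registry export for the persistence and policy changes the signatures describe."""
import re

# Constructed .reg export used as stand-alone input (NOT the sample's real values).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, C:\\Windows\\xk.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Users\\Admin\\AppData\\Local\\winlogon.exe\" \"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Shell"="C:\\Users\\Admin\\AppData\\Local\\winlogon.exe"
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"
'''

_KEY = re.compile(r'^\[(.+)\]$')
_VAL = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key: {value_name: value}}; keys and names lower-cased, '' is the default value."""
    tree, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := _KEY.match(line):
            key = m.group(1).lower()
            tree.setdefault(key, {})
            continue
        if key is None or not (m := _VAL.match(line)):
            continue
        name = '' if m.group(1) == '@' else _unescape(m.group(1)[1:-1]).lower()
        raw = m.group(2)
        if raw.startswith('dword:'):
            tree[key][name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            tree[key][name] = _unescape(raw[1:-1])
        else:
            tree[key][name] = raw  # hex(...) blobs etc. are kept verbatim
    return tree


WINLOGON = r'hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon'
ADVANCED = r'hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced'
POL_SYS = r'hkey_current_user\software\microsoft\windows\currentversion\policies\system'
SYS_RES = r'hkey_local_machine\software\policies\microsoft\windows nt\systemrestore'
EXEFILE = r'hkey_classes_root\exefile\shell\open\command'
RUN_KEYS = (r'hkey_current_user\software\microsoft\windows\currentversion\run',
            r'hkey_local_machine\software\microsoft\windows\currentversion\run')
USER_WRITABLE = ('\\users\\', '\\appdata\\', '\\temp\\', '\\programdata\\')


def audit(tree):
    """Map registry state onto the sandbox signature names; returns [(signature, detail), ...]."""
    get = lambda key, name, default=None: tree.get(key, {}).get(name, default)
    hits = []
    # Winlogon: Shell must be exactly explorer.exe; Userinit the system userinit.exe (trailing comma is normal).
    shell = get(WINLOGON, 'shell', 'explorer.exe')
    if shell.strip().lower() != 'explorer.exe':
        hits.append(('Modifies WinLogon for persistence', f'Shell={shell!r}'))
    userinit = get(WINLOGON, 'userinit', '')
    if userinit and userinit.strip().lower().rstrip(',') != r'c:\windows\system32\userinit.exe':
        hits.append(('Modifies WinLogon for persistence', f'Userinit={userinit!r}'))
    # Explorer visibility flags are also the Windows defaults: weak signals on their own,
    # meaningful only next to the persistence and policy hits below.
    if get(ADVANCED, 'hidefileext') == 1:
        hits.append(('Modifies visibility of file extensions in Explorer', 'HideFileExt=1'))
    if get(ADVANCED, 'hidden') == 2 or get(ADVANCED, 'showsuperhidden') == 0:
        hits.append(('Modifies visibility of hidden/system files in Explorer',
                     f"Hidden={get(ADVANCED, 'hidden')} ShowSuperHidden={get(ADVANCED, 'showsuperhidden')}"))
    if get(POL_SYS, 'disableregistrytools', 0):
        hits.append(('Disables RegEdit via registry modification', 'DisableRegistryTools=1'))
    if get(SYS_RES, 'disablesr', 0):
        hits.append(('Disables use of System Restore points', 'DisableSR=1'))
    # exefile hijack: anything but the stock '"%1" %*' runs ahead of every .exe launched by the shell.
    cmd = get(EXEFILE, '', '"%1" %*')
    if cmd.strip() != '"%1" %*':
        hits.append(('Modifies system executable filetype association', f'exefile command={cmd!r}'))
    for key in RUN_KEYS:
        for name, target in tree.get(key, {}).items():
            if any(tok in str(target).lower() for tok in USER_WRITABLE):
                hits.append(('Adds Run key to start application', f'{name}={target!r}'))
    return hits


if __name__ == '__main__':
    for sig, detail in audit(parse_reg(SAMPLE_REG)):
        print(f'[{sig}] {detail}')
```

On a live host, export the five keys with `reg export` and concatenate the files before passing them to `parse_reg`; the exefile check is the one to act on first, because a hijacked `exefile\shell\open\command` re-launches the payload every time any executable is opened, which also explains why the "Executes dropped EXE" count in this report is so high.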

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
    "C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2840
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3924
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4756
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4196
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4864
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3352
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2768
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3100
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4036
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:536
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1080
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2392
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3780
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2760
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4024

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    91KB

    MD5

    1cf48007aad3603d663b61ed3f054f2d

    SHA1

    ba815bd7bb654a0c61e17dca799894bdf2fdfe51

    SHA256

    f31e9d581fef9b19350f4928bce33711a181639dcf4a02225d0b7855360a7a7a

    SHA512

    6772d9aab5a95e82dae6e26d4f2bc2380f938fea1eb971ea2dbeceb5ae05d9465d58199e2d066fed3213cb30c266649db84b197ab124206a683c1999b77047e2

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    91KB

    MD5

    9acd8d94d61cf6fb2e38ef84657b9596

    SHA1

    a0742558055658a700a446ef37e4f39643c1caf9

    SHA256

    204d060ec8c0eecb27f54728559d1e9c571cb0607d4a0b3a5da0385697bcf8ed

    SHA512

    a0feed0c244dc1f29404ac013cfc084ad6862fb8e8c1e308050cb852e3a977ef4ffbe4dc6f298811e3d2bf5fc608f59768b636c7fbcc860e9d110e9e2fd9c14c

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    91KB

    MD5

    0722baa786d5beecac91e62503e57161

    SHA1

    2406054c7ed57769fffb6b023ff835cf8e2c5bcd

    SHA256

    9f8f52ade7e053020b1728c6a25b3c35583b88fad430b3499f06e240fe516e8d

    SHA512

    65c5e9a7a5a6a8a87f7a89ba84ad0203dc3f388f73679d2ed9439a6adf51a13a645d31971df3e58b9de30421554ba1ed40bdeb1c7c3119e5e44b14c32c9e9ece

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    91KB

    MD5

    cb7096fc7a738270bb6232148d6dfb90

    SHA1

    d6014dd50a67d30efb678763f44d46d03a5c8713

    SHA256

    d0bbfa9f927e0c04c1aa1505150e71c3e64c2b108957967cdd14df98bba93cdc

    SHA512

    e9b720765cf162a91d7fb4b5492cb351190afa1581939c4cc656946d0426791101d6c4138f37142f022f85bfb73b5b4294d9c41304b17848edbf4f39a510f985

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    91KB

    MD5

    4956789ec6d9a856f6c43f04549fb2cb

    SHA1

    66dde89760c78f535de20b88abf6ba291504d999

    SHA256

    e59b0e8d975d6c2d50e7899bf33d8b1995cd36714bb17a7b7dcab010836831ac

    SHA512

    0f0a84f65290236e64b0730c211f79922bafe803556b3ae3a1e3d31544735577e2d9abe507f06948fc0f73832aa54988969b5f5f0046c46f308c58700f8bbf6c

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    91KB

    MD5

    bced9a829bb680355786ac6ca02386d9

    SHA1

    c6b210f436e1e86740a98d446dbfccc3d84b484e

    SHA256

    9868954b4b8dde34d13565ff3f974d94896626f6c771733e67bfe7f2eaec50dd

    SHA512

    4b703ac89456028b22a178a8673e4acdd585d617027c5231178f841169f895e1341cc3e511f206bb7941e82b15bfd74216c75e28d50460a03a0e707844b2c503

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    91KB

    MD5

    a00dfd4e68e05b5a92ee823f32b6f64a

    SHA1

    c2381ce4be9b40f955068daecab784fd952bed55

    SHA256

    bc46f5342c58f4116cc31f5cb7deeda5e0f453bacc5df4e8f77ead392a635975

    SHA512

    c73ca7fdf453e209d36bb9df123d5be7e8c919da9dc1b95960444069066db7461de9fa94806f481d14e37a7a53e9f3dee2d622d0feeef9768c2bbb5b74422829

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    91KB

    MD5

    fb86919120183fe4c8288032db5cfe66

    SHA1

    d463d926c42b3a4aec6352d3612d021dfaa23bc4

    SHA256

    eec6303d5a835053dbaa7583d08f152ba3de1041e7d933101422676eef75f22a

    SHA512

    8df9339573f14669a5617dc24f9691a7e756f16f010f31e6f735cb5cab9e0d8ca003fe77305014d258079db7f5952d5cae4534a216737639f4881ab1eb15e6b1

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    91KB

    MD5

    0e5817d0795284c455c76f25df817392

    SHA1

    b05e09a68085a4a1cd79d777da7f120b9fc39cb3

    SHA256

    6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf

    SHA512

    0106bba2aacc769989f505cdc3e2bcaec1a9f8b30de3cb623207f3ae7d1255d6e3a6a693c4155b262cf510ad795c4cc1ed40989cb10ea80c2447729154029baa

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    91KB

    MD5

    b78047daeb9c0b13e78b55cf11972626

    SHA1

    3c669e472fa1ab028f2e920d869a6d10a8dd1e73

    SHA256

    179aac65216f930886850ff105dc2e144d695b5fb9509cb0ed622ab045296810

    SHA512

    89603507373e47769724004e6d1679282397df9112fcbf6bde5c815be6abe044bb85696a0922d109dee6f55c9b5e369c05ddc206022e54d026404783a1928fb2

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    91KB

    MD5

    88c5986e991f02b9c46cd5ddfa3dd254

    SHA1

    a30aba09a07d249ff9df2fa0d7ea73d4fab26e70

    SHA256

    0914a6c20aa6f74c146925ac4347da26c346678e23f0de06fcd4e8f33d376062

    SHA512

    bf9d60318def65d8db736df262d929f265e2e865c0f0be24b951d81392b9158494a4884dc1fc6c4ce8a3000eb6527ba3688b209f66fe047b5c49a2390c19cd3b

  • C:\Windows\xk.exe

    Filesize

    91KB

    MD5

    30124627eb25d19170b4e23873c86f14

    SHA1

    d61e6ea2809984735ae9c411bc6273fddd2f97dd

    SHA256

    98cf5cb7999c7459dbc9d304680c454c6c625abebca94c0440f64dc60eb75cc7

    SHA512

    927f337f33e422ff5133d935c6f68fa236539c7c84682bb9b3b7733f5410b9e97ea6301e7c03c6f9a5644d16d850a669e27839a9f18a98add1f7f193abfd6a51

  • C:\Windows\xk.exe

    Filesize

    91KB

    MD5

    866c63b0d15281a57633aded8c94135a

    SHA1

    a53109c802dc2bf4335c141c12d7d6b09aba0daa

    SHA256

    0d1b7d0461da4f8107387e644e3c46667da9fdbeb3d34416bd9dabf5afeeea7d

    SHA512

    fa9708d1f6ef3b7a27f2c5428e7f5358fd403ca02605202381557c5c8de544e1e2942c48981afd7fdb80b935b7ac69f2b5e1324246ee3c7cb7951e2c6b89db4e

  • memory/536-235-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/536-231-0x00000000001E0000-0x00000000001E4000-memory.dmp

    Filesize

    16KB

  • memory/536-229-0x0000000075390000-0x00000000754ED000-memory.dmp

    Filesize

    1.4MB

  • memory/1080-241-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/1080-237-0x0000000075390000-0x00000000754ED000-memory.dmp

    Filesize

    1.4MB

  • memory/2392-250-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2392-246-0x0000000075390000-0x00000000754ED000-memory.dmp

    Filesize

    1.4MB

  • memory/2392-245-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2760-288-0x0000000075390000-0x00000000754ED000-memory.dmp

    Filesize

    1.4MB

  • memory/2760-287-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2768-205-0x0000000075390000-0x00000000754ED000-memory.dmp

    Filesize

    1.4MB

  • memory/2768-207-0x0000000000020000-0x0000000000024000-memory.dmp

    Filesize

    16KB

  • memory/2768-212-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2840-145-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2840-300-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2840-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

    Filesize

    16KB

  • memory/2840-5-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2840-3-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2840-284-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2840-2-0x0000000075390000-0x00000000754ED000-memory.dmp

    Filesize

    1.4MB

  • memory/2840-0-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2840-140-0x00000000001C0000-0x00000000001C4000-memory.dmp

    Filesize

    16KB

  • memory/3100-214-0x0000000000020000-0x0000000000024000-memory.dmp

    Filesize

    16KB

  • memory/3100-213-0x0000000075390000-0x00000000754ED000-memory.dmp

    Filesize

    1.4MB

  • memory/3100-218-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/3352-161-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/3352-152-0x00000000001E0000-0x00000000001E4000-memory.dmp

    Filesize

    16KB

  • memory/3352-153-0x0000000075390000-0x00000000754ED000-memory.dmp

    Filesize

    1.4MB

  • memory/3780-265-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/3780-254-0x0000000075390000-0x00000000754ED000-memory.dmp

    Filesize

    1.4MB

  • memory/3924-112-0x00000000001C0000-0x00000000001C4000-memory.dmp

    Filesize

    16KB

  • memory/3924-119-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/3924-113-0x0000000075390000-0x00000000754ED000-memory.dmp

    Filesize

    1.4MB

  • memory/4024-299-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/4024-294-0x00000000001E0000-0x00000000001E4000-memory.dmp

    Filesize

    16KB

  • memory/4024-295-0x0000000075390000-0x00000000754ED000-memory.dmp

    Filesize

    1.4MB

  • memory/4036-226-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/4036-221-0x0000000075390000-0x00000000754ED000-memory.dmp

    Filesize

    1.4MB

  • memory/4036-223-0x0000000000020000-0x0000000000024000-memory.dmp

    Filesize

    16KB

  • memory/4196-136-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/4196-132-0x0000000075390000-0x00000000754ED000-memory.dmp

    Filesize

    1.4MB

  • memory/4196-131-0x00000000001C0000-0x00000000001C4000-memory.dmp

    Filesize

    16KB

  • memory/4756-121-0x0000000075390000-0x00000000754ED000-memory.dmp

    Filesize

    1.4MB

  • memory/4756-122-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/4756-124-0x00000000001C0000-0x00000000001C4000-memory.dmp

    Filesize

    16KB

  • memory/4756-127-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/4864-141-0x0000000075390000-0x00000000754ED000-memory.dmp

    Filesize

    1.4MB

  • memory/4864-142-0x00000000001E0000-0x00000000001E4000-memory.dmp

    Filesize

    16KB

  • memory/4864-147-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/4864-148-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB
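
Two things in the Downloads list are easy to miss when the hashes are lifted straight into a blocklist: `C:\Users\Admin\AppData\Local\winlogon.exe` carries the same SHA256 as the submitted file (a plain self-copy), while every other drop location appears with two different hashes for files of identical size, so a hash-only indicator will not match the next copy. The paths in the Processes section also use the legacy `Local Settings\Application Data` junction and the `system32` command line that WoW64 redirected to `SysWOW64`, so they do not string-match the Downloads paths. The script below is an added example, not tria.ge tooling: it normalises both path forms, joins the two sections, and reduces the listing to a hunt set. The hashes and paths are copied from this report; the only assumptions are the two Windows path aliases named in `normalize_path`.

```python
"""Join the dropped-file listing with the process tree and reduce it to a hunt set."""
from collections import defaultdict

PARENT_SHA256 = '6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf'

# (path, sha256) pairs copied from the Downloads section; every entry there is 91KB.
DROPPED = [
    (r'C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE', 'f31e9d581fef9b19350f4928bce33711a181639dcf4a02225d0b7855360a7a7a'),
    (r'C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE', '204d060ec8c0eecb27f54728559d1e9c571cb0607d4a0b3a5da0385697bcf8ed'),
    (r'C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE', '9f8f52ade7e053020b1728c6a25b3c35583b88fad430b3499f06e240fe516e8d'),
    (r'C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE', 'd0bbfa9f927e0c04c1aa1505150e71c3e64c2b108957967cdd14df98bba93cdc'),
    (r'C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE', 'e59b0e8d975d6c2d50e7899bf33d8b1995cd36714bb17a7b7dcab010836831ac'),
    (r'C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE', '9868954b4b8dde34d13565ff3f974d94896626f6c771733e67bfe7f2eaec50dd'),
    (r'C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE', 'bc46f5342c58f4116cc31f5cb7deeda5e0f453bacc5df4e8f77ead392a635975'),
    (r'C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE', 'eec6303d5a835053dbaa7583d08f152ba3de1041e7d933101422676eef75f22a'),
    (r'C:\Users\Admin\AppData\Local\winlogon.exe', '6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf'),
    (r'C:\Windows\SysWOW64\IExplorer.exe', '179aac65216f930886850ff105dc2e144d695b5fb9509cb0ed622ab045296810'),
    (r'C:\Windows\SysWOW64\IExplorer.exe', '0914a6c20aa6f74c146925ac4347da26c346678e23f0de06fcd4e8f33d376062'),
    (r'C:\Windows\xk.exe', '98cf5cb7999c7459dbc9d304680c454c6c625abebca94c0440f64dc60eb75cc7'),
    (r'C:\Windows\xk.exe', '0d1b7d0461da4f8107387e644e3c46667da9fdbeb3d34416bd9dabf5afeeea7d'),
]

# Child-process command lines copied from the Processes section (duplicates dropped).
PROCESS_TREE = [
    r'C:\Windows\xk.exe',
    r'C:\Windows\system32\IExplorer.exe',
    r'"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"',
    r'"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"',
    r'"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"',
    r'"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"',
    r'"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"',
]


def normalize_path(p):
    """Lower-case canonical path so the two report sections compare equal.

    Assumed aliases: 'Local Settings\\Application Data' is the legacy junction to
    AppData\\Local, and a command line under C:\\Windows\\system32 is redirected to
    SysWOW64 for a 32-bit process (the tree records exactly that for IExplorer.exe).
    """
    p = p.strip().strip('"').lower()
    p = p.replace('\\local settings\\application data\\', '\\appdata\\local\\')
    prefix = 'c:\\windows\\system32\\'
    if p.startswith(prefix):
        p = 'c:\\windows\\syswow64\\' + p[len(prefix):]
    return p


def triage(dropped, parent_sha256, process_tree):
    """Group drops by canonical path and derive the indicators worth hunting on."""
    by_path = defaultdict(set)
    for path, sha in dropped:
        by_path[normalize_path(path)].add(sha.lower())
    executed = {normalize_path(cmd) for cmd in process_tree}
    return {
        # same bytes as the submitted sample: the parent hash alone finds these
        'self_copies': sorted(p for p, s in by_path.items() if parent_sha256.lower() in s),
        # one path, several hashes: each write differs, so hunt on the path, not the hash
        'multi_hash_paths': sorted(p for p, s in by_path.items() if len(s) > 1),
        # dropped files that also show up as processes, i.e. the copies that actually ran
        'executed_drops': sorted(p for p in by_path if p in executed),
        'unique_sha256': sorted(set().union(*by_path.values())),
    }


if __name__ == '__main__':
    for name, items in triage(DROPPED, PARENT_SHA256, PROCESS_TREE).items():
        print(f'{name} ({len(items)})')
        for item in items:
            print('   ', item)
```

Five of the eight drop locations come back in `multi_hash_paths`, so the durable indicators from this run are the file names and locations (system-process names under `AppData\Local\WINDOWS\`, `xk.exe` in the Windows root, `IExplorer.exe` in `SysWOW64`) rather than the thirteen hashes; the one drop that is not in `executed_drops`, `AppData\Local\winlogon.exe`, is the self-copy the registry changes point at.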