Analysis

  • max time kernel: 142s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240412-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 23/04/2024, 02:40

General

  • Target: b27016a1e75e9fa704b08ccb15a6c021bd8e456583c9967bb584d887b315eb70.exe
  • Size: 45KB
  • MD5: f4dc5ff155bea6cac06d9bd22afcd892
  • SHA1: 65de87ea390aff2005c44c664dd6ad401af0b798
  • SHA256: b27016a1e75e9fa704b08ccb15a6c021bd8e456583c9967bb584d887b315eb70
  • SHA512: 49a948dab7767a7df7f825bf16c965fcc9739d71fe70f04f97484511e9e59e9d83f7d1af3075ca8de7ff94ce8e80f478c7375e52e9c4c18f0aa473c1c7be88eb
  • SSDEEP: 768:xmFQj8rM9whcqet8Wfxd9Mmnfa+TAOBJgZiPGyilSniJO14ktp7DFK+5nEn1:zAwEmBZ04faWmtN4nic+6G1

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Detects executables built or packed with MPress PE compressor 18 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b27016a1e75e9fa704b08ccb15a6c021bd8e456583c9967bb584d887b315eb70.exe
    "C:\Users\Admin\AppData\Local\Temp\b27016a1e75e9fa704b08ccb15a6c021bd8e456583c9967bb584d887b315eb70.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3016
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:5088
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4696
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3980
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3548
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3036
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2300
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3704

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize: 45KB
    MD5: 2276cf79391b64a479b32df415708903
    SHA1: 7d164eff317428059849efb7b96722f761065f8c
    SHA256: a1a1ecf164cf07c48d0caada8ac945a64fd4f477ddd93749110c87b691659eb2
    SHA512: 59653bf9adaa4a45fbd41bfa9ad91a1198be460c05d2cc3b24328bd8d128dc4d2bc6310f3d8f8caee199d76db392c71964573c1ad6824558f1c2e4dd339ccba8

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize: 45KB
    MD5: 0a57fd798aefa28307473c2e69cf3af7
    SHA1: 185fb3f56e499d882a204737c237e39b16113d53
    SHA256: 252e370b58ddb6c708dabe39fe3421c4cedc5fd3be0d341503f6c8a2e1128676
    SHA512: be81c2faec6acfca151a453f0d8796868aac1ed48136e60844749ee2b7c7e9d0d2939561dce6ee0bb7b88dfec498cb7421c8cf76e3279a411abf4f14e6f0e538

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize: 45KB
    MD5: 03ca636befce04afab8ce2ad10379769
    SHA1: 7d3695f49c6a99e9b51dbd8e268a4c871e40f9ca
    SHA256: 9e32fd51858e2185917c8ea7df3a8c18be4f09cbd8fb422a7d5e807d007bb4a0
    SHA512: b49112f3020fd8bdc8dfb70d97211d849802c1fad2a06c515fdcfb25adbac3cd849d2d642d970ed8b816370c1d1c62eba2375f12bc8f7a503ff75eef8bed1589

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize: 45KB
    MD5: 07234c50caf5114528ecdb532964b94a
    SHA1: 3cf1d840bdf7413a847a4c034a184bcf8fa8062f
    SHA256: d15faa22f0f32a45b166b664c1847ae202997efdebb437c8e6edd2bb114377b0
    SHA512: 633a9db707fbeff32d26c4c7a498d978842b847016522b12cc0fcae070d6e693eaaa4f9d7e4ebdf268b5ec99503ec1f3a2d73f810e2f1d89cded7e5b5abc13eb

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize: 45KB
    MD5: f4dc5ff155bea6cac06d9bd22afcd892
    SHA1: 65de87ea390aff2005c44c664dd6ad401af0b798
    SHA256: b27016a1e75e9fa704b08ccb15a6c021bd8e456583c9967bb584d887b315eb70
    SHA512: 49a948dab7767a7df7f825bf16c965fcc9739d71fe70f04f97484511e9e59e9d83f7d1af3075ca8de7ff94ce8e80f478c7375e52e9c4c18f0aa473c1c7be88eb

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    Filesize: 45KB
    MD5: 8993bf2ae7b4465522966748fea68291
    SHA1: 07d6f2d1755488acbba383fb0ae552327b3a034f
    SHA256: d3ecb9b9cb6385519d045eb488b9418a4a7a0e17c2b4501101b6fbe56e5cbd6c
    SHA512: 7b628c34b1fe1d60e5c86c3c0b64d5074fc78e66c11ee08b7a55c36e24264b8608ecc25e749fa925532fd4e74e00a95a97415f08921078f3fcc78ed42bb5fadc

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize: 45KB
    MD5: 968179a50aa513cffc580793d3b4c93d
    SHA1: 8a20d703eab5b81dedbff70601c3dc7c8b4b76d5
    SHA256: 6f9ba0a79bd08467600c4b22df103e6c4a5b784845dd643030cb931ec8f82cc5
    SHA512: 96f691ddcfc4f17eaf8c40a40f543b98b524f9571fcb11fa0016552bea81a7aa4d0b224b54e54c99f040b134e9036a47e373fac1105e4ee1b93b97edb390b375

  • C:\Windows\xk.exe
    Filesize: 45KB
    MD5: aed35e0930464549215b196fa8b7b5f4
    SHA1: 93f8380124316be7db5a9d27b12f8b52ccfd342f
    SHA256: 4c1943e91018beeeaa834036bec958861463365546e853e7a8a00a15291a1978
    SHA512: 4ad863d1aebe200d342b3f57fd3db3d658cea847910ac4f9d1a90d165b7dac0e8144f22bf73ddc04f49fae72e023a96f562f30de186016c71b30b5b3c328ea2f

  • memory/2300-143-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
  • memory/3016-148-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
  • memory/3016-0-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
  • memory/3036-135-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
  • memory/3548-129-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
  • memory/3704-147-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
  • memory/3980-123-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
  • memory/3980-120-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
  • memory/4696-116-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
  • memory/5088-110-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)