Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/05/2024, 00:44

General

  • Target

    86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe

  • Size

    91KB

  • MD5

    352087d465f180e096eb49568346e072

  • SHA1

    b74f05f94bf291ba6a9735798e0d6bffa766979a

  • SHA256

    86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c

  • SHA512

    600eafacf6651e6aa9713284ac092e74037e88b0249ea7925e27a9e2a51b2d3ed8d74d8ee4ad276230fac5b6c9902bf7a0433b7191e2844a0a150af55de8bb07

  • SSDEEP

    1536:ERsjdf1aM67v32Z9x5nouy8VTyRsjdf1aM67v32Z9x5nouy8VTQ:EOaHv3YpoutNyOaHv3YpoutNQ

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UPX dump on OEP (original entry point) 21 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • UPX packed file 21 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
    "C:\Users\Admin\AppData\Local\Temp\86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2164
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2008
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2812
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1068
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2488
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1908
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2416
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2208

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    91KB

    MD5

    352087d465f180e096eb49568346e072

    SHA1

    b74f05f94bf291ba6a9735798e0d6bffa766979a

    SHA256

    86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c

    SHA512

    600eafacf6651e6aa9713284ac092e74037e88b0249ea7925e27a9e2a51b2d3ed8d74d8ee4ad276230fac5b6c9902bf7a0433b7191e2844a0a150af55de8bb07

  • C:\Windows\xk.exe

    Filesize

    91KB

    MD5

    f25ae988a8062f1ee3dc9d444bc8f281

    SHA1

    012a00df03c73a71d524b4bb9590c937fe961c5e

    SHA256

    d14a606bce56bd72820ef9d76ea91ba26a547566062cb535e879512d786a532c

    SHA512

    5a37b23d32e4020e3d56b0315e72d8f530cc2430d504ce8bf85b66d27092786da002d714f8b6223001ced2862b31d2b8e5dfa9a61281044073375677a6df6369

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    91KB

    MD5

    48d89c59971e19da58976a3906b39571

    SHA1

    f59191f71d57e05890490ea7f5485748b1b289c8

    SHA256

    2414f17c240d84a0484c48c1504b9be302683a833e7aa1fffd04737ff26bf382

    SHA512

    628c5f61103d857680bd8d72d32ffe8d25c9161939185451722d3b1abb63f89e531e38454cbf36a39333252361c5b52cd89b708fe2fd9aa64eda4042eccb35d0

  • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    91KB

    MD5

    2ead3d43cb6141571cf9acc8e15b92fd

    SHA1

    d7f839d7bd697c0805ac695e5265f43e14241f43

    SHA256

    1a2ccc51d134d2d53055e7f441af5cecc78a52ce7a7688e7668e11745aa0785d

    SHA512

    3c2993818569c250bedd749d0b595d024960b029c91f50497a8f93d706b34c07cec38cbcbb8b918f2acbce00a512afa52944b8adbc22deb87ba5cec55c5a9b79

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    91KB

    MD5

    7c36e6bc68c189c3e553122cd4464f2c

    SHA1

    a6718be04fe9ef717ad3e3cd825620bd9475e2f4

    SHA256

    ba10afd0da2ed661952328d0c68befe6cb3d089e1dd12860fe323ae971118f1e

    SHA512

    a1a5aa8386ad4fd523099e296e5cef31871289a0183eccaed3bb8ceb0f5fa694b857020b4aa7ba1d226c941d6078bf21fdaa7d1d5d7bfd577b32a05ee1a9963d

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    91KB

    MD5

    09ba661c996dfbd18205e8568053006e

    SHA1

    a2e45b83c4b397602c5b4b8c1710e04447c157df

    SHA256

    8d38d8bf64815baa80e16eaf577c49428a6d31d951c0a065f62e00b7ddf8db24

    SHA512

    49e4614013d5e8d898073938281207a4502773d4c00963e806827643c1dec74dc5c04239c64e42f2c4c32f582b0143f5ca8fe95d5d80f1aadbf93466998a972b

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    91KB

    MD5

    97aa1842c48b8e0ae5e67485024d8dba

    SHA1

    a99cbddb77300aab4fc5d25f4ffa7e96aedd75b3

    SHA256

    5ed957ff4e3cb0a01b84b74735aad64e8040b01596b144976ebadb82333c83eb

    SHA512

    04ee3e1e984b7aeddf50972166da5803236bcbc65ce5c66891644d438905cdcac0546d9ad448a38dae7f613e20ee30dab7978cf0e0186903405cf1066d55dce8

  • \Windows\SysWOW64\IExplorer.exe

    Filesize

    91KB

    MD5

    49134d9823dee95a68d5f5c049e3e5a0

    SHA1

    ba07151d5ba7a1e771be9c9aef2142ed82d6d14b

    SHA256

    cdfcba625b384ce1e1191844e3f75a48f03c46bef3d9b62bd31b9d0202641c89

    SHA512

    59974ce9a6fafd24789dea42e916cd0f7f4be06732b43fe6bba96fa4fd4911100a2efc0c11f445dbe4141e356f716990ff8c3043545bd4f83fb37854334f61bf

  • memory/1068-138-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1908-162-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2008-112-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2008-117-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2164-159-0x0000000002880000-0x00000000028AF000-memory.dmp

    Filesize

    188KB

  • memory/2164-111-0x0000000002880000-0x00000000028AF000-memory.dmp

    Filesize

    188KB

  • memory/2164-110-0x0000000002880000-0x00000000028AF000-memory.dmp

    Filesize

    188KB

  • memory/2164-188-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2164-118-0x0000000002880000-0x00000000028AF000-memory.dmp

    Filesize

    188KB

  • memory/2164-158-0x0000000002880000-0x00000000028AF000-memory.dmp

    Filesize

    188KB

  • memory/2164-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2164-171-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2164-165-0x0000000002880000-0x00000000028AF000-memory.dmp

    Filesize

    188KB

  • memory/2208-187-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2416-177-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2488-146-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2488-152-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2812-127-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB