Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/05/2024, 01:16

General

  • Target

    a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe

  • Size

    91KB

  • MD5

    5b55d07ee1a06e0e149f7a12031ea5e1

  • SHA1

    dca66ca8c269ea9ca355d6e0b3f3d1925db63faa

  • SHA256

    a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05

  • SHA512

    83491e7ed10c4125e9d9ff34abef77726d23e6e6166309b16224528c6f859dff936fa27d538859a99f6009bbc634855f1c1a570893c1d974f5d7341f3e6af60e

  • SSDEEP

    1536:XRsjdLaslqdBXvTUL0Hnouy8VjERsjdLaslqdBXvTUL0Hnouy8VjYf:XOJKqsout9EOJKqsout9Yf

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UPX dump on OEP (original entry point) 18 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
    "C:\Users\Admin\AppData\Local\Temp\a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4788
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3448
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1360
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1944
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1540
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1924
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4164
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3476

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    91KB

    MD5

    c4029c3893480b4aa11467642db6723e

    SHA1

    adfa7cfee6494a9d97850a431c8dc55b4074ef67

    SHA256

    99d233a22fbe2ae7f45b5d2904922af6be1503224c52ba5d12ede540ddb28c39

    SHA512

    e12cd0c678e7256b482b63d1c050357ba3cc54e7ac644624469e1b3f509529e5636af83233e9a24f1abcaf193e7cfb66dedb6ed2c0861fdde98fac893e62a082

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    91KB

    MD5

    2a1c0159f96b5f73c56a703c1109de37

    SHA1

    920e3fff390011abc071eb2904203eca3b975014

    SHA256

    1ca91df3391a2b22c30c46ee28019caa41a9948550d1a1de4eb3739814c188bd

    SHA512

    d328de1c5b95d326a94c39c8bd42d0e3dea51c4a3024acb0480adee8d3ad8e6e75f51e103c75222cd82aa20d784697bfa30978594e683cdc40a21c44111a2b6d

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    91KB

    MD5

    735a901e56a1cf6b918bc4a283f7c455

    SHA1

    6f3d1a208f6ea1db51ad619929b2dca685a01d41

    SHA256

    affaacbe9e107e17993525d7b22292ddf320c5494edeb484027a25a8256b32e4

    SHA512

    93ddd7d02ce0346a0bb48fb94a6f3fdc78f8def1439303e6a126dbd2d2849370311eb7fa1916be73f7f3bc653746705cb65db2c8a97dfe487ace24f66a18e5e0

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    91KB

    MD5

    bc28d6c3bd89c143f5e1dcc3aa62979d

    SHA1

    7855f7ad4dc9e39b6fcb92611d96821024c78251

    SHA256

    1233bb423b797e084aef66f55d3e9e50eb70b2906005f45780c95a629b89a6ff

    SHA512

    6a5a1a6c5c6d3600f8bc2aa834fa699baec92ae941b8c06cdd82110b7b6c642434b06d061f738f43f9913e296989c17af6ad2b508a345a788a669182e2ddc403

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    91KB

    MD5

    5b55d07ee1a06e0e149f7a12031ea5e1

    SHA1

    dca66ca8c269ea9ca355d6e0b3f3d1925db63faa

    SHA256

    a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05

    SHA512

    83491e7ed10c4125e9d9ff34abef77726d23e6e6166309b16224528c6f859dff936fa27d538859a99f6009bbc634855f1c1a570893c1d974f5d7341f3e6af60e

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

    Filesize

    91KB

    MD5

    62b4d1d34b3f921aa4bcc21436e247ae

    SHA1

    b0c7a814e0d4c212c561b28a4baeb19ff0bc1f76

    SHA256

    9e8bb41d115dee6d523ba86e1a7aa32542943eea3e15385b83b38c5a3bda001d

    SHA512

    a33390b8a18d7fc90761a1068967d5313f314a3116da08e08d76360f450e754c1867ad1d9d1ff396826505314e900907a7a6816c89f621289dde08076f1d3faa

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    91KB

    MD5

    ef36fe07c26e00085e5dcfc7abc21df4

    SHA1

    e3e89c20f97aa3c1a97ffb0a71175b50a145ea9d

    SHA256

    9c5219d62156f20c95a62c836b29ce4f2baa20c1d2c152d22a368cb0135e389e

    SHA512

    7e0a8f0a8f44de2006f5b183ec162b61fdae6ad3319327c328abea77043b994f3e2d7b9977772254d7fa8d2fa90afeba0874d7ef7597a6d55ac8d22d703c1988

  • C:\Windows\xk.exe

    Filesize

    91KB

    MD5

    0bbcbb462746041026df8d055d7f0a69

    SHA1

    013e699cd6d1470b7a19935cd17b6c8d366832db

    SHA256

    4e3740ee80763ed9c64149c5519dbe0669740638c57fb2b241243ce8d679191a

    SHA512

    6675d6f7a229f1acca959db9215f3ef6944f0c28b44e400d39203d99a797bbf040a01c9ca838fdff02f0e8385fc3a40482764d41852456a53329d6cd450d3c53

  • memory/1360-121-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1540-134-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1924-139-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1944-126-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3448-114-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3448-108-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3476-153-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4164-146-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4788-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4788-154-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB