Analysis

  • max time kernel
    51s
  • max time network
    57s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/06/2024, 18:38

General

  • Target

    0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe

  • Size

    91KB

  • MD5

    1ad06c84941d002251f4909077d551b2

  • SHA1

    bd6619b20b250923df604387847a47192550d123

  • SHA256

    0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d

  • SHA512

    76df341dd0a83c36c3453b33db54cc88f14ae7a58876c7a63caccfa14df2182ac65522cf8d9d8687cb69dbfa8911edeb7c4a7aac06c98e0f702e4c933ce3c33e

  • SSDEEP

    1536:zAwEmBZ04faWmtN4nic+6GEAwEmBZ04faWmtN4nic+6Gf:zGms4Eton0EGms4Eton0f

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Detects executables built or packed with MPress PE compressor 20 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
    "C:\Users\Admin\AppData\Local\Temp\0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3964
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1440
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4828
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4832
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1448
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2704
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4152
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:432

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    91KB

    MD5

    6798ab28ba2035849f6649885461260d

    SHA1

    2ca61c2187ace14fc85bc20d6e3d89f78f5606a7

    SHA256

    b0f3bb887c7b39b50ed7e4548b0aba60509efc685c6caefd1ca23c8ae59cf9a2

    SHA512

    e2cc2e93cb0e8068f07fd90e0842900774b052108aaaf7ff71352b8bd2c211bb98bb3916053f38d9aa37ade34ba8d2bb6b9e30bff344b58aa2a21573228081ce

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    91KB

    MD5

    81ffc85326614092e09728a1905625b8

    SHA1

    57cab3d46d0590f0c1f8cf669636a939109c6843

    SHA256

    6b9ed752798bc080a86eb7701f7da2d206ab3d0cccbc84704d376a6d7c43ce87

    SHA512

    e6026b531de49d989fd64a68154831b2b2e0f34ebdc7dde6215d235898864b15a19d32c2641e5c7f945b391d4d7aa1a3098320afea07e41c338ce5178ce8fd64

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    91KB

    MD5

    c3df5a7a335a9998fdbf405532f56316

    SHA1

    1fbe80a3514fced0d1f7c0c24556e897b3eaa0a5

    SHA256

    f1eb28af3f6c54ab0954f5c8bff2e0f5cbc3eff6fa0b5d78adc9ea2f1304f585

    SHA512

    aebf8f8f4cbdaebb4f5a3686236c964dfaef503610061e4b4a52d1c3a77ddbb0b9be76defb5ec254d7bbd9e8b7019d9527c28e9cc741642f828bab3e46594234

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    91KB

    MD5

    0bf6c4224eaa03b49e59dbbb7dff8874

    SHA1

    7804993abeb09a925b3af7f43a58c3e430715174

    SHA256

    f3b9db1cfa892329a1de1be471f8f718795f19d7cd75358a18739c99139bf156

    SHA512

    be1005c690aa1c303ae0387f1580f8952d1c84172130fd6d1b305a10e98017e5ec62b8b92e4a6c2b6df45b4d784e327137ed2c0622d08bc26389dee3392634d4

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    91KB

    MD5

    455cd2411511b79730b7ece78fac2fcb

    SHA1

    83ec2dc1704d86ddb4abe4de4df1b03863ddae4f

    SHA256

    056079197b183257ad0dfccb65e2f3a613bc26dfc7d74a98a899eb58c7df2d31

    SHA512

    5a7b96253536fe456fbe3c5a0cf0c55431de3b643edc963bee36f32aa2d2ecdd1f88ab3d73b44087c3b42534865cc97a6d133102c931f5cd33668152dd8c41c1

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    91KB

    MD5

    1ad06c84941d002251f4909077d551b2

    SHA1

    bd6619b20b250923df604387847a47192550d123

    SHA256

    0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d

    SHA512

    76df341dd0a83c36c3453b33db54cc88f14ae7a58876c7a63caccfa14df2182ac65522cf8d9d8687cb69dbfa8911edeb7c4a7aac06c98e0f702e4c933ce3c33e

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    91KB

    MD5

    ef44df06c8966bd4d0ce87e788d1047c

    SHA1

    2d961a6e39ee2a01a4749ea9ee327bec441bca5b

    SHA256

    38f90eb0cf6129cca54423faa50f72ccb64005a8055f076cadfd4b12a4636816

    SHA512

    20589f81747c390a2308ee1227d01d750102b331a254ad936ed27f120a0ec3f3c722de1c3105fad46e8a45ea09514e8fafb6f7a8cc7dcba14eca93e953f948df

  • C:\Windows\xk.exe

    Filesize

    91KB

    MD5

    19aecd2525137caf2148450e7c978bff

    SHA1

    0cbaac3116b35ab383f59819f48ed48028d6e3bc

    SHA256

    9a49818af5b2e749a87defe7e59ab41de13eb0fe16651396c48128b11e828acb

    SHA512

    ee20c7eb8a5bb4d88206608afc528112febda2f16b07c9a2592b7916e608e70beb127cd60440655d40dbcb98ff578785599463b9cc5e8ecdd327896c95e8da56

  • memory/432-154-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1440-113-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1448-130-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1448-134-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2704-138-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2704-142-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/3964-0-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/3964-156-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/4152-148-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/4828-121-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/4828-115-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/4832-126-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB