Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

72890e3d55...a6.exe

windows7-x64

10

72890e3d55...a6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    23/06/2024, 22:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    72890e3d55eb16d4d1bc1c0c2c02d043852bcb971c7d62d35280645a49c587a6.exe

  • Size

    91KB

  • MD5

    37e4425c59ced7ea7c201d40de8359ca

  • SHA1

    d862ba4fd5c06baf561b0ae94c3f9179a2535f8e

  • SHA256

    72890e3d55eb16d4d1bc1c0c2c02d043852bcb971c7d62d35280645a49c587a6

  • SHA512

    38c10b130b722e498d7fd537337b7d0f7a9054d39030168723a40ca3a22b276a295436efc4486b4d33bb8f16b94e509f2369760dc4a571102fdb113d3adaa781

  • SSDEEP

    768:E3gRYjXbUeHORIC4ZxBMldNKm8Mxm8I+IxrjPfAQ4o3Imu73gRYjXbUeHORIC4Z6:uT3OA3+KQsxfS4ST3OA3+KQsxfS4u

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 18 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 20 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\72890e3d55eb16d4d1bc1c0c2c02d043852bcb971c7d62d35280645a49c587a6.exe
    "C:\Users\Admin\AppData\Local\Temp\72890e3d55eb16d4d1bc1c0c2c02d043852bcb971c7d62d35280645a49c587a6.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2188
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:264
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3016
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1936
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1636
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2004
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2300
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2088
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:392
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1732
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1128
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2900
  • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

7
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
    Filesize

    230KB

    MD5

    4f51f1a4d9535f401049639d25b1fcdd

    SHA1

    09f3bbdac04ab7549ec7261c221e2dcd70e6de59

    SHA256

    4e820fc9c35eccf4465ce618a4039c1d8213bbe676c0e32e41a1b5c41dcffd52

    SHA512

    64262319fa72ec5c839b3bc58a1e5ed02fe1e9e46d9ec8a6bfb2ad412ce8089d042ee8f8bdc62f412089e24f453146d26bc7aea9185cbccba0b73fd666699868

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
    Filesize

    240KB

    MD5

    12454f2c35c13f0d7df910b55133f763

    SHA1

    9eafa18de73a66d8291b5303e5f769b9e9fe4aad

    SHA256

    f462cbfc5b4800642dc7f4110825753fe8c8ad0501fec60c2e7ff3f248374293

    SHA512

    b89be6d46ea7681c9678a2c867f84dfa32c76e056b8813e03eb6efbe0ccfe563abfda006fd168dccbfb275d6b7a8c8836a744f315a1dbd337dde49472fe0d3be

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf
    Filesize

    1KB

    MD5

    48dd6cae43ce26b992c35799fcd76898

    SHA1

    8e600544df0250da7d634599ce6ee50da11c0355

    SHA256

    7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

    SHA512

    c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    53a2c4b4b9146d833a7575aa751ae85b

    SHA1

    f4a083ca691c475845af8b20aad679f02d6d8281

    SHA256

    162cbd497f1112a1784b8eb9f21107f14b2cdf6280d944221b9970cd21d7b3ce

    SHA512

    2ab3316d5f0d1605a0ec1f4a244735b423c9492fe6d6c9185b53c2c21bbc9310e49b02f782bb68f54af42641b1a39f6ffef493c4430a90b473250f2002ae6de4

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    91KB

    MD5

    6ec703876047d22e618d6b6779ee4e46

    SHA1

    f0817c619933af8010047f6f21c8123bb9e46132

    SHA256

    77656ad68f35bcf9b8202256f56ce71fedc709562b58ae34334f7f7790f3d027

    SHA512

    20028a83d5149f04db157589948a28e44304831672636e380cb0f2fc18b7d2f2aa0e00c315529f9d8c23062050339b09e3abaa9c59bdcadd7468a6c64822c831

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    91KB

    MD5

    b3bbb7ebf536681da414f92859f2e34d

    SHA1

    195058669609e0d274f43a4b1fe61a9f679b56e5

    SHA256

    6e6c447d980172875f4634a6386506e3a280c9660fd127a784fa8eec49bb5111

    SHA512

    8008af322839c8f3450cb90e366698634436ced770478a31311a30bf6ad9899897c4b508adef7eec86f21881d96e8608d41928bed299c9c5b1195f3ecf558267

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    91KB

    MD5

    8663016a71aa2143cef34c01e239c537

    SHA1

    764a4eb859c5e76441e97932fdfbbc58f2bc2a96

    SHA256

    2c65983b74cee232f86b7b3d412afb51e8e75936b2a1c8335f231cb3c6b73296

    SHA512

    9f5f1ca5976f6b8e62f73f5a3da9ccde6afc0730bd833aa36f79a556450a4c3560867722528653c63e8eff1c34a1e9ba7ac9fc98d2ca1013e2b03a9f3ea96b65

    Download Submit

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize

    91KB

    MD5

    37e4425c59ced7ea7c201d40de8359ca

    SHA1

    d862ba4fd5c06baf561b0ae94c3f9179a2535f8e

    SHA256

    72890e3d55eb16d4d1bc1c0c2c02d043852bcb971c7d62d35280645a49c587a6

    SHA512

    38c10b130b722e498d7fd537337b7d0f7a9054d39030168723a40ca3a22b276a295436efc4486b4d33bb8f16b94e509f2369760dc4a571102fdb113d3adaa781

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    d20b6eeae83cee33b7bac031ba37bc71

    SHA1

    a0942a63a9b2425e84061c366f27368c26813033

    SHA256

    3898ef8503542a3d5cf8640076f17aa2d0710db2c18267e2af95b879eb4a5a60

    SHA512

    b370f5cec7acd1fa704859e24da5051a42998b4b437de1522faf3d0b29919b402fab5d6b12f59a4a213920138faee90f643b669401f655beb8eabbb5916cd96f

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    665a9439616380b58e4d4893dd568ac1

    SHA1

    52e196da5a2ccf981d2e315750ba46e665f1c8e1

    SHA256

    d0c23efcfeadfdb2224c96d08e481f42913cbedd4a2b484dafe670ea7373aa37

    SHA512

    49f8000a6737576be775efd1ac4b49d027d06afedafad7f9d9ea4ec09fd6df974470f069fe34fe458bd125e95a6fd3c373cda908724d4dc4a05f19ed58095e80

    Download Submit

  • memory/264-116-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/264-119-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/264-124-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/264-117-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/392-267-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/392-262-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1128-288-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1128-294-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1636-162-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1636-170-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1636-163-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1732-275-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1732-280-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1936-153-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1936-148-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1936-168-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2004-227-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2004-220-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2088-248-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2088-260-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2188-125-0x00000000003B0000-0x00000000003DC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2188-152-0x0000000000401000-0x0000000000427000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2188-1-0x0000000000020000-0x0000000000024000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2188-147-0x0000000000020000-0x0000000000024000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2188-457-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2188-300-0x00000000003B0000-0x00000000003DC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2188-219-0x00000000003B0000-0x00000000003DC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2188-2-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2188-161-0x00000000003B0000-0x00000000003DC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2188-242-0x00000000003B0000-0x00000000003DC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2188-3-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2188-258-0x00000000003B0000-0x00000000003DC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2188-0-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2188-115-0x00000000003B0000-0x00000000003DC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2188-114-0x00000000003B0000-0x00000000003DC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2188-4-0x0000000000401000-0x0000000000427000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2208-332-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2300-233-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2300-237-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2300-241-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2900-307-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2900-302-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3016-132-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3016-133-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3016-137-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3016-145-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download