Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

72890e3d55...a6.exe

windows7-x64

10

72890e3d55...a6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    125s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/06/2024, 22:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    72890e3d55eb16d4d1bc1c0c2c02d043852bcb971c7d62d35280645a49c587a6.exe

  • Size

    91KB

  • MD5

    37e4425c59ced7ea7c201d40de8359ca

  • SHA1

    d862ba4fd5c06baf561b0ae94c3f9179a2535f8e

  • SHA256

    72890e3d55eb16d4d1bc1c0c2c02d043852bcb971c7d62d35280645a49c587a6

  • SHA512

    38c10b130b722e498d7fd537337b7d0f7a9054d39030168723a40ca3a22b276a295436efc4486b4d33bb8f16b94e509f2369760dc4a571102fdb113d3adaa781

  • SSDEEP

    768:E3gRYjXbUeHORIC4ZxBMldNKm8Mxm8I+IxrjPfAQ4o3Imu73gRYjXbUeHORIC4Z6:uT3OA3+KQsxfS4ST3OA3+KQsxfS4u

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\72890e3d55eb16d4d1bc1c0c2c02d043852bcb971c7d62d35280645a49c587a6.exe
    "C:\Users\Admin\AppData\Local\Temp\72890e3d55eb16d4d1bc1c0c2c02d043852bcb971c7d62d35280645a49c587a6.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1148
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1712
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1532
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4088
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1512
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3688
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1924
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3904
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4332,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4180 /prefetch:8
    1⤵
      PID:884

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
      Filesize

      91KB

      MD5

      3943555927d8bb016c798deb21e8329b

      SHA1

      9a6c9c6e77243ae244fce4ea292002c9fa73b4df

      SHA256

      536df776ac3d5e45d19aaaf515051c0fa17a20c6a61d92fd56187962bdf2f749

      SHA512

      d051af7c5cbbf9e3a966d630d6491ee42843faa7687a7dae4f61820d3e41525f63ac42bbf97fb86b8bcb21ad3b3c83e197add8db5095ed789b4afaf91eb0660f

      Download Submit

    • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
      Filesize

      91KB

      MD5

      dab0cf5b36550789cf548e715ac20e08

      SHA1

      27e3a0b0f76fa1ea4697dbef7cb522163b9bc99b

      SHA256

      4a97d3f4598ce1c49ce7bccad8598269df388c7447919f9a6c9d3a4a4e65e6f8

      SHA512

      c4c239dcaa261abbce96795de26f89c2766f288fda202713ad0e2e162ec3bebba4252dfb0eea1271f732f7701618bfc23c71d0cda49a2d4fd2525f60ad35eaa4

      Download Submit

    • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
      Filesize

      91KB

      MD5

      7472b24276b8a01204997eec1116adfc

      SHA1

      fdf9b7dc6a1c5939266979efe4f7bb0749da327f

      SHA256

      b18b6343ee5c046306dc81a1bae0db4db1fbe13d610d394adfa789880094fdfe

      SHA512

      ffee4d09fcd8cff584ac03481f46d72e982f4006ac2fbf2d9519752960b15d2870b8b230570d5d7baaec2af2163bdc59150f4ea87bca7b76fa0df9783d55eba8

      Download Submit

    • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
      Filesize

      91KB

      MD5

      ab81d888fa17446ecb64a59ef37b919d

      SHA1

      b99b0a7ec252b7c57513e5c67c4388d6473181ce

      SHA256

      16fa2927dbf58ae837bcb2ef7bca95b462348fe3d8a16338632696f218788c51

      SHA512

      9cf7fdb0c6f4172f97192d576d7e8cb74cebaf838bc05fc051b4cea82670425ea30f5dd080e302dbe6083f6fb6a5b6bff53ec201d0c0a62c69cd3771b07974e9

      Download Submit

    • C:\Users\Admin\AppData\Local\winlogon.exe
      Filesize

      91KB

      MD5

      37e4425c59ced7ea7c201d40de8359ca

      SHA1

      d862ba4fd5c06baf561b0ae94c3f9179a2535f8e

      SHA256

      72890e3d55eb16d4d1bc1c0c2c02d043852bcb971c7d62d35280645a49c587a6

      SHA512

      38c10b130b722e498d7fd537337b7d0f7a9054d39030168723a40ca3a22b276a295436efc4486b4d33bb8f16b94e509f2369760dc4a571102fdb113d3adaa781

      Download Submit

    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      Filesize

      91KB

      MD5

      5cfe55cab19638b0c5ecdfaacf8764ac

      SHA1

      56e8667321589ff398ea2a3c4441d3a0d8053843

      SHA256

      d733a78662a291ba1ade301d7defd096db2399c457a12cf35ace09fdbb6964f0

      SHA512

      4076e261f1fbb6c096f320153d0519d1d232a207c382c06d5f67c1db70d5ec5eb66338bb4653f2f65d941ac9972477c8966fe68903d11cc842d0b9ea6e1216ed

      Download Submit

    • C:\Windows\SysWOW64\IExplorer.exe
      Filesize

      91KB

      MD5

      6f05eeb83a65f1e34ddbb15ac2a110ae

      SHA1

      b9e62a1918e591ee4f09916ae001819c32bb5142

      SHA256

      b625880ff92b16db8ea8b984862d9fdce061f3b02281274ffd6a2b74209a3d4d

      SHA512

      b8220a87290bb654576aa8a975b5b01f0c9f9940e7b0887b733c6373982acfb415d3c67bb846c49e91e0e8cd6590bef25f0112524e685b6a1305e02de4c245c6

      Download Submit

    • C:\Windows\xk.exe
      Filesize

      91KB

      MD5

      d8ec322984ca4625b8b493eedfbdbe7f

      SHA1

      4f64f0e11c691e9485742392f4f4967e71b5b133

      SHA256

      a760037ece7cae9a23a37fa4842afff3dfd03ba2f4e4970f265d273611d4192b

      SHA512

      84c775b1f3739d8360a9f7aec8b259afca9277e07940ad446cf9e9fe26d654ad88e73e5c32db5de44d78c9911cb9aef4b752167a8c8120e6c11aa23dcece50cb

      Download Submit

    • memory/1148-3-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1148-176-0x0000000000401000-0x0000000000427000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1148-0-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1148-175-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1148-5-0x0000000000401000-0x0000000000427000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1148-2-0x0000000074F70000-0x00000000750CD000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1148-150-0x0000000000401000-0x0000000000427000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1148-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1512-140-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1512-146-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1512-141-0x0000000074F70000-0x00000000750CD000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1532-122-0x0000000074F70000-0x00000000750CD000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1532-126-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1712-113-0x0000000074F70000-0x00000000750CD000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1712-120-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1712-115-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1712-112-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1924-159-0x0000000074F70000-0x00000000750CD000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1924-164-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/3688-151-0x0000000074F70000-0x00000000750CD000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3904-168-0x0000000074F70000-0x00000000750CD000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3904-173-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/4088-136-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/4088-135-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/4088-131-0x0000000074F70000-0x00000000750CD000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4088-130-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download