Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

34e8c0ae08...11.exe

windows7-x64

10

34e8c0ae08...11.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    25/06/2024, 20:05 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    34e8c0ae085fc555f0440edc3c514efa11148f176726e1afc806edf387752211.exe

  • Size

    91KB

  • MD5

    f0a63c666cb73fb5d97b2e945b1bfef6

  • SHA1

    953008051f8a4b3a4766850a4351d655a045e5bd

  • SHA256

    34e8c0ae085fc555f0440edc3c514efa11148f176726e1afc806edf387752211

  • SHA512

    eadd974a9b5427b274ed0136b27c4b59f4624d09b6fac2698a189a2450f70d7df9a8fa168e61e3f6fe99329c06d069d54679ad30fa67307d4d536b683eaf37d0

  • SSDEEP

    1536:zAwEmBZ04faWmtN4nic+6GAAwEmBZ04faWmtN4nic+6GU:zGms4Eton0AGms4Eton0U

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Detects executables built or packed with MPress PE compressor 21 IoCs
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\34e8c0ae085fc555f0440edc3c514efa11148f176726e1afc806edf387752211.exe
    "C:\Users\Admin\AppData\Local\Temp\34e8c0ae085fc555f0440edc3c514efa11148f176726e1afc806edf387752211.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1732
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2524
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2756
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2340
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1764
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:348
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1116
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:840

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    91KB

    MD5

    b941593922bf12ad2615eeea8d358dcc

    SHA1

    6823e35cea1a7fc76986c279a0dfff9897e9a078

    SHA256

    f120a2c17ff1e6bcff725c63615f23b283d88a58f9e2597b631c06a02bce0a33

    SHA512

    fb459a97b72d3742708391d5fc180a865550541b3a1ef8b24f0eec5c4008c179540e872ce344bd7be1a2719d4258c084ddf905195d07f1a32d961ee4cb895365

    Download Submit

  • C:\Users\Admin\AppData\Local\services.exe
    Filesize

    91KB

    MD5

    f0a63c666cb73fb5d97b2e945b1bfef6

    SHA1

    953008051f8a4b3a4766850a4351d655a045e5bd

    SHA256

    34e8c0ae085fc555f0440edc3c514efa11148f176726e1afc806edf387752211

    SHA512

    eadd974a9b5427b274ed0136b27c4b59f4624d09b6fac2698a189a2450f70d7df9a8fa168e61e3f6fe99329c06d069d54679ad30fa67307d4d536b683eaf37d0

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    880619e01f0a53b2713fc31d5baec4ad

    SHA1

    ee146cac745f32fff74cf5737d33cc17606b3914

    SHA256

    fbb3d4dd94203274aad9b42d4c76f3b82bcc4e1b0dcea5e875ce2af6e66f1186

    SHA512

    d8cc3bf0f95a984be9f8d85f135d986d18893de0685a7083b4b37d443fb525b31b50fef00f2f49f295b192141d8ae6d46342a962c3612613302328a6598783d7

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    4b5b170c185bdc4c41759d585cc79fb5

    SHA1

    cfcba7896d0c67a38c63833929ed9a517e8da673

    SHA256

    91bde7499222fc1b64d25e4c381924426f5cdcaa76f9ec70818a63e3008313f3

    SHA512

    92af5434bbcc1d84fd5dab84b4ad992944697b2d47fbd62ebd9180d5d0cca200eabce932fbfbf47513202c09d37622fe89eb9d5e167604b92d59d53a9d3637da

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    91KB

    MD5

    85de26eebe62c3765e4193b9f4841877

    SHA1

    652421d88f8717a600d003938f2fb389fc410025

    SHA256

    7d7ef06c14db7e9d128ae2c08b4b835f9962b03efe11ca54077f9180a1dbf8c6

    SHA512

    d9a2f414c87be351b35b99917e84918b8e0a84d5a0543d81d97bde43a33a04c461f39ac3dc35f12a9489889740d9339e1ac0e7018c0d7390f6186a78003c5937

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    91KB

    MD5

    842261dc83b694ab9a7597775809e75e

    SHA1

    73979bf381e809e7f769dbdda81850e508309fd8

    SHA256

    c918f92cf3e79877776dae606f26b99f6804a70170110be585c9d8ed9b6ca16c

    SHA512

    9ae05eb19b6cc97e021c1ecbb931ef94fc253a9431145d64ad5cf2fd586e3eff31e15f7f3e19bdd17b06e4d61af44aa2308e47bf3b228870b0530f925b74a349

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    373f68325df92e70945a4c290e70ffc5

    SHA1

    14c86233beec332dda4035af7185f51f7795cb4d

    SHA256

    0bf6eee4c64e8232ea989e3dd3941140c762e3727ff5d30ffc4d5c9afcaec17f

    SHA512

    19843b3dc456b29762a2cf575aef5a66e24d0c0c03374832a3e56217bef1098793b4b4857640a2ecb514dd5022fb8c1c42f054dcf2132365d37c9ceba3f8720e

    Download Submit

  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    eda68a11083d5ef4138a33709e21a532

    SHA1

    e5c8271861a955cba5dba9631d7dde0f282523f5

    SHA256

    f85ce3b8ab9b4b6d6ae0b16676d73222fb224f20f17a2de3098af99009783d35

    SHA512

    ce7fda5fba89db586f5ae70c0957b548a8bf69ceba6be9f9efcc7bb3cca5d520d751c90b6d82dfc0e14b6b643f910fbe68081f1ab5642e3e24a66588c6377f5f

    Download Submit

  • memory/348-160-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/348-162-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/840-185-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1116-175-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1732-109-0x0000000001DD0000-0x0000000001DFE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1732-135-0x0000000001DD0000-0x0000000001DFE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1732-134-0x0000000001DD0000-0x0000000001DFE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1732-186-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1732-110-0x0000000001DD0000-0x0000000001DFE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1732-0-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1732-159-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1764-151-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2340-139-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2524-111-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2524-116-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2756-128-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.