Analysis

  • max time kernel
    93s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/06/2024, 20:05

General

  • Target
    34e8c0ae085fc555f0440edc3c514efa11148f176726e1afc806edf387752211.exe
  • Size
    91KB
  • MD5
    f0a63c666cb73fb5d97b2e945b1bfef6
  • SHA1
    953008051f8a4b3a4766850a4351d655a045e5bd
  • SHA256
    34e8c0ae085fc555f0440edc3c514efa11148f176726e1afc806edf387752211
  • SHA512
    eadd974a9b5427b274ed0136b27c4b59f4624d09b6fac2698a189a2450f70d7df9a8fa168e61e3f6fe99329c06d069d54679ad30fa67307d4d536b683eaf37d0
  • SSDEEP
    1536:zAwEmBZ04faWmtN4nic+6GAAwEmBZ04faWmtN4nic+6GU:zGms4Eton0AGms4Eton0U

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Detects executables built or packed with MPress PE compressor 18 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\34e8c0ae085fc555f0440edc3c514efa11148f176726e1afc806edf387752211.exe
    "C:\Users\Admin\AppData\Local\Temp\34e8c0ae085fc555f0440edc3c514efa11148f176726e1afc806edf387752211.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3684
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4992
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1760
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3160
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3996
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:5064
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3532
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1456

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize 91KB
    MD5 e3c9a686f6943b6b25318703c939a23f
    SHA1 4e4644f41b69dc1d12b0c745cf570811a806034a
    SHA256 d6bb991e294f872f0ad1f7dbd6459134fae71cd352cff6f21be497cd60ce2ad3
    SHA512 fee01f3a5e8beafc725aad95dccf61547451c4ca3a26d90c5360ef161b888ed2c0150c0d3ce82dd5435fd5a755f9cc7c1699cc3f3d7cec3cefa7a7feb8a524cb

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize 91KB
    MD5 894be25893330d3f3e3b1a0d2013aabe
    SHA1 793cfa27c1083101efa2fe0f4c53ab8b1f4e22d7
    SHA256 f7ae90eacfd2e7473255540368f3be83c1d751da8e65f0ae2536b1526f81545b
    SHA512 696789f116ccd2b7be9136141a83dc18a8a7532766099cd2d725519ad10b541c25892e70a809199ef16fa39a277e400ccd2b1ef3bc1644c218d5232c75b34d39

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize 91KB
    MD5 309a3bb1a846a0913edae4d4940271d9
    SHA1 cbdf306758867d274c1227d02467ae5bc13a4884
    SHA256 186ac6dfd0cb8b6a02a5f714e18bf7fd78214196b26c710df42c28805885d4b8
    SHA512 3cb4dcd4ea20bb242b3123c623157f2fcc5b78a042258210648f1f7946343394bcf2ccf6904a738ccfd775d7b4d53ab4f482b3a35f37406a1a1655c57d20429f

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize 91KB
    MD5 66064df1a003d4a442228c042e14db37
    SHA1 5140cd17075f5bc59c1f25960aeeb1ce69761587
    SHA256 432b774bb994572119140fa8c4b2897c8132d301bcd66edbe5427e8943b7a2fc
    SHA512 d5a7a91dfd1ff747fd21121d55d9541a80b277af066653f83934cf9e29ef6a862c7ab166c1721b03a281e5630e86897c0e2fb8ea858fc52aac4ac2c2ebfc55cc

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize 91KB
    MD5 6993641d138cbf1ae3500b2f92ae3f97
    SHA1 619248b9d61687cfd238c9b7802e188ffe007260
    SHA256 856d6a9390f0f44a1c4660dd0d6402a638a010f5e4e16aa3aacc8a2f48560663
    SHA512 8d0dd45ae3bc39aac72adb98430213df1e0db6c6b3a567c7c896be4ed54fc8980d848422d3f89183a565d85b4afb4a264e2bbd2df5ddeae7cfdcb64dff2ce7ef

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize 91KB
    MD5 f0a63c666cb73fb5d97b2e945b1bfef6
    SHA1 953008051f8a4b3a4766850a4351d655a045e5bd
    SHA256 34e8c0ae085fc555f0440edc3c514efa11148f176726e1afc806edf387752211
    SHA512 eadd974a9b5427b274ed0136b27c4b59f4624d09b6fac2698a189a2450f70d7df9a8fa168e61e3f6fe99329c06d069d54679ad30fa67307d4d536b683eaf37d0

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize 91KB
    MD5 b355acb1055769492454b4aaaa1efcca
    SHA1 cacc66b6d33dbbe96bca7c975887f53c1fb2ef43
    SHA256 598eea8785da954755092b0e75fe4e0d1343ee365291f096e8e67c26a2d2531e
    SHA512 248226b4ea87847cc2c8c8fe0d7a851e21fb7227ed671df431c4c701cf4049533a6a072934fa82a1507a438b70d473232a45e9cd631c66134f30c6468a4c03a8

  • C:\Windows\xk.exe
    Filesize 91KB
    MD5 42e3b963673f0b89fbcf5ab9c15706ff
    SHA1 66215dae8052f9ed695a614ebcfd95c964f4d180
    SHA256 4a137f9b2e2dbe08b03b48a99c575f24557b5b91eaa6c31d473af87b0a8ba230
    SHA512 9a34c9ca7cdbbdbf5b2f83d6b7c011b14bf20f8e20c629d86f6bbf074c405346a26e6d65cc7cbe53f98e05df32663f4d1a9d685508279b06dd8b3af8a035e07c

  • memory/1456-150-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize 184KB

  • memory/1760-118-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize 184KB

  • memory/3160-124-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize 184KB

  • memory/3532-143-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize 184KB

  • memory/3684-0-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize 184KB

  • memory/3684-152-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize 184KB

  • memory/3996-130-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize 184KB

  • memory/4992-112-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize 184KB

  • memory/5064-137-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize 184KB

  • memory/5064-135-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize 184KB