Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
-
submitted
05/07/2024, 21:01
General
-
Target
42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe
-
Size
459KB
-
MD5
72ab3f264137afe93ce5b00511f59e92
-
SHA1
59e9280f83fc2d33c7b788d8fcc2f8db1ef848e8
-
SHA256
42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e
-
SHA512
c65e52d572dd8e1736af032aabc42c42ff228c2eb394d43906a5c677e3160e89862e2a47b0d47f3440c7704b925355f848b1d2cecb369cc61a6631e5a52aee10
-
SSDEEP
6144:JY+32WWluqvHpVmXWEjFJRWci+WUd20rUU5EYCTvaBju4zT:OnWwvHpVmXpjJIUd2cUusvalxzT
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Disables use of System Restore points 1 TTPs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 1 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 42 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe"C:\Users\Admin\AppData\Local\Temp\42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe"C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\lsass.exe"C:\Windows\lsass.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
459KB
MD55c217f6923d68e727574a1c5691ebd04
SHA15ea380bb2e98f8d05ed52538be983b67627214ca
SHA2561cf7583b281cb7224428c7ba085d08c0b82084ddf14d3c20a843ad188857b8ad
SHA51260127539eb40413a7d8d3a7d5fd37e2f1768bae452920e158bfe727b40d9c624e0b6418b67aa0c846a43e7ccbe2db06a68e378873f5f9040ee22a94805984d83
-
Filesize
459KB
MD5317ecc3065cd0a82e028e1251a04f281
SHA140268d14d102a1badedf61de35b695a41dfde296
SHA25638ea8feea0084cdee6022cfdd6be0e3f58c095832ce89312cc1380e1a1e73cfb
SHA5125a21c1418026f24a863e9f1c1a2a0df0a977a9a50e9890743a6fc2aac84b149aade02f0f1b40ed9b22fca29be4404a93bf9d5d7ba346cd35449f08c144015278
-
Filesize
459KB
MD58c44b575f94e4586198fe92c0f18447a
SHA1355e78109bb3fdb51751141f7347a7bfa410df0a
SHA256f8d6900a1c40b4845965b75fc1fce3d5e2d08c76863019c81ba5f3cb80a21b4a
SHA51282164c06e718779bdf72646391b4e19edd1d331a337921a2792f730a3e21932ebe1154c44ffdf0357a701b35b35ee278436f87f7cc7b470f4bc3626968cd1a1b
-
Filesize
459KB
MD535a12a7fc163ee19c4e64da9235e056d
SHA16fd5d1eeb8a6c72c59cc7e0021a596045b4f5321
SHA256d381cf28b76a3937be888ca93e25fdbeb9a1b190587349b54fdbf067b7bb5af3
SHA512baf768696e324b0f84bd31b090ae9d2d02e2bd486baa057bfaa02288c3f730a9236f77e3367799607b7a9e720332cbfd116a2358a625c4419de2f32454c28f4f
-
Filesize
459KB
MD5cf1d20f7e0c368bdd8ba57b46d44b534
SHA1b87b2fcc6f11a61a66197347bbc39973c748a7c0
SHA256c0ece04a7784ed6fa759b980ab2668735e9564f896a6d3b3a4a22d1094b1ee18
SHA51236aaeeb9c1789b87a61ae38e39fbf5b777df591e1601c4ce422c55ac911b29dd548204ccfa24562a240a44553f9118a6af2d9cf7496b01b8d68de9762c52923d
-
Filesize
459KB
MD5043104a75e907b6fe1e5c4b7db5f979c
SHA101926744f8d970cbffe429967840ccf97be0c24c
SHA256df99bba5e16101750592b67a7fb90a3383e99c3c903d19af3f10887a7e2e2945
SHA512d56a984b4573c28f27853c1116ec56f2221f66a30647182543763f09ccbd5d49563112ee85ca43394fc585adfca14d4f7ea56b535517d057677996aefedc579f
-
Filesize
459KB
MD50ed13a12faa717084849ac5167d06da6
SHA12554b9ec31712fca1d177d4e8286505b2216667b
SHA25642c1687a1fa667f96f07b7fadbda9ed03abfc3bb1b0e37479bc4b0a0f2b03ccf
SHA51207928b33438448aa134084b7e9eaa28cb5ce2833c19fddbb6fc46cf4f5e8a30e7554025623adc2bb7e50816786da3c2e6874836b4f762d12a99b81aa891e217e
-
Filesize
459KB
MD5f4be5a6f8d1d6f406b0207c6383a1fec
SHA18ed928e459712099ff414d287458807fef985b5d
SHA256d7d3ace97a2273e70ef07b0979ce19516daae1a0d86217c0baa12a7dfa53582c
SHA51293caed153785f6257dd95c3545f33bf6e33e862f3a471065b5cad6894c08e65ae30a9fd391b0d75f80cb9f124cfa23d2aca76ca1fed3ef8c145e6fb47bc6dc11
-
Filesize
459KB
MD56a61014a87548b27daaf5849db88944a
SHA1519b8bbef05068b647b31d0ceb08bad13f074c2f
SHA2565e693d71a2a016c07f0130745753b499dee7fc1df11134e2bdf0ec064d6f54c4
SHA512ffcdfe662f87d2ae54d55cc90f40c8550e7daa7967fd4a2d4e9fece42cf2ddfad7aee2a04d04c30e1e1490d994179871ee6a9230f5700d7ff09ec77b9efdccf7
-
Filesize
459KB
MD5716d733e1bf0a533129a80ab91348178
SHA1ce8a67a121bf1144b6b41b714aefc6f66b4942d6
SHA256bff31b4b7563000615131784cf059d7e7abaa693b7ca01ad6ff43446ba1aa647
SHA512fbf6f49fc8fd2c40b4c92dca7eb4c084bc0b94b8fd4ee44015ee23179382e90a4ac08316c76c96b566defa1bca89217690f016788bb98d1e735689886be578dc
-
Filesize
459KB
MD55f805cbbee230620302508f257490483
SHA1750b42b61b4dc24104553977305609412140d40a
SHA2567959fb4e24fbb799e343996e11f9e8244486f5a022362edaba605d1ff23c11f6
SHA512eeccf6572de810d780483275329fd3b31d103bf74f3a115bfe0b65500ed5482b0fe81b059fa2dc465ea742fc2649098a869e1bd8b0c7e50fdebc7f726ab262b5
-
Filesize
127B
MD5ec2c662da18d9ef47f82cf0a45185864
SHA19ecae7a2a7cef9dc645622d379af21f76ee13d03
SHA25692d6e70679cc79038144eb56bf2f1420868e9d474d3479dd22905b3c4bb6e205
SHA5121ec5953c70630a7998fb7cf72ec9ae6a616ac5ddae896cd29ee9ad572603c5b8c9c057df9a4393b534308fc5fc3e3539cd934e11d75bfece2859aeedf10a0977
-
Filesize
141B
MD54fbfedfb920495cf36d49b03495e52b8
SHA14bd5598e406be2a3ea9b5a37c3b70b7e001e6224
SHA2564a4c0696e6d5dc4646aa62a90296dcbb14f14fd6752a337d7441b20352a5b559
SHA512a49fdfc96beffff1fac7bdcd0e74189c337034b52f90208d8108f0b3aff0ed23085b06c3e7733863daa75d3247fada5364be8de976fd3aac4bbd7662294f7427
-
Filesize
459KB
MD572ab3f264137afe93ce5b00511f59e92
SHA159e9280f83fc2d33c7b788d8fcc2f8db1ef848e8
SHA25642fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e
SHA512c65e52d572dd8e1736af032aabc42c42ff228c2eb394d43906a5c677e3160e89862e2a47b0d47f3440c7704b925355f848b1d2cecb369cc61a6631e5a52aee10
-
Filesize
361KB
MD5743f8e737976b7b58abd2acf2f1082c6
SHA15b023c812e28f2b0cf442edc7cb558376c3a67c2
SHA256192d6a279fbc68fb01b483ea03197ec79e8b8289da57cd0f9aead7a6dbb4e7aa
SHA512342fcb283694c0fdfb348ccba711c5dc714cd93d875f1e997bc0e853017b80a0d836e2958eff8ece0717246c0781ba93508f4399530965cfa7e010a364129c34
-
Filesize
361KB
MD5bb3c024a20350fd9f1f31ae8dce3ec0e
SHA129e02419ed33c771c3bfe255d41007af9795ab25
SHA2563d6dc948c793598e28de3bbe9345e9f891c1a6371c2a0e0444475a56b05c0439
SHA51285cc23c8f2b31c284f17e6a3faf91e5d50dea9a9495f7a04623de06d3b218c3f2f2d623911987f4d2a4755762b317ee55e5aede5362b308b7fc4ed68d17f6fdb
-
Filesize
459KB
MD5c05172666fbfc34bd0b2e5b5c11db010
SHA1ca0fb551a366d6620b7297d6fda38647117cb025
SHA256fac81e1d241a3d04f95c24a841864ea13691e236290259377164e1694a9a2309
SHA5122664ba9a094da9e159562dd8b1192c0d107a4ae6535df4694cb67033c7d5c24570b804a7a325323f2d39d53204aa5297a7cfccc74410317c71791f0c9f69e1bf
-
Filesize
459KB
MD586c1efb3175516c804a7f205cfbdd15e
SHA1df67c229782c01839773f34ad728555729b8f2b0
SHA256e3ca3711f6dded65f883ee337aa877c7180d4058fd47d8398bee011ed8f4a2ac
SHA51294e6eaac186ea233776d7959912a369897820cf46f68db3fde096aebe3991e03d50ab7c818a40078eba83d61ffd93f406db307ad0f0f135622e45e5dd1732095
-
Filesize
65KB
MD5c55534452c57efa04f4109310f71ccca
SHA1b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61
SHA2564cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc
SHA512ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a
-
Filesize
8KB
MD50e528d000aad58b255c1cf8fd0bb1089
SHA12445d2cc0921aea9ae53b8920d048d6537940ec6
SHA256c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae
SHA51289ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116
-
Filesize
1.4MB
MD5220cd5b36a14cfc83715839698aeaaa8
SHA1e2957eb14abffa17ad61b7555221803444f92288
SHA256eb319cc5c5e432b3f111b185fa12e1410b43d90b81b4bd8d7f007c860256b4b1
SHA51265f4473e6f2f6af2c9197fb25955b58f1f2504b3cf364e6e6f41b9e1ba9fb6a80613797a0b4b24b41ce88b1f2afbb52cc3efcc5a362c4f54f2beb745028a9441
-
Filesize
1.4MB
MD5faccb368f1c32d9466d95f537be6983d
SHA14d34d1bf813a86bf952a6aab00cd79853bf6f109
SHA256c91e9718a7ddf97a0a3006751af147415b1cc97e037d908d9d883b3942187a1a
SHA5128f4a76f4ca840f833774b1cd7dfd7b96e992d7ac33c9f5750656ffaa9f74b6c3cfe876d09d2c2bb7fb4c04b47e9dde8d3fff9fdb3aea8e948d52d3f7a2b00b37
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
468KB
-
Filesize
460KB
-
Filesize
468KB
-
Filesize
460KB
-
Filesize
460KB