Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

3

Static

static

3

k1XJSSO.exe

windows7-x64

k1XJSSO.exe

windows10-2004-x64

Analysis

  • max time kernel
    23s
  • max time network
    25s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/07/2024, 08:59

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    k1XJSSO.exe

  • Size

    90KB

  • MD5

    1c7f572b36e436360fcbf142aad58689

  • SHA1

    bf60b1168ad8aa921501fa37b3a66edbc6ef5936

  • SHA256

    22e2f0cb23c47b359f8eca3872596e6d4c67033568bba09ac0043bf1f5b1a314

  • SHA512

    9596c7c534ede05082bd80245116df7ba0f4d0d88465ebd3d83579d7dbfdddf72ecad01ea19c1795fda089aeb070a58adf8883f5d7a72bb9144edf0930323a2a

  • SSDEEP

    1536:H7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfvwoOl:b7DhdC6kzWypvaQ0FxyNTBfvo

Score
1/10

Malware Config

Signatures

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\k1XJSSO.exe
    "C:\Users\Admin\AppData\Local\Temp\k1XJSSO.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3260
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AA2A.tmp\AA2B.tmp\AA2C.bat C:\Users\Admin\AppData\Local\Temp\k1XJSSO.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4092
      • C:\Windows\system32\timeout.exe
        timeout /t 20
        3⤵
        • Delays execution with timeout.exe
        PID:412
      • C:\Windows\system32\shutdown.exe
        shutdown /s /t 0 /f
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3488
      • C:\Windows\system32\tasklist.exe
        tasklist /FI "WINDOWTITLE eq Recursive File Renamer and Fake Ransomware"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2700
      • C:\Windows\system32\find.exe
        find /I /N "cmd.exe"
        3⤵
          PID:2004
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa39b0855 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:5016

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\AA2A.tmp\AA2B.tmp\AA2C.bat
      Filesize

      1KB

      MD5

      b6e1919a9ca970827428552753afb18c

      SHA1

      1838733ac35d669133de530f4a007b3e07bf52ad

      SHA256

      a5e9d19b518f9ff6c1b7921cc1d36af8aef7ca7c14c996a11a8fc337f9c277da

      SHA512

      e8ca15278f02086594b1ad134bbd09a7f101bda9f908f028e4585382a6d4ae04e202f3773fec8a88f8fd7f66b45f21b462e4b7e053b2301145c84f0cee64c26b

      Download Submit