Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

414c8dd00b...0N.exe

windows7-x64

10

414c8dd00b...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    19/07/2024, 02:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    414c8dd00b2ebfa8c70704e99a2789b0N.exe

  • Size

    79KB

  • MD5

    414c8dd00b2ebfa8c70704e99a2789b0

  • SHA1

    ab539564dcf19f06f43cc2735b5296ccd1dbb652

  • SHA256

    b92084c33bd7423c42f756717d2bf8fca3d20ec1b2af0f0fefcecffc9e8be13e

  • SHA512

    078daae503d5d80f7ea773b583ccb0199a55763c4b57ca723aa6ec412b447ff7fe0dbb70b6e1781d9d02345ce483f1af9b80de3ef81f1e8f2001d68c65ff6e55

  • SSDEEP

    1536:f++SLuEx8vhe9cyqjdSsaW8nzektcSsz35LNfLg+:CLmvyqBSFnjtS35LJ

Score
10/10
evasionpersistencetrojanupx

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 64 IoCs
  • UPX packed file 25 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 27 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\414c8dd00b2ebfa8c70704e99a2789b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\414c8dd00b2ebfa8c70704e99a2789b0N.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Users\Admin\AppData\Local\Temp\414c8dd00b2ebfa8c70704e99a2789b0N.exe
      "C:\Users\Admin\AppData\Local\Temp\414c8dd00b2ebfa8c70704e99a2789b0N.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • UAC bypass
      • Windows security bypass
      • Drops startup file
      • Loads dropped DLL
      • Windows security modification
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Maps connected drives based on registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2404
      • C:\Users\Admin\faiwoed\deowiaf.exe
        "C:\Users\Admin\faiwoed\deowiaf.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2216
        • C:\Users\Admin\faiwoed\deowiaf.exe
          "C:\Users\Admin\faiwoed\deowiaf.exe"
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • UAC bypass
          • Windows security bypass
          • Drops startup file
          • Executes dropped EXE
          • Loads dropped DLL
          • Windows security modification
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Maps connected drives based on registry
          • Drops autorun.inf file
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • System policy modification
          PID:2984
      • C:\Windows\SysWOW64\PhotoScreensaver.scr
        "C:\Windows\System32\PhotoScreensaver.scr" /S
        3⤵
          PID:2540

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Replication Through Removable Media

    1
    T1091

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Hide Artifacts

    1
    T1564

    Hidden Files and Directories

    1
    T1564.001

    Impair Defenses

    3
    T1562

    Disable or Modify Tools

    3
    T1562.001

    Modify Registry

    6
    T1112

    Credential Access

    Discovery

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    1
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Replication Through Removable Media

    1
    T1091

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deowiaf.lnk
      Filesize

      845B

      MD5

      eb10d046c29b9dd9719efeb2c2abb061

      SHA1

      2d9bec184b81049b07d7545cd8601551deeafc82

      SHA256

      affc60e837fc1016ae1628a0632e0b2bdf6dcbbdb7705854b957ec8a7c50c8a2

      SHA512

      d2cd6542426d3608843ae2bc64a00f2903a9b02aa9ed8b6d9aeef1fd43ae5af41a74a00ca315ec9cc75c8ac1057935473f8d1891191242625b75837c845f8c7d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deowiaf.lnk
      Filesize

      845B

      MD5

      1d0cb150212cce1bda932ea7bf27502f

      SHA1

      1758f9c553c5badbf65c0e743025f5e838bca51e

      SHA256

      cc6406acbf96fc26aeddeccc41dd76e2722f14002068d9824cec75a02416fa5a

      SHA512

      cf993d521bfc8ce3c26315a288cb70f22b338e6d366caf65ae52ecab57782d89504b6747c6d319f838bee3c9502ad69151fc69d323db8cfd883eedfd9118b2ad

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deowiaf.lnk
      Filesize

      845B

      MD5

      28ad3597c8b8d62c800bf64c595f3cdf

      SHA1

      744da1de322fb6c502397a46caa4698dc4f68632

      SHA256

      02293f8385da69dced519318602efe09eae4f5b53f2437053c8afaa086dfff34

      SHA512

      b859e13d47b483f52f8ac3a37b2383fdf0f02e6c1a055fb35f41894bca0362a8741a804ec0bca1ff4d868b7d7a9d5441abf29994c0bc5220bb7f735773a48d2c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deowiaf.lnk
      Filesize

      845B

      MD5

      5edd958fba4b58077073b0cf824d679e

      SHA1

      38d89c848ceb01705520e80a4c037f7c4ba6b7c5

      SHA256

      1a2b951636fce2c98027e2fbaf9cd32123f7ed90c64d491c316d60afecdd55a6

      SHA512

      2fee36b969861128dbe14e06d9d314bd6e48dc873a951a48d06512357eea9c2ca4152257637da998b18099fd9e6d927ad76548afb3aec28a4cca946c8060f581

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deowiaf.lnk
      Filesize

      845B

      MD5

      5a2b24a481a6e2a6a4ad1e163057ff86

      SHA1

      97dfc7451883acda793a6842583c3c2db9914edf

      SHA256

      19344d381459dd22c798fa372872d5a16da2d0f32046062481c60b5b52350f82

      SHA512

      566d3b5655b480da56bf685d2d15ebdadbf7fe820e2a7a1277cd498923f82f82322c6c290ef43eac566e8aaaadc563e37d766cc446648338e4a44e02e82a575f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deowiaf.lnk
      Filesize

      845B

      MD5

      6b88d2b80197880357b06d27b0ced70d

      SHA1

      8a84c226c89c69e8d90ccbf3caa641179e6929f3

      SHA256

      7b15df41b87276a6c57d65715c9456a5852e16d5d6e2aa0d95bae108545fe9ff

      SHA512

      bbe05acc3044bf3cff17e72812e6ecbeb513a4e7a46c011eefe37ad567c09f09617a8c2100b07397a86a876f3faf3dfaab2f7db87561a9f5aeea80aac83d1477

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deowiaf.lnk
      Filesize

      845B

      MD5

      996aaa1f64d1994c324f45bdf9487ac7

      SHA1

      1e5c8f34c1631a298cd50c2fea1c6085325d1d90

      SHA256

      2a2af60308eb6f33ce3f8319c762482525ae7d72d130d11048f1de6fa154f0ad

      SHA512

      2d99fd575f8796e7791ef36d1b35710908cb0c2577d06781b9d2d0456e4dd69a8708597f54af5dfc80370a9222964b8d6e5e955cba6067dbb7e8a5cfef18c9c8

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deowiaf.lnk
      Filesize

      845B

      MD5

      cf146e5b044624268e5eb6c33e89377a

      SHA1

      e26df8a0675b4644baa94303a15bf1df0a483b1d

      SHA256

      84326fa27df0d4cadddb81f7ac2372c7e557a60fe067c2252ebcf91bb2598a1d

      SHA512

      4a7406825fdd3d133ace55aabcfac2dbd2ab1b1c78d54b75fc8d21157aa1147510d934e1f29d3c95bc8f1883e02779ff9185459e091a57577c52a6f5c20fac10

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deowiaf.lnk
      Filesize

      845B

      MD5

      58e1cff48363acdc63c4b9ca234075df

      SHA1

      ede51cacbd8d941be8d44280dccd94c3834c6f76

      SHA256

      f815b43f6b82d74e01976c4bf622e6c78857499a0d32a56a6c7387bc22c36851

      SHA512

      1c9a3024ed19549ff8176c26ec2a546f738355710457a87737122490284dd61207e590433890a04d8ee2fb54ac6923f70e97c3d94383b8b346c6be8876e974d0

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deowiaf.lnk
      Filesize

      845B

      MD5

      16006307a512dadbb7ff1b26116eea14

      SHA1

      8c22efbcea9fdc49f7574c0bc168b55e15aae0c8

      SHA256

      d112200d394456c9910b97c653aa5c1483ee5103271d3da792edecd6904b5777

      SHA512

      62fe4b1543091675195b8b598ebb380c87385405e57294858edd346a6b1b0f4f0bc8544e57c20ec3624a2f10cc5c1698a3d428ef5975b58bb6bff7e57c74e162

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deowiaf.lnk
      Filesize

      845B

      MD5

      b6f18792c985797269e7de1f12741c95

      SHA1

      849ad658e2d29949cc92d1d0c5062a0d51258ee2

      SHA256

      d9be3c5d367628cc836460f61e6c47b938431980d0112a7c95938a6bff15e490

      SHA512

      64a2ec596208db9f0724798e173f0c7b19f05b0d908bf2f135baa9882a740107bdd476cf9db376e6047e18c0419b78943e4d59e62d7c4b1a296a6b0823309aad

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deowiaf.lnk
      Filesize

      845B

      MD5

      933e16956992c2b0999484ee983b9db4

      SHA1

      52f95474d07dbee3372de374f35a602d33c3c0fe

      SHA256

      2034004ce7b348331a193ef265c3774546ff21fd63d43958a0a68b7d443aec99

      SHA512

      5cdca8dd4553add19d690f2dc4b0309e2d51dfd8065b9e6fa12b235ab40cfc5dff79d45f2d4f13a6b3f56ebfa782ff6324e497be29a20c85d2a9a595910377d5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deowiaf.lnk
      Filesize

      845B

      MD5

      1fa5da6ef6d6fb62a7bb931dc8f5ffc9

      SHA1

      70c056f6f49e0b05c1ebec1f799ef7578b20003e

      SHA256

      426069b2f86f10826f0dadfaa852585df273e33bd1cdc6258210511a6081e866

      SHA512

      cf852d7394ea579a57b6385ff87c599cbc46ea0fbdd24d42067fdcda614807dbfad0a8964a96beeea74198468b601ca659b26349418e1f2b5d011482f5584999

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deowiaf.lnk
      Filesize

      845B

      MD5

      42d12aee41a132a69a185d81e9b6acab

      SHA1

      93897a822e087c49e49d309741a37c748e6fb200

      SHA256

      58f90a6815157b3a4057a18c389a766b30cf7cb2d54803655ed569c4c8cb5a79

      SHA512

      d1bd529431f27908f98661985e06e2d0c491d2beed9380c74e7dc360ecb07bcc9a724b55458ecd66fd54e62bdadb2e0e89682aea9cc4c9b80f189f05fb17d856

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deowiaf.lnk
      Filesize

      845B

      MD5

      fcdce3ac6d3be17929760223bdfbaf23

      SHA1

      39a5e07b05935b9a64bd2ca5fe89960e1ceb0301

      SHA256

      1583d324504ee515dc3de3648f70e9fb08cf8cb61953393616023c36d9597d48

      SHA512

      8177086e5209b9f0709c94fdeb7521b266e16860d98ec4ae7ab3c9208995618812447996b1be475959f0e867569b620c874ebd44eedfb77b5239ad275fc32280

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\deowiaf.lnk
      Filesize

      845B

      MD5

      c36f33725095e7601b8f7d789ccfc808

      SHA1

      8a4b4711a9a38bcb8d8bf181d1771e5378f34b40

      SHA256

      212aba879e56edc23e1c2b7020d35d90c28be1d3a4adb830810233ad5ddf240d

      SHA512

      6f33f29d3c67fc4c3ff94e2674cf4da8d89a2ce5502a745b5905ca2a28ec91c0239968c73cc0833312041cb33d58793f6467202c820e6a4ebf43e7a86680c796

      Download Submit

    • \Users\Admin\faiwoed\deowiaf.exe
      Filesize

      79KB

      MD5

      414c8dd00b2ebfa8c70704e99a2789b0

      SHA1

      ab539564dcf19f06f43cc2735b5296ccd1dbb652

      SHA256

      b92084c33bd7423c42f756717d2bf8fca3d20ec1b2af0f0fefcecffc9e8be13e

      SHA512

      078daae503d5d80f7ea773b583ccb0199a55763c4b57ca723aa6ec412b447ff7fe0dbb70b6e1781d9d02345ce483f1af9b80de3ef81f1e8f2001d68c65ff6e55

      Download Submit

    • memory/1996-9-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1996-0-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/1996-7-0x0000000000230000-0x000000000024B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2216-38-0x0000000000400000-0x000000000041B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2404-217-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2404-178-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2404-5-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2404-8-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2404-3-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2404-259-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2404-22-0x00000000029A0000-0x00000000029BB000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2404-21-0x00000000029A0000-0x00000000029BB000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2404-30-0x00000000029A0000-0x00000000029B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2404-31-0x0000000002F50000-0x0000000003A0A000-memory.dmp

      Filesize

      10.7MB

      Download

    • memory/2404-231-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2404-45-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2404-49-0x00000000029A0000-0x00000000029BB000-memory.dmp

      Filesize

      108KB

      Download

    • memory/2404-124-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2404-55-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2404-62-0x00000000029A0000-0x00000000029B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2404-150-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2984-114-0x0000000001DF0000-0x0000000001E00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2984-227-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2984-169-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2984-67-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2984-196-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2984-199-0x0000000001D90000-0x0000000001DA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2984-142-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2984-59-0x0000000001DF0000-0x0000000001E00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2984-129-0x0000000001DF0000-0x0000000001E00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2984-212-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2984-51-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2984-71-0x0000000001DF0000-0x0000000001E00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2984-112-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2984-173-0x0000000001D90000-0x0000000001DA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2984-107-0x0000000001DF0000-0x0000000001E00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2984-44-0x00000000002A0000-0x00000000002B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2984-35-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2984-241-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2984-108-0x0000000001DF0000-0x0000000001E00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2984-98-0x0000000001DF0000-0x0000000001E00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2984-254-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2984-95-0x0000000001DF0000-0x0000000001E00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2984-90-0x0000000001DF0000-0x0000000001E00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2984-82-0x0000000001DF0000-0x0000000001E00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2984-81-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2984-78-0x0000000001DF0000-0x0000000001E00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2984-70-0x00000000002A0000-0x00000000002B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2984-270-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

      Download