Analysis
max time kernel: 9s
max time network: 11s
platform: windows11-21h2_x64
resource: win11-20240709-en
resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 19/07/2024, 14:14
Static task
static1: 1 signature
Behavioral task
behavioral1: sample Trojan.exe on resource win11-20240709-en, 9 signatures, 150 seconds
Errors
Reason: Machine shutdown
The behavioral run ended after about 9 s of kernel time because the guest shut down, well short of the 150-second budget. Trojan.exe (PID 1712) enabled SeShutdownPrivilege and LogonUI.exe (PID 4756) was started, which is consistent with a sample-initiated shutdown or reboot. The persistence entries below were written before that point, so this trace covers only the pre-shutdown stage; whatever the sample does once it is relaunched as the user's shell at next logon is not captured here.
General
Target: Trojan.exe
Size: 436KB
MD5: 3f69b5cf8a01c9839289d345f8a24ad3
SHA1: 19c097f5644e8defd173f85e1dae9d811cb01cef
SHA256: 154875dd285cbcd33ef3ed7910d2baceb11f119dd2b32e54c81bbfa7270f17df
SHA512: b4d8ae174f787ca3b06a2ddf0ff52f76db7d363239d629edd017ced62e1937b333bb4445982552c597c265f2dd0fbe70e350f3dbc44b0032e7a4690ddc9d11a8
SSDEEP: 12288:7MSU4joci8M6PW1GVFeFd60DFUyhetYM:ASUCpM2W1Gvgmyetv
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str) by Trojan.exe:
    \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe"
  Winlogon honours a per-user Shell value over the machine default (explorer.exe), so the sample is launched as this user's shell at every logon. A Shell value pointing anywhere under %TEMP% or AppData has no legitimate use.

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  Key created by explorer.exe:
    \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Active Setup\Installed Components
  Caveat: this key was created by explorer.exe, not by the sample, and no StubPath value was written. Explorer creates the per-user Installed Components key itself when it processes Active Setup at logon, so this hit is weak on its own.

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by Trojan.exe:
    \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\userini = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe"
  This is the RunOnce key, not Run: Windows runs the value once at the next logon and then deletes it. The value name "userini" appears chosen to resemble the legitimate Winlogon "Userinit" value. Together with the Winlogon Shell change, the sample has two independent logon triggers pointing at the same path in %TEMP%.

Modifies data under HKEY_USERS (15 IoCs)
  All 15 writes are by LogonUI.exe (PID 4756) under \REGISTRY\USER\.DEFAULT and set logon-screen appearance values. They are the logon UI's own activity, not the sample's:
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "158"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
    Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"

Modifies registry class (1 IoC)
  Key created by explorer.exe:
    \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1210443139-7911939-2760828654-1000\{2F7DB299-58FD-4FD4-AD68-F8E21F004B5B}
  Explorer's own AppModel package state; not sample activity.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  All 64 hits are PID 1712 Trojan.exe: the sample polls the process list repeatedly for the whole of its short run.

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeShutdownPrivilege        4588 explorer.exe
  Token: SeCreatePagefilePrivilege  4588 explorer.exe
  Token: SeShutdownPrivilege        4588 explorer.exe
  Token: SeCreatePagefilePrivilege  4588 explorer.exe
  Token: SeShutdownPrivilege        1712 Trojan.exe
  The explorer.exe entries are routine. The one that matters is Trojan.exe enabling SeShutdownPrivilege, which lines up with the run ending in a machine shutdown.

Suspicious use of FindShellTrayWindow (64 IoCs)
  All 64 hits are PID 1712 Trojan.exe. Repeatedly looking up the taskbar window alongside process enumeration is commonly used to confirm that an interactive desktop with a running shell is present before proceeding.

Suspicious use of SetWindowsHookEx (1 IoC)
  4756 LogonUI.exe. This is the logon UI installing its own hook; not sample activity.
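Separating the sample's persistence writes from the explorer.exe and LogonUI.exe noise in the signatures above comes down to a handful of registry-path rules. The following Python is an added example written for this page, not tria.ge's signature logic. Its event list is constructed from the IoC lines above (only two of the fifteen LogonUI.exe writes are included, to show they are filtered out); the technique IDs are the ATT&CK Enterprise sub-technique IDs for the technique names the report lists; and the "info" downgrade for explorer.exe merely creating the Active Setup key is an analyst judgement, not a tria.ge rule.

```python
"""Classify sandbox registry-write events into ATT&CK persistence findings.

Added example, not tria.ge code. EVENTS is constructed from the IoC lines of
this report; technique IDs are the Enterprise sub-technique IDs for the names
the report uses.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SID = "S-1-5-21-1210443139-7911939-2760828654-1000"
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"

# (operation, registry path, value written or None, writing process)
EVENTS: List[Tuple[str, str, Optional[str], str]] = [
    ("Set value (str)",
     rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     TEMP_EXE, "Trojan.exe"),
    ("Key created",
     rf"\REGISTRY\USER\{SID}\Software\Microsoft\Active Setup\Installed Components",
     None, "explorer.exe"),
    ("Set value (str)",
     rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnce\userini",
     TEMP_EXE, "Trojan.exe"),
    # Two of the fifteen LogonUI.exe writes from the report, kept to show they drop out.
    ("Set value (int)",
     r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization",
     "158", "LogonUI.exe"),
    ("Key created",
     r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent",
     None, "LogonUI.exe"),
]


@dataclass
class Finding:
    technique: str        # ATT&CK sub-technique ID
    name: str             # technique name as the report lists it
    severity: str         # "high", "medium" or "info"
    process: str
    path: str
    value: Optional[str]


# Winlogon values that decide what runs at logon; anything but the default is a hit.
WINLOGON_RE = re.compile(r"\\Winlogon\\(Shell|Userinit)$", re.IGNORECASE)
WINLOGON_DEFAULTS = {"shell": "explorer.exe",
                     "userinit": r"c:\windows\system32\userinit.exe,"}
# Any value written directly under Run or RunOnce (HKCU or HKLM).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.IGNORECASE)
ACTIVE_SETUP_RE = re.compile(r"\\Active Setup\\Installed Components", re.IGNORECASE)
# Locations a legitimate autostart target should never live in.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\",
                              re.IGNORECASE)


def classify(events) -> List[Finding]:
    """Return one Finding per persistence-relevant event; everything else is dropped."""
    findings: List[Finding] = []
    for op, path, value, proc in events:
        m = WINLOGON_RE.search(path)
        if m and op.startswith("Set value"):
            key = m.group(1).lower()
            if (value or "").strip().lower() != WINLOGON_DEFAULTS[key]:
                findings.append(Finding("T1547.004", "Winlogon Helper DLL", "high",
                                        proc, path, value))
            continue
        if RUN_KEY_RE.search(path) and op.startswith("Set value"):
            # A Run/RunOnce entry pointing into a user-writable directory is the
            # classic dropper pattern; elsewhere it may be an installer.
            sev = "high" if value and USER_WRITABLE_RE.search(value) else "medium"
            findings.append(Finding("T1547.001", "Registry Run Keys / Startup Folder",
                                    sev, proc, path, value))
            continue
        if ACTIVE_SETUP_RE.search(path):
            # Analyst judgement: explorer.exe creating the per-user key with no value
            # is ordinary logon processing; a StubPath written by anything else is not.
            sev = "info" if proc.lower() == "explorer.exe" and op == "Key created" else "high"
            findings.append(Finding("T1547.014", "Active Setup", sev, proc, path, value))
            continue
        # DWM/Accent/Themes writes by LogonUI.exe and similar fall through as noise.
    return findings


if __name__ == "__main__":
    for f in classify(EVENTS):
        print(f"{f.severity:5} {f.technique} {f.name:36} {f.process:12} {f.path}")
```

Run on the constructed events this yields three findings: the Winlogon Shell write (high), the Active Setup key creation by explorer.exe (info), and the RunOnce write into %TEMP% (high); both LogonUI.exe events are discarded. The same rules apply unchanged to the `\REGISTRY\MACHINE` hive.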
Processes
All three entries are root processes (tree depth 1); the report records no child processes of Trojan.exe, so explorer.exe and LogonUI.exe are not spawned by the sample.

C:\Users\Admin\AppData\Local\Temp\Trojan.exe (PID 1712)
  command line: "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\explorer.exe (PID 4588)
  command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\LogonUI.exe (PID 4756)
  command line: "LogonUI.exe" /flags:0x4 /state0:0xa3a0f855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (T1547): 3
    Active Setup (T1547.014): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
    Winlogon Helper DLL (T1547.004): 1