Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

6d35ee2023...0N.exe

windows7-x64

10

6d35ee2023...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    03/08/2024, 07:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6d35ee202396f3c884f540485b431a20N.exe

  • Size

    33KB

  • MD5

    6d35ee202396f3c884f540485b431a20

  • SHA1

    a115ec49fece8efda40c2c7910eb17ec953c5d82

  • SHA256

    229849741b475b4aa52d42c61e8e11b580d36695cf190843ec2ab46f8351dfc5

  • SHA512

    e1ccbf974d7d6f6aedccd73f00ddc1a835b3ac2fdb73fb12ed53b21f665cbfc26c6302354cd284e4f16931883c703a797c3ed2f783a87d49c4add1fb8b2e02e9

  • SSDEEP

    768:tQbuQRy2UjmUndnlTttxDn+3jiSkjRY6AB7kKfYoJ+ifBEewzKOm:QuQRylaUDTDxDXjy6AB7koYy2Tm

Score
10/10
defense_evasiondiscoveryevasionpersistencetrojanupx

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    remove IFEO.

    defense_evasion
  • Modifies WinLogon 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 17 IoCs
  • Drops file in Program Files directory 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:428
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1228
        • C:\Users\Admin\AppData\Local\Temp\6d35ee202396f3c884f540485b431a20N.exe
          "C:\Users\Admin\AppData\Local\Temp\6d35ee202396f3c884f540485b431a20N.exe"
          2⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2648
          • C:\Windows\SysWOW64\eakmoodoab-ourac.exe
            "C:\Windows\system32\eakmoodoab-ourac.exe"
            3⤵
            • Windows security bypass
            • Boot or Logon Autostart Execution: Active Setup
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Indicator Removal: Clear Persistence
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2700
            • C:\Windows\SysWOW64\eakmoodoab-ourac.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:2404

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\attoseav.exe
        Filesize

        36KB

        MD5

        449af745d2eb16086536e82e7d825823

        SHA1

        e86918ff0c0675c2071f5241d8f7a0aee850bbf5

        SHA256

        0f5a1b11154f34720983ba996184d69d26ce51e2097579b5711be0dc3923f496

        SHA512

        64145321b572326e4c50d6f599dcfb8a3ef86a7c6347816e64e0896ec223e1889c3c97732f99fb4effdc428375c7f122c03cefd776b3a9e505cfd1fc824a1087

        Download Submit

      • C:\Windows\SysWOW64\esteroag-ecoab.dll
        Filesize

        5KB

        MD5

        c8521a5fdd1c9387d536f599d850b195

        SHA1

        a543080665107b7e32bcc1ed19dbfbc1d2931356

        SHA256

        fa8f77b6daf775d66de9d27c1d896168a792057358e518c00e72b8964b966ca5

        SHA512

        541500e2cd502852a007d29badc1a1848d187245f78ec272281bab290cc6e308f0ae6d1b96863e0c30a176b16c6cf7e63e08a8de81a84615e4710e7164a805cd

        Download Submit

      • C:\Windows\SysWOW64\idmeagat-acum.exe
        Filesize

        35KB

        MD5

        edf44fd1c290e2a3acc4ad2ec5458af1

        SHA1

        1a4850a1051973f06b22b8b56029021b702f7b55

        SHA256

        2b546f7fe500f0d8d639ffc47918be6f246d995cf00e24abb5e370c8fa492d33

        SHA512

        c51efb59319bd1878f36d30713b938e0ec93249fdf030a8997f2aa7e6c0bddab297cfc0f84a54dee27952a44a7f367eea4fa00dd2f39f03d56d49c6aeff821ba

        Download Submit

      • \Windows\SysWOW64\eakmoodoab-ourac.exe
        Filesize

        33KB

        MD5

        6d35ee202396f3c884f540485b431a20

        SHA1

        a115ec49fece8efda40c2c7910eb17ec953c5d82

        SHA256

        229849741b475b4aa52d42c61e8e11b580d36695cf190843ec2ab46f8351dfc5

        SHA512

        e1ccbf974d7d6f6aedccd73f00ddc1a835b3ac2fdb73fb12ed53b21f665cbfc26c6302354cd284e4f16931883c703a797c3ed2f783a87d49c4add1fb8b2e02e9

        Download Submit

      • memory/2404-25-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2404-60-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2648-0-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2648-11-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2700-22-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

        Download

      • memory/2700-59-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

        Download