Analysis

  • max time kernel
    95s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/08/2024, 02:12

General

  • Target

    499497eb0b313f9acc8c6b5f0d493d00N.exe

  • Size

    196KB

  • MD5

    499497eb0b313f9acc8c6b5f0d493d00

  • SHA1

    98524b17547455f007eda62522841433b43060af

  • SHA256

    e90d30455cb81e4e9c86efc71795ea8d0515ba3ca09db7fc772370b80ad3c499

  • SHA512

    0345157e3a68b25aa2cae46c05e2df24e8c4c0afb06d4d2eb5d28a99e528eb3a93def313a264b9feb93691d7cf0092f051aa1c83bbbcebccae8fad2128d5a5c7

  • SSDEEP

    3072:ZOgUXoutNAxZVX4/awxfodLJUBv9Bsor1rHjhMU9npQQpmuG:ZFYoS2RARoYlld9n2Qpmx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\499497eb0b313f9acc8c6b5f0d493d00N.exe
    "C:\Users\Admin\AppData\Local\Temp\499497eb0b313f9acc8c6b5f0d493d00N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4856
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3416
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2132
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4144
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4224
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1068
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4784
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2808

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    196KB

    MD5

    e5984b301478cddbfbe0d170d52c6ea6

    SHA1

    b08b149a29c06f5a6f437de2b5671016785c4e6b

    SHA256

    3019dee4dd7f18916b73cae18f8cb66fda5b2d395c8b101317a1167c8da0ad4f

    SHA512

    1065f35eb1f3e7eadefa84d66e7b8c633c6697e4b936adf820b54b4e15cae374765b2876e581909b64af0d2775b21f818a297a7caec570ad3be8077703590c3c

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    196KB

    MD5

    f2e011b564be0198ca3077a402da34fc

    SHA1

    5d80a01912edb21197263d564eaadced8081ddee

    SHA256

    fd19be39e909716b7e006b11b1ca9fc040ba5a62c963adecbf3a0266731d4853

    SHA512

    e54c971f01e165eb5c9c456db3f80083153909de532b8b3bb9dce7d3d439d5da1b40111e9e6252042f9130fc3982d4328859e961cecd05269186d04bbbbe4a4f

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    196KB

    MD5

    e5fbca8e18660a277490e121c10537ce

    SHA1

    6a63f11c9f174d3f4c5537bfd403bd6aba7e7d6e

    SHA256

    a7bdc012ed376d234e438b145d5501e84fa82a79db521d1701a9494c900fb789

    SHA512

    4ea9deb350d145dc6672d979c097f7a037f2cb95ece2eeb84b563ffcb9b0a6ecd54878ef3343181918936d7e0a67d33b5277c0f1978f673961739b763b33e85e

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    196KB

    MD5

    6e24a16fc6bc1239de1c20e041423c40

    SHA1

    1aa795448885812851b6f1ebf769cd05206ef2c3

    SHA256

    ee5312d4ba8ebcd784d7d709b8dde20264a0be3f9de52955c6efe35896ffde75

    SHA512

    33faaff0c784afbc048951fbf6a55e3ca070b725644b8565b1799f265ad0f38bb354d4c36989446cf0bc6dd59db360f049fc2a9c524cb698269ca5c0211a146d

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    196KB

    MD5

    31a6bc56203bf507851dae68579b2b03

    SHA1

    9e20f005455ce4d4d08b56f25e9ac8bd1e7ce49c

    SHA256

    828e0c39b9f76570785233f07f84d5e84c5673450cfcf908870cc1cfeb1cd978

    SHA512

    df9ac7638c8dfc4a081e9182fed28d5b0e684669fd1ce06a7df06f413a4a20ed1b657f286f6b3f6d157b49e244c1a72fbdf6c81c13193d65e5b0ca594e4c8459

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    196KB

    MD5

    499497eb0b313f9acc8c6b5f0d493d00

    SHA1

    98524b17547455f007eda62522841433b43060af

    SHA256

    e90d30455cb81e4e9c86efc71795ea8d0515ba3ca09db7fc772370b80ad3c499

    SHA512

    0345157e3a68b25aa2cae46c05e2df24e8c4c0afb06d4d2eb5d28a99e528eb3a93def313a264b9feb93691d7cf0092f051aa1c83bbbcebccae8fad2128d5a5c7

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    196KB

    MD5

    1d4820be14c27663f97bf3da4542473d

    SHA1

    5addc86e4e15a73ecec8b562fb601e146fb56e8e

    SHA256

    94325898bd2c123094d5569e570f7815c80deb00939facb72c2dc0d7dc959589

    SHA512

    9515345288ebbabc26ed7cac30bb08c4a52b5f3305c66980f1726a4ee24f4a068bfd5cd96527e0673328fe586dcf81bd5861f568aec8a3e6a47583e8f900a681

  • C:\Windows\xk.exe

    Filesize

    196KB

    MD5

    d2fc78a77b465838a54fa5ff01dd3646

    SHA1

    4639db8aa1cd1e128246e5ee4c3a78181561718c

    SHA256

    fb7c614267f27481a301d36110a7e3d9d96f7adc6342f3b15959715c025bd68d

    SHA512

    9f37835e6a7cbe6b7795ac6e3e9840fc8d2cb6eb956cf0bdac99a12e70e59edeabad3479bf84560438e91267b72407228234ef80bd7526d4f8adc0706688a506

  • memory/1068-141-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2132-116-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2808-152-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3416-112-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4144-120-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4144-124-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4224-129-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4224-132-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4784-146-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4856-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4856-154-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB