Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/08/2024, 10:59

General

  • Target

    a820b6e6627b7b71708ea1ac5897a090N.exe

  • Size

    91KB

  • MD5

    a820b6e6627b7b71708ea1ac5897a090

  • SHA1

    75eaef27c3836631848002fe2f9312aa81641e16

  • SHA256

    1ce962e3fb3c3b97e06c857a5067bc12fad67199ff549a6a3a7bc6124942ece4

  • SHA512

    c6973572c00b14d524a59204e9edadec5583c16f1baa9901c1be76dc90acedeeb73b15fe7f06833eac0515f52ff7be6a0e53f6cf0078b439ce140e09c8c52266

  • SSDEEP

    1536:XRsjdLaslqdBXvTUL0Hnouy8Vj2RsjdLaslqdBXvTUL0Hnouy8Vje:XOJKqsout92OJKqsout9e

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a820b6e6627b7b71708ea1ac5897a090N.exe
    "C:\Users\Admin\AppData\Local\Temp\a820b6e6627b7b71708ea1ac5897a090N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1924
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2656
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2152
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1288
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2072
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2080
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2904
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:540

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    91KB

    MD5

    3613de138a325771e1e37baedca023db

    SHA1

    996da10403fbc2cf57fb7cae5bdca9ed3c420d5c

    SHA256

    0300725de71ece68bd7f547b24fa39238e65332c2ca9e160399c8f9de695cd9d

    SHA512

    d270af5d8601eca7d29557ce46f6b84462c9c3bcc59b42ef604127016dae9875d7b30547abd8d8ad2827587933b6cc5f280b6bf6cfdf42e15b17c5d3823f5583

  • C:\Users\Admin\AppData\Local\services.exe

    Filesize

    91KB

    MD5

    a820b6e6627b7b71708ea1ac5897a090

    SHA1

    75eaef27c3836631848002fe2f9312aa81641e16

    SHA256

    1ce962e3fb3c3b97e06c857a5067bc12fad67199ff549a6a3a7bc6124942ece4

    SHA512

    c6973572c00b14d524a59204e9edadec5583c16f1baa9901c1be76dc90acedeeb73b15fe7f06833eac0515f52ff7be6a0e53f6cf0078b439ce140e09c8c52266

  • C:\Windows\xk.exe

    Filesize

    91KB

    MD5

    5bcf89f6faa85cd74bff49bf0b510c25

    SHA1

    ec57ea1c469a2ead818e6debdc8563cbc5c037b5

    SHA256

    3cfc6ff7e1bdbcdb7fea28fd28b1e0a2587f93114a4ad79d7810fe32641ec529

    SHA512

    febfe91dacfb684e9a0d08cc32f65545e8171c3781b5d137c946fae8d488d0246632ab3c4144ef3648421c221afb293be1fb6cc52a22a9908d99a0e69ee67fe3

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    91KB

    MD5

    5a38c73f7cb271098374f65f8ffc7f9d

    SHA1

    9303bf62e0d89a4f7a87f6b14866ce135f8067ba

    SHA256

    d321bce66d0d1fd3b8fd68968f36530efeea1a2b2a0141c37a05887a65b686b9

    SHA512

    0f7dba7fb3402bd704bd4e119fa21c9d881b8183085919533fe433173daa71fadf77452355f572304294870a7136889bf92a486189aaff73164582feb8516ea4

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    91KB

    MD5

    9199faa84f9316dba1fae2a2cb19bf2a

    SHA1

    3cf845cdb1db9cd55f319f3c5b06116160f4ec6a

    SHA256

    ed59167b2987977f6771c10d514cc934197ecd7005c9f17db0de355bcfb0e5ca

    SHA512

    e10c8373964ba06d5d50b6f54bb882628cd28ba8844929fecb1cc0d3ae7c12f098141dbb422eed7ea30686c84ed11a202d0196b3c2b7c1449fd490a14b15f53c

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    91KB

    MD5

    e6416d1661155d42e7989d46976ce86a

    SHA1

    0a0a278139ee8928d59962dafd7732f6895f31be

    SHA256

    836501bb3b739dac823014c28c2b627dfc9f969b56e2a2982fda7e237cad50cd

    SHA512

    2a71602547fd0009d143bb3bd863d2f3c1132443591e60971b2de284775b09bac7f5ccb424255192554ae5bf54ae66fcb89d670660cfcd1f065717c0bb54cf33

  • \Windows\SysWOW64\IExplorer.exe

    Filesize

    91KB

    MD5

    87567623a481d25b359933d3f4065697

    SHA1

    5f55b108714c4e6f1c0dc7ed9bfdf8ce2fb3a76f

    SHA256

    c46a07c132372a6201fe7e0ad7e7a412ea999a922b86291d41a539816a0f3c9b

    SHA512

    2c69e431d419d9c770f369397292b8dbd7bcdb8c7f810ccacc174387b4227dc034c35da74d5bccaef5e1df4788eb34077c7464070e62a906b8e226f01e753346

  • memory/540-181-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1288-133-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1924-163-0x00000000027F0000-0x000000000281F000-memory.dmp

    Filesize

    188KB

  • memory/1924-151-0x00000000027F0000-0x000000000281F000-memory.dmp

    Filesize

    188KB

  • memory/1924-136-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1924-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1924-177-0x00000000027F0000-0x000000000281F000-memory.dmp

    Filesize

    188KB

  • memory/1924-183-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2072-144-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2080-156-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2152-123-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2656-114-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2904-165-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2904-171-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB