Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/08/2024, 10:59

General

  • Target

    a820b6e6627b7b71708ea1ac5897a090N.exe

  • Size

    91KB

  • MD5

    a820b6e6627b7b71708ea1ac5897a090

  • SHA1

    75eaef27c3836631848002fe2f9312aa81641e16

  • SHA256

    1ce962e3fb3c3b97e06c857a5067bc12fad67199ff549a6a3a7bc6124942ece4

  • SHA512

    c6973572c00b14d524a59204e9edadec5583c16f1baa9901c1be76dc90acedeeb73b15fe7f06833eac0515f52ff7be6a0e53f6cf0078b439ce140e09c8c52266

  • SSDEEP

    1536:XRsjdLaslqdBXvTUL0Hnouy8Vj2RsjdLaslqdBXvTUL0Hnouy8Vje:XOJKqsout92OJKqsout9e

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a820b6e6627b7b71708ea1ac5897a090N.exe
    "C:\Users\Admin\AppData\Local\Temp\a820b6e6627b7b71708ea1ac5897a090N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3844
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3916
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4584
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2092
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2840
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2324
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3052
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4744

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    91KB

    MD5

    b3fac552d43a2c4083c1386d5f00e28e

    SHA1

    ecc5b0292c5c52461e19e278b1bce9fe65223e33

    SHA256

    e5133c27c82fa68bbb36c4454cae7e00e854d12abf85100a6a3a0cbb6dd4ebad

    SHA512

    f65a745000ff2aff293c5d34b8fc10f39c5b21aee0ee798a06e813581da9229d031196787e620e57fa5f2a9738c1772525872d1c34a65620d0c38293d4891ded

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    91KB

    MD5

    a51939e8be8aeac08abb4398f759bd04

    SHA1

    1d7ec62f135f34eba02427d851c2ef9d03c4a712

    SHA256

    adb41fb723e10c6be4c8fa459e0e0db0cd4318d03a71773864380699cd8f4b97

    SHA512

    acff40683f2fd92ac45c67cbf104d0caebcd9336353c314d0e9804483d23b443063dc88717cc9054b035f29538759cbb425c546f85fdad18eeb77202b8484302

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    91KB

    MD5

    cd9e1c96d91384fe88c836b29f64a4d2

    SHA1

    b63dbcc8688fbf7530aee986a0a9996dd9862b57

    SHA256

    586beb4680de49c9fc1eece3dcf86eadac571ac4dc3ea443552cf4d73789c754

    SHA512

    92db53c7fd48a68626b41e5a7f538b34e362f1eab4411554876bdf99c729e4908b1ccb774a67747f98a995794bbe9d2e64ba8ee0873518b4343af19796220f84

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    91KB

    MD5

    e45192af4c7a0e980a35cbac9d9b81c8

    SHA1

    12cd8dd38bfc6f2cb6dd7cd8fa601995681a6451

    SHA256

    18c366ed2a5aaa9d7566d2383dc1278bb8468254448002cc734e9f508398d6aa

    SHA512

    be215ce9d5f72bd6ac4787873f33a52cfa32018942e4c0fee4c4e4e45f8619a9a4c838d652802d6a058cbc174b164e21201515eb85930d8088a391e76bde076d

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    91KB

    MD5

    a820b6e6627b7b71708ea1ac5897a090

    SHA1

    75eaef27c3836631848002fe2f9312aa81641e16

    SHA256

    1ce962e3fb3c3b97e06c857a5067bc12fad67199ff549a6a3a7bc6124942ece4

    SHA512

    c6973572c00b14d524a59204e9edadec5583c16f1baa9901c1be76dc90acedeeb73b15fe7f06833eac0515f52ff7be6a0e53f6cf0078b439ce140e09c8c52266

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    91KB

    MD5

    a7622f5f51bf2bee1f2fa55b831eec57

    SHA1

    e4e82c90d3ceee2121fbbcaedaba1b224d95339a

    SHA256

    0625270228048f1ab23483744213612b595337e05cea97cb22a45349dae9275c

    SHA512

    6897acfa80f3db4bcf69c209df22714a74ad078a3adf7a850b38c2580bd728bebe5ab260eda43df36f85a8803a76e956d6935e3844de618f795f3f6b48864fc0

  • C:\Windows\xk.exe

    Filesize

    91KB

    MD5

    3e38ca5f3b00f7b91a30cd8c69183eb2

    SHA1

    3a8cd86c6113bb85407c26822604f696d9b7b344

    SHA256

    1e59ad9adb2d54c31d4ad4d7b7d5de31b7e746dabed599c25466c5b1957c29dc

    SHA512

    c216853b92d976a21f9b8ae2536bb71f8f41748c3ab4ad0a8cd20fc35005043d2f26f5581ffb406a3dc29216f74181915923ea399ff5a44ec071537539bbecfc

  • memory/2092-125-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2324-138-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2840-131-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3052-145-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3844-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3844-152-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3916-111-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4584-119-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4584-115-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4744-151-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB