Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    18/08/2024, 00:42

General

  • Target

    b35035bbd115f5f28813d27c854f5bf0N.exe

  • Size

    33KB

  • MD5

    b35035bbd115f5f28813d27c854f5bf0

  • SHA1

    14a3982401ea7bb7070763854fa3f26165b0364d

  • SHA256

    693219a75775769bc379b9179c3e7e87fe9058d9e10acf15372657a37df7f3f1

  • SHA512

    aaf62b99ad99ee085f62b172588354ba33abddc3bbf32c2d3e4c3211aa848fbe1de1631425074bb4178d2a77e9d77d0c0878f0f27ecf14f75a2655a144287b3b

  • SSDEEP

    768:tQbuQRy2UjmUndnlTttxDn+3jiSkjRY6AB7kKfYoJ+ifBEewzKO5/V:QuQRylaUDTDxDXjy6AB7koYy2T/

Malware Config

Signatures

  • Windows security bypass 2 TTPs 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Windows security modification 2 TTPs 4 IoCs
  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    remove IFEO.

  • Modifies WinLogon 2 TTPs 5 IoCs
  • Drops file in System32 directory 17 IoCs
  • Drops file in Program Files directory 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:432
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1184
        • C:\Users\Admin\AppData\Local\Temp\b35035bbd115f5f28813d27c854f5bf0N.exe
          "C:\Users\Admin\AppData\Local\Temp\b35035bbd115f5f28813d27c854f5bf0N.exe"
          2⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2976
          • C:\Windows\SysWOW64\obxetok-osor.exe
            "C:\Windows\system32\obxetok-osor.exe"
            3⤵
            • Windows security bypass
            • Boot or Logon Autostart Execution: Active Setup
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Indicator Removal: Clear Persistence
            • Modifies WinLogon
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2096
            • C:\Windows\SysWOW64\obxetok-osor.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:3040

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\arxoopid-adoab.exe

        Filesize

        36KB

        MD5

        162c2143e7bd3e1ac69cc4624c1b47aa

        SHA1

        49c0a079e5cb5620a6974661d7e16f4ed3475209

        SHA256

        39751381133b5b7a4175678d2afa57ea7f40054171951de243afb5364592b837

        SHA512

        92a2b478e5059da3ae048e6e67bf082fbeea08eff11a335ad2c2a61b4348ca31321df9edffd2969ce077bbc597cb821693737f8fe5a7b1ef4c56efc55f0215a1

      • C:\Windows\SysWOW64\bvufuc-ucom.exe

        Filesize

        37KB

        MD5

        076294d9a243534fb89d8b8f075b4949

        SHA1

        b12b9b2d405c623e85b8002d099e6224413d0644

        SHA256

        11bcd3a748d6784ba41656104f85e337125a9d8a47836ba5d0e1c09217581bd6

        SHA512

        415e00e62dfa92f35ab2721296570b0ffde099805618d4144654499c844cc49d4d78de2540340f47429c81542e46dc69d44b0b9c7cdd6fff6ee264153e2f2275

      • C:\Windows\SysWOW64\ohpifec-ubac.dll

        Filesize

        5KB

        MD5

        c8521a5fdd1c9387d536f599d850b195

        SHA1

        a543080665107b7e32bcc1ed19dbfbc1d2931356

        SHA256

        fa8f77b6daf775d66de9d27c1d896168a792057358e518c00e72b8964b966ca5

        SHA512

        541500e2cd502852a007d29badc1a1848d187245f78ec272281bab290cc6e308f0ae6d1b96863e0c30a176b16c6cf7e63e08a8de81a84615e4710e7164a805cd

      • \Windows\SysWOW64\obxetok-osor.exe

        Filesize

        33KB

        MD5

        b35035bbd115f5f28813d27c854f5bf0

        SHA1

        14a3982401ea7bb7070763854fa3f26165b0364d

        SHA256

        693219a75775769bc379b9179c3e7e87fe9058d9e10acf15372657a37df7f3f1

        SHA512

        aaf62b99ad99ee085f62b172588354ba33abddc3bbf32c2d3e4c3211aa848fbe1de1631425074bb4178d2a77e9d77d0c0878f0f27ecf14f75a2655a144287b3b

      • memory/2096-24-0x0000000000320000-0x0000000000337000-memory.dmp

        Filesize

        92KB

      • memory/2096-44-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

      • memory/2096-51-0x0000000000320000-0x0000000000337000-memory.dmp

        Filesize

        92KB

      • memory/2976-0-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

      • memory/2976-11-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB

      • memory/3040-25-0x0000000000400000-0x0000000000417000-memory.dmp

        Filesize

        92KB