cb9c0ac56597de591fb227b399a9e96dbef6ae6269a35070d9fc1f9e16fb5358 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

7

WinLock.exe

windows7-x64

WinLock.exe

windows10-2004-x64

Sharing

General

Target

WinLock.exe
Size

487KB
Sample

240824-1bwssa1ale
MD5

9f97b58176f9f5139929bcc9b292d776
SHA1

cc7409a6a026177a47804ea44aa9cc83007d0747
SHA256

cb9c0ac56597de591fb227b399a9e96dbef6ae6269a35070d9fc1f9e16fb5358
SHA512

ed2afb424ab8499b71f1ad1dc9ac2e8db040a9afd9664b0145c16ffc426ea461db8b885907ace2146348bedb776a3c4cfce4f0c0fdb980ee99a17cd7ed488e34
SSDEEP

12288:+R/y00bzAlvpYq1orkEHck8IzDqY33k0ero5lr:+fMgsvqY3Croj

Score

10^/10

discovery evasion execution persistence trojan upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

WinLock.exe

Resource

win7-20240704-en

discovery evasion execution persistence trojan upx

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

WinLock.exe

Resource

win10v2004-20240802-en

discovery evasion execution persistence trojan upx

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  WinLock.exe
- Size
  
  487KB
- MD5
  
  9f97b58176f9f5139929bcc9b292d776
- SHA1
  
  cc7409a6a026177a47804ea44aa9cc83007d0747
- SHA256
  
  cb9c0ac56597de591fb227b399a9e96dbef6ae6269a35070d9fc1f9e16fb5358
- SHA512
  
  ed2afb424ab8499b71f1ad1dc9ac2e8db040a9afd9664b0145c16ffc426ea461db8b885907ace2146348bedb776a3c4cfce4f0c0fdb980ee99a17cd7ed488e34
- SSDEEP
  
  12288:+R/y00bzAlvpYq1orkEHck8IzDqY33k0ero5lr:+fMgsvqY3Croj
Score

10^/10

discovery evasion execution persistence trojan upx
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Image File Execution Options Injection

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Image File Execution Options Injection

Scheduled Task/Job

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryevasionexecutionpersistencetrojanupx

behavioral2

discoveryevasionexecutionpersistencetrojanupx

© 2018-2025

Terms | Privacy