Analysis

  • max time kernel
    139s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/08/2024, 02:15

General

  • Target

    c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe

  • Size

    91KB

  • MD5

    b2e7729144512e4662ecdf17295b7d7e

  • SHA1

    913a139a2c0d0d8c39de05ccb460c3138fdc6c2c

  • SHA256

    c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3

  • SHA512

    50c2c27137aae8f1fc68d14fd76612fee8c8af4d1a17fa15a027890c206acfe447ab67f819ac2aa6430227fba154c7488c88952b072a0e1fb3e3199d659e4786

  • SSDEEP

    1536:ERsjdf1aM67v32Z9x5nouy8VT9gRsjdf1aM67v32Z9x5nouy8VT+W:EOaHv3YpoutN+OaHv3YpoutN+W

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs
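The signatures above are almost all registry edits: Winlogon persistence, hiding extensions and hidden/system files in Explorer, disabling RegEdit and System Restore, hijacking the exefile association, and a Run key. The report page does not show the values the sample wrote, so the triage script below, added here as an example and not part of the tria.ge report, reads the well-known Windows locations for each of those behaviours and flags anything that differs from a stock Windows 10 default. The Run-key pattern is assembled from the drop paths the report lists under Processes and Downloads; the registry paths and default values are standard Windows, not taken from this sample.

```powershell
# Added triage script (example, not part of the tria.ge report). Compares the registry
# locations implied by the report's signatures against stock Windows 10 defaults.
# Run on the suspect host; HKLM policy keys need an elevated session to be meaningful.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name          # '(default)' works here for unnamed values
}

function Get-TriageFindings {
    $findings = New-Object System.Collections.Generic.List[object]
    $add = { param($Sig, $Path, $Name, $Value, $Bad)
        $findings.Add([pscustomobject]@{ Signature = $Sig; Key = "$Path\$Name"
                                          Value = $Value; Suspicious = [bool]$Bad }) }

    # Modifies WinLogon for persistence: anything beyond explorer.exe / userinit.exe
    # in these two values is executed at every interactive logon.
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = Get-RegValue $wl 'Shell'
    & $add 'Modifies WinLogon for persistence' $wl 'Shell' $shell ($shell -ne 'explorer.exe')
    $userinit = Get-RegValue $wl 'Userinit'
    $badUserinit = $userinit -notmatch '^(C:\\Windows\\system32\\)?userinit\.exe,?$'
    & $add 'Modifies WinLogon for persistence' $wl 'Userinit' $userinit $badUserinit

    # Modifies visibility of file extensions / hidden and system files in Explorer.
    # HideFileExt=1 and Hidden=2 are also the out-of-box defaults, so these are reported
    # for comparison with the user's known settings rather than flagged outright.
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    foreach ($n in 'HideFileExt', 'Hidden', 'ShowSuperHidden') {
        & $add 'Modifies Explorer visibility' $adv $n (Get-RegValue $adv $n) $false
    }

    # Disables RegEdit via registry modification (1 = disabled, 2 = disabled silently).
    $pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $drt = Get-RegValue $pol 'DisableRegistryTools'
    & $add 'Disables RegEdit' $pol 'DisableRegistryTools' $drt ($drt -eq 1 -or $drt -eq 2)

    # Disables use of System Restore points.
    $sr = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
    $dsr = Get-RegValue $sr 'DisableSR'
    & $add 'Disables System Restore' $sr 'DisableSR' $dsr ($dsr -eq 1)

    # Modifies system executable filetype association: the clean value is "%1" %*.
    # A hijacked command runs the malware every time any .exe is launched via the shell.
    $exe = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    $cmd = Get-RegValue $exe '(default)'
    & $add 'Modifies exefile association' $exe '(default)' $cmd ($cmd -ne '"%1" %*')

    # Adds Run key to start application: flag entries that point at the drop paths the
    # report lists (the profile name on a real host differs from the sandbox's "Admin").
    $dropPattern = '(\\AppData\\Local\\WINDOWS\\|\\AppData\\Local\\winlogon\.exe|' +
                   '\\Windows\\xk\.exe|\\SysWOW64\\IExplorer\.exe)'
    foreach ($run in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $item = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's metadata properties
            & $add 'Adds Run key' $run $p.Name $p.Value ($p.Value -match $dropPattern)
        }
    }
    return $findings
}

Get-TriageFindings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Anything marked Suspicious deserves a look at the full value, not just the flag: a Userinit or exefile hijack usually names the dropped binary directly, which ties the registry finding to the file paths in the Downloads section.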

Processes

  • C:\Users\Admin\AppData\Local\Temp\c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
    "C:\Users\Admin\AppData\Local\Temp\c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4480
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2736
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2800
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2408
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2124
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:432
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4860
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3828

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    91KB

    MD5

    5d9bcc8e60b24b41deefdfd090f50eef

    SHA1

    c56a5eec73c3eb812f45c500a0cc5afce2e2fd0f

    SHA256

    ebe9ab4bb1bbe1c667ca49227dcfe6405adeba5c4faa8920ba18d0c9a2727ea8

    SHA512

    8b8084e8c971e8217a60eb8072e8a4ca0e64589670ade9ff7b443c6001f5f38e7d2a099b2cba46b8ef27cc5663ae192cd530e6b59238b0fe4590e0d4c5d84cf7

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    91KB

    MD5

    0d40541551f18fe9d0e5726b23487ae8

    SHA1

    8b8caed28243aa7b65c1682171e4f37c6ad32c3b

    SHA256

    421c614b38ba694b5938c652a4450776115605aef0f6422eb5a7528b1c461f7c

    SHA512

    0f8df740244bd474e6d7258376d286b944b33018191841fa93ae25f6a322a8ba926eb05f4c2a8142981996439f9b3351c23ebb49b7144712dff0d41ad4aae2b3

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    91KB

    MD5

    dd2fe9c169a58117163c5906e30fb168

    SHA1

    92d4b01b72db67c83d3329ad181a1d64b8d3e1e1

    SHA256

    7fd52943af31ee03320f622044225ab6e2ba29b1eebe17462ad0616f91d1addf

    SHA512

    890b4da8082c688acd6520173014f20c441c29e3ff6bafcec6918edd6ec6fdb6bc0ec23a64872fca2869cd26a65f65f181c71e9a72da1d49d92dd19eb446fdc1

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    91KB

    MD5

    cf99f989acdd07d63927baa632ab07bd

    SHA1

    ee109db72ab5bdd44a6b9f6c33e76d95f498b63b

    SHA256

    5965d9b14bdcd0c3457ab50815cc1119e8fc4b00da6f2293f7f28a7dda8b09b8

    SHA512

    e5bdb87edca44193aff776a8b3276a4dffdaf0bc0392889bf9dcbd8851bfeed6e85aed862159c4e829fbf4183d41a3d27c9ab7e67d73b8dfc7922167a2aff1e3

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    91KB

    MD5

    d51ccf727a6e8d93341fd11a0349ea10

    SHA1

    3e1c947c199746991a9fb101d9984913bf754937

    SHA256

    de490dff0895b2efa4ed540f0718a2c12dbe157fccc6f108d2794af56c95ff7b

    SHA512

    187458c7cafc8b80366349522a5141e4caca097a9c30cc8ba37ad7e8570a44f05843b5104d616d7637c58acc245462e5dae05dc60d367b340b1796886ec89408

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    91KB

    MD5

    b2e7729144512e4662ecdf17295b7d7e

    SHA1

    913a139a2c0d0d8c39de05ccb460c3138fdc6c2c

    SHA256

    c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3

    SHA512

    50c2c27137aae8f1fc68d14fd76612fee8c8af4d1a17fa15a027890c206acfe447ab67f819ac2aa6430227fba154c7488c88952b072a0e1fb3e3199d659e4786

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    91KB

    MD5

    182d9655c156c25df6e4988451917b05

    SHA1

    b1d9ec5a96f55357899dc0bd6e0a8d5b51309641

    SHA256

    752fdf8ded30bd5eb304bd18e96f7e79675ebc87e64700ca80f68082c0ab0d32

    SHA512

    ee53738b9e9af20ece0f72b62cab6feeeab11b201c8ddf715782c3bc8da0898ebc7dab5fe003adf00232759cb89e2c2267f3e8e6b6c6a4ea00a2339118ce4e5d

  • C:\Windows\xk.exe

    Filesize

    91KB

    MD5

    52c93006b1e164d65d56b1975c455ecd

    SHA1

    d13609190774954949998cc4a82cf435fbae943d

    SHA256

    3e3497f321f89306d4d00ad1b556f962cfa5a84b76519142b8eb1dfdd3affba8

    SHA512

    bd7bbbce3ff541b8794bc5f7b69a036ef12464ae8845675a213cc6bbe434c5959c7f08da01bead89362cb4ee874c2610bccd5c8aa91f2a5176dac1b8745eda0b

  • memory/432-142-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/432-136-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2124-132-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2408-125-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2736-113-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2800-118-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3828-153-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4480-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4480-155-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4860-147-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB
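A point worth noticing in the Downloads list: every dropped copy is 91KB like the original, yet each carries a different SHA256, and only AppData\Local\winlogon.exe is byte-identical to the submitted sample. Matching on the report's hashes alone will therefore miss copies on another host. The sweep below, added here as an example and not part of the tria.ge report, checks the listed drop locations (with the current profile substituted for the sandbox's "Admin" user), compares SHA256 against the report's values, and additionally reports any file present at those paths regardless of hash, since none of them exists on a stock Windows install. It also performs a cheap check for the UPX section markers the "UPX packed file" signature refers to; that marker check is a general UPX heuristic, not something the report states about these files.

```powershell
# Added sweep script (example, not part of the tria.ge report). Hashes are copied from
# the report's Downloads section; paths follow the report with the user profile substituted.

$reportedDrops = @(
    @{ Path = "$env:LOCALAPPDATA\WINDOWS\CSRSS.EXE";    Sha256 = 'ebe9ab4bb1bbe1c667ca49227dcfe6405adeba5c4faa8920ba18d0c9a2727ea8' }
    @{ Path = "$env:LOCALAPPDATA\WINDOWS\LSASS.EXE";    Sha256 = '421c614b38ba694b5938c652a4450776115605aef0f6422eb5a7528b1c461f7c' }
    @{ Path = "$env:LOCALAPPDATA\WINDOWS\SERVICES.EXE"; Sha256 = '7fd52943af31ee03320f622044225ab6e2ba29b1eebe17462ad0616f91d1addf' }
    @{ Path = "$env:LOCALAPPDATA\WINDOWS\SMSS.EXE";     Sha256 = '5965d9b14bdcd0c3457ab50815cc1119e8fc4b00da6f2293f7f28a7dda8b09b8' }
    @{ Path = "$env:LOCALAPPDATA\WINDOWS\WINLOGON.EXE"; Sha256 = 'de490dff0895b2efa4ed540f0718a2c12dbe157fccc6f108d2794af56c95ff7b' }
    @{ Path = "$env:LOCALAPPDATA\winlogon.exe";         Sha256 = 'c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3' }
    @{ Path = "$env:SystemRoot\SysWOW64\IExplorer.exe"; Sha256 = '752fdf8ded30bd5eb304bd18e96f7e79675ebc87e64700ca80f68082c0ab0d32' }
    @{ Path = "$env:SystemRoot\xk.exe";                 Sha256 = '3e3497f321f89306d4d00ad1b556f962cfa5a84b76519142b8eb1dfdd3affba8' }
)

function Test-UpxMarker {
    # Heuristic only: UPX-packed PEs normally carry "UPX0"/"UPX1" section names and a
    # "UPX!" magic string. A renamed-section build would evade this check.
    param([string]$Path)
    $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($Path))
    return ($text.Contains('UPX0') -or $text.Contains('UPX1') -or $text.Contains('UPX!'))
}

function Invoke-DropSweep {
    param([hashtable[]]$Drops = $reportedDrops)
    foreach ($d in $Drops) {
        if (-not (Test-Path -LiteralPath $d.Path -PathType Leaf)) {
            [pscustomobject]@{ Path = $d.Path; Present = $false; HashMatch = $null
                               Upx = $null; Sha256 = $null }
            continue
        }
        # Presence alone is a finding: these paths do not exist on a clean install.
        $h = (Get-FileHash -LiteralPath $d.Path -Algorithm SHA256).Hash.ToLowerInvariant()
        [pscustomobject]@{ Path = $d.Path; Present = $true; HashMatch = ($h -eq $d.Sha256)
                           Upx = (Test-UpxMarker $d.Path); Sha256 = $h }
    }
}

Invoke-DropSweep | Format-Table -AutoSize
```

Treat Present=True with HashMatch=False as a hit to triage, not a miss: the report itself shows that the dropper produces a distinct hash for each copy, so a byte-identical match should only be expected for the self-copy at AppData\Local\winlogon.exe.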