Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
139s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
24/08/2024, 02:15
General
-
Target
c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
-
Size
91KB
-
MD5
b2e7729144512e4662ecdf17295b7d7e
-
SHA1
913a139a2c0d0d8c39de05ccb460c3138fdc6c2c
-
SHA256
c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3
-
SHA512
50c2c27137aae8f1fc68d14fd76612fee8c8af4d1a17fa15a027890c206acfe447ab67f819ac2aa6430227fba154c7488c88952b072a0e1fb3e3199d659e4786
-
SSDEEP
1536:ERsjdf1aM67v32Z9x5nouy8VT9gRsjdf1aM67v32Z9x5nouy8VT+W:EOaHv3YpoutN+OaHv3YpoutN+W
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Disables RegEdit via registry modification 2 IoCs
-
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 7 IoCs
-
Modifies system executable filetype association 2 TTPs 13 IoCs
-
UPX packed file 18 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Drops file in System32 directory 6 IoCs
-
Drops file in Windows directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Control Panel 4 IoCs
-
Modifies registry class 15 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe"C:\Users\Admin\AppData\Local\Temp\c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\xk.exeC:\Windows\xk.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
91KB
MD55d9bcc8e60b24b41deefdfd090f50eef
SHA1c56a5eec73c3eb812f45c500a0cc5afce2e2fd0f
SHA256ebe9ab4bb1bbe1c667ca49227dcfe6405adeba5c4faa8920ba18d0c9a2727ea8
SHA5128b8084e8c971e8217a60eb8072e8a4ca0e64589670ade9ff7b443c6001f5f38e7d2a099b2cba46b8ef27cc5663ae192cd530e6b59238b0fe4590e0d4c5d84cf7
-
Filesize
91KB
MD50d40541551f18fe9d0e5726b23487ae8
SHA18b8caed28243aa7b65c1682171e4f37c6ad32c3b
SHA256421c614b38ba694b5938c652a4450776115605aef0f6422eb5a7528b1c461f7c
SHA5120f8df740244bd474e6d7258376d286b944b33018191841fa93ae25f6a322a8ba926eb05f4c2a8142981996439f9b3351c23ebb49b7144712dff0d41ad4aae2b3
-
Filesize
91KB
MD5dd2fe9c169a58117163c5906e30fb168
SHA192d4b01b72db67c83d3329ad181a1d64b8d3e1e1
SHA2567fd52943af31ee03320f622044225ab6e2ba29b1eebe17462ad0616f91d1addf
SHA512890b4da8082c688acd6520173014f20c441c29e3ff6bafcec6918edd6ec6fdb6bc0ec23a64872fca2869cd26a65f65f181c71e9a72da1d49d92dd19eb446fdc1
-
Filesize
91KB
MD5cf99f989acdd07d63927baa632ab07bd
SHA1ee109db72ab5bdd44a6b9f6c33e76d95f498b63b
SHA2565965d9b14bdcd0c3457ab50815cc1119e8fc4b00da6f2293f7f28a7dda8b09b8
SHA512e5bdb87edca44193aff776a8b3276a4dffdaf0bc0392889bf9dcbd8851bfeed6e85aed862159c4e829fbf4183d41a3d27c9ab7e67d73b8dfc7922167a2aff1e3
-
Filesize
91KB
MD5d51ccf727a6e8d93341fd11a0349ea10
SHA13e1c947c199746991a9fb101d9984913bf754937
SHA256de490dff0895b2efa4ed540f0718a2c12dbe157fccc6f108d2794af56c95ff7b
SHA512187458c7cafc8b80366349522a5141e4caca097a9c30cc8ba37ad7e8570a44f05843b5104d616d7637c58acc245462e5dae05dc60d367b340b1796886ec89408
-
Filesize
91KB
MD5b2e7729144512e4662ecdf17295b7d7e
SHA1913a139a2c0d0d8c39de05ccb460c3138fdc6c2c
SHA256c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3
SHA51250c2c27137aae8f1fc68d14fd76612fee8c8af4d1a17fa15a027890c206acfe447ab67f819ac2aa6430227fba154c7488c88952b072a0e1fb3e3199d659e4786
-
Filesize
91KB
MD5182d9655c156c25df6e4988451917b05
SHA1b1d9ec5a96f55357899dc0bd6e0a8d5b51309641
SHA256752fdf8ded30bd5eb304bd18e96f7e79675ebc87e64700ca80f68082c0ab0d32
SHA512ee53738b9e9af20ece0f72b62cab6feeeab11b201c8ddf715782c3bc8da0898ebc7dab5fe003adf00232759cb89e2c2267f3e8e6b6c6a4ea00a2339118ce4e5d
-
Filesize
91KB
MD552c93006b1e164d65d56b1975c455ecd
SHA1d13609190774954949998cc4a82cf435fbae943d
SHA2563e3497f321f89306d4d00ad1b556f962cfa5a84b76519142b8eb1dfdd3affba8
SHA512bd7bbbce3ff541b8794bc5f7b69a036ef12464ae8845675a213cc6bbe434c5959c7f08da01bead89362cb4ee874c2610bccd5c8aa91f2a5176dac1b8745eda0b
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB