Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
2s -
max time network
105s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
07/09/2024, 23:04
General
-
Target
4bf50a3b9a2de2fd3e7a07c9a1381800N.exe
-
Size
384KB
-
MD5
4bf50a3b9a2de2fd3e7a07c9a1381800
-
SHA1
88acc805347ad6856b34e0b21cad63ecdf93ee0e
-
SHA256
f97932bb8d75d8239edadd768fa301261a246d5f19edcd3b879a1dc6237627a1
-
SHA512
e3a16a13609e6b2d80a6ff429b857b77c68e9e56fa8cd8a47efda5ab26bcae7199e79a8503988ca3f4569ef6e3b35cf1180ef294e6647c5d0fb0f01c4c6a56db
-
SSDEEP
6144:V/OZplJ/OZplP/OZplx/OZpl7/OZplx/OZpl4/OZplpBE/OZ8:V/MJ/MP/Mx/M7/Mx/M4/MpBE/h
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs
-
Disables RegEdit via registry modification 3 IoCs
-
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 3 IoCs
-
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 3 IoCs
-
Modifies system executable filetype association 2 TTPs 35 IoCs
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Modifies WinLogon 2 TTPs 9 IoCs
-
Drops file in System32 directory 8 IoCs
-
Drops file in Windows directory 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Control Panel 27 IoCs
-
Modifies Internet Explorer settings 1 TTPs 9 IoCs
-
Modifies Internet Explorer start page 1 TTPs 3 IoCs
-
Modifies registry class 55 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
System policy modification 1 TTPs 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4bf50a3b9a2de2fd3e7a07c9a1381800N.exe"C:\Users\Admin\AppData\Local\Temp\4bf50a3b9a2de2fd3e7a07c9a1381800N.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
-
-
-
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
-
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
-
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
-
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
384KB
MD508b5e6e5c97c7ac51110ccd2798ed5f3
SHA1c4eb00e1e32b8202cbcc4a52b83819a7d914c3d0
SHA2565d65423c210f515d8b1fd86458a02a254676cf41bb751a71806d307a6571d101
SHA5127ed4d2e8e24a44be324e2cad2960101ce770d5f447d54ca088a511731915b8ca7acb513fdc48c0ee4752af518fd64ffd773993f307946855547770348a4f2198
-
Filesize
45KB
MD525c1b9b895ed5ef98227f76d46c3eb09
SHA12d96360f7d3836284c0e916453af5f2af891ef27
SHA256d7c4649e56ce3e75a9bb404a700be799adfb5defa35a53fcfbd87d146f6d3eb5
SHA512ed6be809b96964db0be7714a108cfe862702b870cc0efa6f6be0980d1bebdce708e4238bdd2322e7c3b64c51331fc35df9a4ee46dd66ce5db9922a1379434446
-
Filesize
384KB
MD5b6ad5612716fea7cdf4ff2a69d1a1824
SHA1e4f7d8ea44dc9a6773eab8c88e7cdf6b9c5f3ff4
SHA2564343a234cbbd175bee1ca187ffc428250c390394979e0da77e478933a95c9adf
SHA512f664ef617f05fcafed6d8940a0ce84088f4cde7966dadf10c2d87c1a3a7660a62e2f4c986281e3db50936d21532e9a17c59bec017cba23e3b04bd1caeab11907
-
Filesize
384KB
MD5f927a8cab0db60398c058182d37b6b10
SHA1dc8505ba82988b9662b011b7bf3eb96281970b2b
SHA256dbb77f0d9d9dee44f44bed62bf11b799a98ba1ac6f1afd7693fb7ec31f52c91d
SHA5127162b4ff5d7454e6aca2bb7d96e103bd88572888e5dc5404e6acac7c549d428e32b01bf246a4f3844628acf1cd0b66f46988ff16ec6b8453cd07921dddaa73c6
-
Filesize
384KB
MD50a168578702ba2f6822d7ceb022684e3
SHA1464b20f9e94fb6617a5bb6669e290aed2932d645
SHA2567d865b8b680e3a66fa95f942ed5b1eaa445f44a072b9c70ff7fca8514de1367e
SHA5124905e0490404c68d97d9454aefa342ad10fb9304db3dee736fbb1c7e2a09c956c6a3019f8cf9026d374831a248f972ba1fd486fba73da64172428bd9a32df9b7
-
Filesize
384KB
MD51d9c71c6cfa3c172d75539de2dab71dc
SHA1c8844eb03ce930540aaf57405c1cd77ca9b3e189
SHA256f585bad83c2b60edf980c9213e10069fd05243270e679aa45f95588617d61140
SHA51211b6e0d818b358eadb5f5864c05da2abb9af4a2c2753c257717033d5bd70aaecf64e61f8e4c2a83356ce821214cbe18b4f39187e31d6841307995821aebe76f3
-
Filesize
45KB
MD5c1668d2b4328fa8b7afb6bf6261be1b5
SHA1a40783e087df0d079e2cef55261e4213ee56062d
SHA256ad084af23a412d1a65ecb5e897e229f93997ace61b8729bd24ece1af5e557718
SHA512789cb3c3332217de085187a7da7dbc32670e7baaa27f6a6a4c66a07285dc75a24ffa0a6e666af7b21ef61a7bab76518f7ac66a5ffeb670dc37be39092cb4de03
-
Filesize
45KB
MD5593346605bd1191981aaf732fc4405be
SHA1a39022e0118f62bb3358b9dd2342516f5b418bb9
SHA2562de85d2c8ba20580627ee7dad20ca0b48a6863954bc9884946c13de64a7d3967
SHA51252b3ad7dae3934311ea882fff7332146a30ba538233014c08bbb6101b96f172f8fdfceb4c25ee7fe2038bcad00c64d8cd892d7ef04429de56535966fc73e53a1
-
Filesize
45KB
MD5fbc202a44b0295a9a8312bbcd049de50
SHA15e70503db7e1b5a4f8bdd0215fe1f46d131298b1
SHA25607d65daa9b0087e23b88504f946b4c5cb0717b81e13f126e530bda3b6f5eec1b
SHA512f371bfbe06732286ed9906c82edb85a5b8225c88b46afba4be38c28fad5f4457a909c1a19c34658b6cd1cd41b8ef9ef5af26bcca570560ca8da9226a8ef1c062
-
Filesize
384KB
MD57791172444de66630081aed02f6205fa
SHA1cfcd31ecc85651d374916ef1492b0176d55dd960
SHA256f277bcb497dff8e6dc058b8e0ca812b5165d36861f1319ab591faeee3bbeacbc
SHA512e205ee2f5be293707c3af751b6ef27e5795abe319faa366af8be9c1f3d8964522ed3249608a216e517ccc125bc702603e5fc656b9dadded806ed335c341a665f
-
Filesize
384KB
MD564d3ac3d3ee152a063d6e58c645642b5
SHA153247c21dd18b4aa901ed10b00e9116994ed2e8e
SHA2568854b76695ad695fe98a9aaa24d67164f7c3124a3133b769497a72499c075f25
SHA51219cb8b7040529cde66c2fb0d09b4e49334e5f567d9df9c580af8619c872ebef8abe303b24e2cbdbfedad724b39a5de4a902e8b0a8ffddbc754ba847d0973f7ae
-
Filesize
384KB
MD51e73571a3620e150150a9fe7f62c292d
SHA104eb82077ef419370ea4c3ed26484daa5e31d9de
SHA2563e5b19f402e7eb91fa5e19ede8610d5d178b433832f3817e1a5ce18ea74405a0
SHA512266a06f7fe34230c6a6ed41401ba3b9c9cc57616e3c9d101a2928f54e7309b774d2f2c3d0bfe2bf73c5f0ef9cf582377a9481430b0753fbea8dd2f4bc172c4a1
-
Filesize
384KB
MD50f54c26bb9a6ae772a84a0607f7902fb
SHA12ed3cce86cd81da5d7cfb22209c5afd79a3dfed4
SHA25616a74fc0da3f848bb38a73a6f9a55c69c05bf32691af7b25843b5e199b3cc786
SHA512ef0c82f2904c332801a45c90a25e460d4ae12cdb76050945ac41a0dee32be42ed0aa7d329c0b8374cb0a8df5ae12e157ebc9626538d952dc3d6020170cd7de7e
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
384KB
MD579383a6384af205838647340b34874aa
SHA1ccd057b8f2c3979c8f89533792df3e812404007c
SHA256d5de07fd7691c73dfec258ca7a1f595b891fe271128b66e94bdd98ea84ebb3ac
SHA512104c02779275254a4d033e561d4b7159e4dec93feb9fcf83f0b81672186c25f3410e77036363c41bf4eb0b1baa237bbfee9125557c248b908c149743de3a3058
-
Filesize
384KB
MD5981f5649f7dddf2db1fd6bddf3ebeb23
SHA19fd0e59d08aaa3f199b15be56e278a57434aa751
SHA25680d51d26ce7d2e75f72f84cf3713cfbb3fdfc9058b1bb8271cf1b811fe46fdbb
SHA512c4ce6bd17d0b239ecb276092ff0eb4aadc673f86c6cac0933eb669c9c459eebe040beac5ae0cdd6f72fbd9b282b70ee8f153a45a3f3d69e17b9433a73c26d79c
-
Filesize
384KB
MD54bf50a3b9a2de2fd3e7a07c9a1381800
SHA188acc805347ad6856b34e0b21cad63ecdf93ee0e
SHA256f97932bb8d75d8239edadd768fa301261a246d5f19edcd3b879a1dc6237627a1
SHA512e3a16a13609e6b2d80a6ff429b857b77c68e9e56fa8cd8a47efda5ab26bcae7199e79a8503988ca3f4569ef6e3b35cf1180ef294e6647c5d0fb0f01c4c6a56db
-
Filesize
384KB
MD5a25413975635a40d9848dc3753ee09a7
SHA187b938f6088143e78f39303ca78977414cc2e229
SHA256be7568633a1dea1d67f91246e446b8d3be534f03c9193738813e365c8bf12629
SHA5123cd75a1bc9cea41984f9ebb1387bfbaf574801836841171f722f51138f6635ff1d31b26105b4da230c652914c2933871e4ede8ad89134b2edb52b8eb07ee25b6
-
Filesize
384KB
MD5634b660e63ef2ea1fe037a24126d5d80
SHA17e8854c2ab711e5164bdecc0c10148080ee71e12
SHA2560f29bcc988c8c0fbb757724da65385349270a639891a823fd8671a334a2a26fe
SHA5121eaba844dff8cea536f104e4c756c199cc082660366c41dccc6f4bf3ad357b4e19175bc8c12188c7b963a6e25ab76d21cbb58753fc5c3adfdac4e3cf18282e49
-
Filesize
729B
MD58e3c734e8dd87d639fb51500d42694b5
SHA1f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
SHA256574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
SHA51206ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853
-
Filesize
384KB
MD582497af673e5b3d112ce04dfabc750e0
SHA1f23be830f35a79ac8cc21c81c9556eb91f217529
SHA25647b62b7eca73d9a7eaaa396113bc4c316445256778a286ab14b2c02017ddac70
SHA5121ea23994be00b7391374f8a4b0da1291f055bfb56a5003c0d88aef159f61a2a4e04dbb8e705d007498d320a1311fcd69cea94b648e0729d859a063427c571ed1
-
Filesize
39B
MD5415c421ba7ae46e77bdee3a681ecc156
SHA1b0db5782b7688716d6fc83f7e650ffe1143201b7
SHA256e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
SHA512dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB