Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

01f3c0412d...0N.exe

windows7-x64

10

01f3c0412d...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    18s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12/09/2024, 00:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    01f3c0412dccc0b72ee4060d3a45d350N.exe

  • Size

    45KB

  • MD5

    01f3c0412dccc0b72ee4060d3a45d350

  • SHA1

    6c9e1e21f3c408c5a03ad93b706fdc1c079c6587

  • SHA256

    08b9cc436ad26a14d42dbba3593cc54d8a501a0074aa2089bf50ad1b07b27e89

  • SHA512

    630b84b4581deb76a6bba97aad119ce93301ce43df28cc39bb39da4837e4c2e86de83d8eb1c6ce9e467e5bd2abd6641b611afbc72972f8f20edbd2d46b5a63ca

  • SSDEEP

    768:PmFQj8rM9whcqet8WfuzHVHFNNqDaG0XjqGoxhz/8szBnP7DFK+5nE4B:FAwEmBGz1lNNqDaG0PoxhlzmC

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\01f3c0412dccc0b72ee4060d3a45d350N.exe
    "C:\Users\Admin\AppData\Local\Temp\01f3c0412dccc0b72ee4060d3a45d350N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2368
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2128
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1972
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2432
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2052
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2672
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1996
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

6
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\services.exe
    Filesize

    45KB

    MD5

    01f3c0412dccc0b72ee4060d3a45d350

    SHA1

    6c9e1e21f3c408c5a03ad93b706fdc1c079c6587

    SHA256

    08b9cc436ad26a14d42dbba3593cc54d8a501a0074aa2089bf50ad1b07b27e89

    SHA512

    630b84b4581deb76a6bba97aad119ce93301ce43df28cc39bb39da4837e4c2e86de83d8eb1c6ce9e467e5bd2abd6641b611afbc72972f8f20edbd2d46b5a63ca

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    45KB

    MD5

    d2b37b2931c36c65952dc081c3dd82d1

    SHA1

    d2cf64e4ff9e8e36724da9a55015bd4e2569beab

    SHA256

    4bc5defeadef6d7b1aee65e5bbcb3227e0168014bad56fe46f620dd0ff5ac3b0

    SHA512

    b43e1923b9ad4ee2109b6567b9651331ed220f8fd3d81a7637e2a6a766681a261454ddde7f08f6d49d364bc0203cb49d7fb2ec7649ff3e78b87d95c002aa636a

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    45KB

    MD5

    05cf21675ff0d45b8dfb3d436b236f86

    SHA1

    6d4d4b7f6a3ea8e5472d35a279d3c878044bcbb3

    SHA256

    1d0bc6293e225288103d744866ab0e9454860ed33592179cf746c0b680b192bb

    SHA512

    e8da5bd5a38748abc4d14166ca409802339b7868282535040098e4e243e44d110bd07e6ebb7081c090a4893632e2fdc8283fffedfeb4ce99ec96d952e8c9757d

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    45KB

    MD5

    17970e279bb468fb71afac16a8637ba4

    SHA1

    3eeac121254767010cd80250687ad12313df5e3e

    SHA256

    bdb3ca7c8def6710a9ee8443adae8bc8448243113543f28cdaa33394ce81812d

    SHA512

    1834d8be17b6be0180d93c81802392585453dbd586ad10dcac8049ef0b4ecba05f3da0f346a02ee941cedbb5fa17a69cd502aac76e79a3a21e76ad97805d6035

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    45KB

    MD5

    fa14f915eed4da37f87bbba2e1d98865

    SHA1

    04c77548b0bda5ebcb7948b6d917f65d03f9d67a

    SHA256

    4f804c3a544978f88dafe8544f887c1f0f7124241474b6e2afba5acd25c6f6e7

    SHA512

    46cc787e8046162469273a8a5b766d323a0a46dc76c1d3353b8ed6cdb44ba00050486d1d9d0a2bd2d331e5fcfce36a8282bd76b55020d7c1348075afc6fe758b

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    45KB

    MD5

    78cc20cf6c22c866b38edcb2c01eb639

    SHA1

    5ce48d236b5ebe23208b8f647b94870e5354a747

    SHA256

    d98d12d531e716533da025f3f45069faaf3747947ec5ff3799736e28d50c05d8

    SHA512

    308aa69188268fc37dabd59299961acee2fb3e478eee04312115f71af5f2e2f141b017b58a4a9cee92b4464814553d4896522de35602b744f0ee51e7d029cb78

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    45KB

    MD5

    f2126247487322a3752c1df4b02f930b

    SHA1

    2aa38ed4918b1c08ca3608a6b72d2e7431610b75

    SHA256

    8b2b484bb8a34ae0109de245d88fe512b32a46ff16087aef6da96d5ae535ea4f

    SHA512

    fb8101748acc39b9c6b9ede86c53d21a89290504f71442f45886f825121b4cdf173cde79eca0e2fff4facb7cedb9e5a2bf82b1225cad7344b58646998a4cad2a

    Download Submit

  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    45KB

    MD5

    83af5304844ae6f5ed49498beccbd821

    SHA1

    8f8b9b17ff28098f990108eaf89bcbb0f1162bfd

    SHA256

    79c4a2f0a789e24abb7e417ed4fc7af30278dd77528c003263e015c6a7c2865a

    SHA512

    875bfa84457ebeb9162ad0dd30f5f4b82b9e7e68c1d6cc16b002c5ec398252bddaffe6fb6d3cd5aaa857aef20ca70c96d28e4f6ff7df0e3f47fddd7a8fa5b2c3

    Download Submit

  • memory/1420-185-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1972-122-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1972-125-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1996-172-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2052-150-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2128-121-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2368-140-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2368-108-0x0000000002470000-0x000000000249E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2368-145-0x0000000002470000-0x000000000249E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2368-153-0x0000000002470000-0x000000000249E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2368-0-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2368-168-0x0000000002470000-0x000000000249E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2368-109-0x0000000002470000-0x000000000249E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2368-175-0x0000000002470000-0x000000000249E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2368-132-0x0000000002470000-0x000000000249E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2368-186-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2432-139-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download