Analysis

  • max time kernel
    94s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/09/2024, 00:32 UTC

General

  • Target

    01f3c0412dccc0b72ee4060d3a45d350N.exe

  • Size

    45KB

  • MD5

    01f3c0412dccc0b72ee4060d3a45d350

  • SHA1

    6c9e1e21f3c408c5a03ad93b706fdc1c079c6587

  • SHA256

    08b9cc436ad26a14d42dbba3593cc54d8a501a0074aa2089bf50ad1b07b27e89

  • SHA512

    630b84b4581deb76a6bba97aad119ce93301ce43df28cc39bb39da4837e4c2e86de83d8eb1c6ce9e467e5bd2abd6641b611afbc72972f8f20edbd2d46b5a63ca

  • SSDEEP

    768:PmFQj8rM9whcqet8WfuzHVHFNNqDaG0XjqGoxhz/8szBnP7DFK+5nE4B:FAwEmBGz1lNNqDaG0PoxhlzmC

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\01f3c0412dccc0b72ee4060d3a45d350N.exe
    "C:\Users\Admin\AppData\Local\Temp\01f3c0412dccc0b72ee4060d3a45d350N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3744
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1084
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2744
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4576
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:224
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4232
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3488
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1284
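The five children under C:\Users\Admin\Local Settings\Application Data\WINDOWS\ carry the names of core Windows processes (WINLOGON, CSRSS, SERVICES, LSASS, SMSS) yet run from the user profile; "Local Settings\Application Data" is the legacy compatibility junction for AppData\Local, which is why the Downloads section lists the same files under C:\Users\Admin\AppData\Local\WINDOWS\. The sixth child, IExplorer.exe in SysWOW64, imitates a real binary name with a near-miss spelling. The detection below is an added example, not part of the Triage report: it walks the process tree transcribed from above and flags both patterns, an exact system binary name outside System32 and a lookalike name. The SYSTEM_BINARIES allow-list, the LOOKALIKE_TARGETS list, the 0.9 similarity threshold and all function names are my own choices.

```python
import difflib
import ntpath

# PIDs and image paths transcribed from the process tree in the report.
PROCESS_TREE = [
    (3744, r"C:\Users\Admin\AppData\Local\Temp\01f3c0412dccc0b72ee4060d3a45d350N.exe"),
    (1084, r"C:\Windows\xk.exe"),
    (2744, r"C:\Windows\SysWOW64\IExplorer.exe"),
    (4576, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"),
    (224,  r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"),
    (4232, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"),
    (3488, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"),
    (1284, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"),
]

# Assumed allow-list: core processes that only ever run from %SystemRoot%\System32.
SYSTEM32 = r"c:\windows\system32"
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "wininit.exe",
                   "services.exe", "lsass.exe", "winlogon.exe"}
# Names worth checking for near-miss spellings; order decides tie-breaks.
LOOKALIKE_TARGETS = ["iexplore.exe", "explorer.exe", "svchost.exe"] + sorted(SYSTEM_BINARIES)
LOOKALIKE_THRESHOLD = 0.9   # assumed cut-off on difflib's similarity ratio

# "Local Settings\Application Data" is the Vista+ junction for "AppData\Local";
# fold it so both spellings of the same file compare equal.
JUNCTION = "\\local settings\\application data\\"


def normalize_path(path):
    """Lower-case a Windows path and resolve the legacy profile junction."""
    p = path.lower().replace("/", "\\")
    return p.replace(JUNCTION, "\\appdata\\local\\")


def closest_known_name(name):
    """Return the allow-listed name that `name` most resembles, if it is close
    enough to count as a lookalike but is not itself an exact match."""
    best, best_score = None, 0.0
    for known in LOOKALIKE_TARGETS:
        score = difflib.SequenceMatcher(None, name, known).ratio()
        if score > best_score:
            best, best_score = known, score
    if best == name or best_score < LOOKALIKE_THRESHOLD:
        return None
    return best


def find_masquerades(tree):
    """Flag (pid, path, reason) for each process whose image name matches or
    imitates a system binary but does not run from its legitimate directory."""
    hits = []
    for pid, path in tree:
        norm = normalize_path(path)
        name = ntpath.basename(norm)
        directory = ntpath.dirname(norm)
        if name in SYSTEM_BINARIES:
            if directory != SYSTEM32:
                hits.append((pid, path, f"{name} running outside {SYSTEM32}"))
            continue
        look = closest_known_name(name)
        if look is not None:
            hits.append((pid, path, f"name resembles {look}"))
    return hits


if __name__ == "__main__":
    for pid, path, reason in find_masquerades(PROCESS_TREE):
        print(f"PID {pid:>5}  {reason}\n           {path}")
```

Run against the tree above this flags PIDs 224, 1284, 3488, 4232 and 4576 for running outside System32 and PID 2744 as a lookalike of iexplore.exe; the sample itself (3744) and xk.exe (1084) are not caught by this rule, so a path-based check needs the hash list from the Downloads section to complete it.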

Network

The only traffic recorded for this run is reverse (PTR) lookups sent to the sandbox resolver at 8.8.8.8:53; the report lists no HTTP requests and no connections from the sample to any other host. The "Queried IP" column is the in-addr.arpa name with its four labels reversed. Reverse lookups on their own are not evidence of command-and-control; unless a connection is tied to a process in the tree they should be treated as background activity.

| PTR query | Queried IP | Sent | Received | Requests | Responses | PTR answer |
|---|---|---|---|---|---|---|
| 228.249.119.40.in-addr.arpa | 40.119.249.228 | 73 B | 159 B | 1 | 1 | no record in response |
| 172.210.232.199.in-addr.arpa | 199.232.210.172 | 74 B | 128 B | 1 | 1 | no record in response |
| 22.160.190.20.in-addr.arpa | 20.190.160.22 | 72 B | 158 B | 1 | 1 | no record in response |
| 196.249.167.52.in-addr.arpa | 52.167.249.196 | 146 B | 147 B | 2 | 1 | no record in response |
| 86.23.85.13.in-addr.arpa | 13.85.23.86 | 70 B | 144 B | 1 | 1 | no record in response |
| 198.187.3.20.in-addr.arpa | 20.3.187.198 | 71 B | 157 B | 1 | 1 | no record in response |
| 25.140.123.92.in-addr.arpa | 92.123.140.25 | 72 B | 137 B | 1 | 1 | a92-123-140-25.deploy.static.akamaitechnologies.com |
| 240.143.123.92.in-addr.arpa | 92.123.143.240 | 73 B | 139 B | 1 | 1 | a92-123-143-240.deploy.static.akamaitechnologies.com |
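Reading the Network section means turning each in-addr.arpa name back into the address that was looked up and collapsing repeated queries into one record per address. The helper below is an added example, not part of the Triage report; it handles IPv4 reverse names as shown above and also IPv6 (ip6.arpa) names, which this report does not contain. DNS_LOG is a constructed transcription of the entries above in a simple "name type [answer]" line format chosen for this example, not a Triage export format.

```python
import ipaddress

# Constructed transcription of the Network section, one query per line
# in the form "<reverse name> <type> [<answer>]".
DNS_LOG = """\
228.249.119.40.in-addr.arpa PTR
172.210.232.199.in-addr.arpa PTR
22.160.190.20.in-addr.arpa PTR
196.249.167.52.in-addr.arpa PTR
196.249.167.52.in-addr.arpa PTR
86.23.85.13.in-addr.arpa PTR
198.187.3.20.in-addr.arpa PTR
25.140.123.92.in-addr.arpa PTR a92-123-140-25.deploy.static.akamaitechnologies.com
240.143.123.92.in-addr.arpa PTR a92-123-143-240.deploy.static.akamaitechnologies.com
"""


def ptr_to_ip(name):
    """Convert a reverse-lookup name back to the address it encodes.
    IPv4: four labels under in-addr.arpa, least significant octet first.
    IPv6: 32 hex nibbles under ip6.arpa, least significant nibble first."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2][::-1]
        if len(octets) != 4:
            raise ValueError(f"incomplete IPv4 reverse name: {name}")
        return str(ipaddress.IPv4Address(".".join(octets)))
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2][::-1]
        if len(nibbles) != 32:
            raise ValueError(f"incomplete IPv6 reverse name: {name}")
        hexdigits = "".join(nibbles)
        groups = [hexdigits[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(groups)))
    raise ValueError(f"not a reverse-lookup name: {name}")


def summarize_ptr_log(log_text):
    """Collapse repeated queries into one record per address: how many times
    it was asked and which PTR answers (if any) came back."""
    summary = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[1].upper() != "PTR":
            continue
        ip = ptr_to_ip(parts[0])
        record = summary.setdefault(ip, {"queries": 0, "answers": []})
        record["queries"] += 1
        record["answers"].extend(parts[2:])
    return summary


def unanswered(summary):
    """Addresses that were looked up but never resolved to a name."""
    return sorted(ip for ip, rec in summary.items() if not rec["answers"])


if __name__ == "__main__":
    result = summarize_ptr_log(DNS_LOG)
    for ip, rec in result.items():
        print(f"{ip:<16} x{rec['queries']}  {', '.join(rec['answers']) or '-'}")
    print("no PTR record:", ", ".join(unanswered(result)))
```

On the transcribed log this yields eight distinct addresses, one of them (52.167.249.196) queried twice, and only the two Akamai addresses resolving to a name.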

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    45KB

    MD5

    c019db8f7c8d172f8e26bd8b2306bcf3

    SHA1

    1a6269106564e2f369dc712f3f4fe6dc1f274bb0

    SHA256

    dfd4139f760a6f851b1e1b7a13bc174283169de30cb320da973830438dbb9648

    SHA512

    61562dbc38bcb13828dc9c50f9ac6280b17d019500ca65a79e235b5cb6f7cb9d95de7e4be228d65d10bdb9631df9761d9145124adb9a834f78b6c336fea13180

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    45KB

    MD5

    7fd83153ae4d48f29ad823c60529c993

    SHA1

    ba20c14683d816a48dee608d57479581782d01f8

    SHA256

    542ce93dd3d3b9122dea684e1f7c98bb018275337d956745d164dba396e2e88d

    SHA512

    59f96aec064001f096b09e6fad703fadb1c0c0b2323e82aaa009d1d39c448d5d6d7f3f5dd87d6afd5289aa7b3bb0cfa6b57ef900c03cae5c95a70d975d491849

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    45KB

    MD5

    cdf061714f3274fb822cd24276ad549b

    SHA1

    f940d7cd4734790e20f736cc6346eee73d3dba76

    SHA256

    c0ee7c97b186bc68746f050e738bca514a7b92208e70ebf67f89511498369b47

    SHA512

    396678c0b859121978f5c303de59e96c368ae242cc79d1eba8baecdadc95a286815e97b57bb78e6aa5eda21ba577b9717d17238bcd892f3be83555e88b9b5416

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    45KB

    MD5

    0aa04d1107f4f169491caa96080bbd10

    SHA1

    32e7a799452a7c99b47f9ca4d7b255257cf2185d

    SHA256

    e6eb5cc1d2fe7ead54b9b17e9918146c7d0e5da928ceecb7072edd11a37cacc4

    SHA512

    a2cc6bc681fc463d2c05e0897024701095d09d63379f59d4899695a82c6027994bc9f944412035667b211a4e1adb5bcca53d02971d072d197948f951046437bd

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    45KB

    MD5

    01f3c0412dccc0b72ee4060d3a45d350

    SHA1

    6c9e1e21f3c408c5a03ad93b706fdc1c079c6587

    SHA256

    08b9cc436ad26a14d42dbba3593cc54d8a501a0074aa2089bf50ad1b07b27e89

    SHA512

    630b84b4581deb76a6bba97aad119ce93301ce43df28cc39bb39da4837e4c2e86de83d8eb1c6ce9e467e5bd2abd6641b611afbc72972f8f20edbd2d46b5a63ca

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

    Filesize

    45KB

    MD5

    c4b403281f815e801e792ab2bcb0ae87

    SHA1

    18235f6f8ea91cecdfd59c6882019aa6547eb17a

    SHA256

    160ba4022081bce0554feeb6b31c6e0e2c6c10a636b2ad7c2c6cc77a5d10ed9a

    SHA512

    7cfff9c0bcf0d67a6056f1c33ecaaebea2d275c4041a15d03b54970abc76270df0baf4d56467b53fba041f791380e863b9f44418474455ce8123bb5a7db37a21

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    45KB

    MD5

    b3a98f6d829a96a7ce87429188ac2131

    SHA1

    a0d0954e134d8ded588c63794a3db47f31099f52

    SHA256

    0e0c7479b0237093dcff7cb3bdcc75c29193531342d2ad9919a69a9fc33e8873

    SHA512

    223e0774821aee355f0724e3260a78d2484823542296d7404c5d97de416ebb8190dcc17974d858118910b0f10c9c9cf4779ad2170a4bd2ae71023523f377d750

  • C:\Windows\xk.exe

    Filesize

    45KB

    MD5

    550055c1b98520e512baf7b56bc025ae

    SHA1

    3c846a6d3c676d5514ac6ae0833f0060c9ec8004

    SHA256

    b92f5ec749740fabab482a029800259c2c6d2f00f355d402a1e8acaeb9af6ac5

    SHA512

    b91915038555c2a0a66f4b2c68cb2c9ea2765e42904f6f9a19cffd32195b83300e716129adf496e8602f98775f51919e7e96c85b2a45f1fafcc4a89808a3948c

  • Memory dumps: every process in the tree was dumped over the same image region, 0x0000000000400000-0x000000000042E000 (184KB); PID 3744, the submitted sample, was dumped twice (sequence 0 and 153).

    | Dump | PID | Region | Filesize |
    |---|---|---|---|
    | memory/224-132 | 224 | 0x0000000000400000-0x000000000042E000 | 184KB |
    | memory/1084-113 | 1084 | 0x0000000000400000-0x000000000042E000 | 184KB |
    | memory/1284-152 | 1284 | 0x0000000000400000-0x000000000042E000 | 184KB |
    | memory/2744-118 | 2744 | 0x0000000000400000-0x000000000042E000 | 184KB |
    | memory/3488-145 | 3488 | 0x0000000000400000-0x000000000042E000 | 184KB |
    | memory/3744-0 | 3744 | 0x0000000000400000-0x000000000042E000 | 184KB |
    | memory/3744-153 | 3744 | 0x0000000000400000-0x000000000042E000 | 184KB |
    | memory/4232-140 | 4232 | 0x0000000000400000-0x000000000042E000 | 184KB |
    | memory/4576-124 | 4576 | 0x0000000000400000-0x000000000042E000 | 184KB |
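Two details in the Downloads list matter for hunting. First, the sample was submitted under its own MD5 as the filename (01f3c0412dccc0b72ee4060d3a45d350N.exe), and the copy dropped as C:\Users\Admin\AppData\Local\winlogon.exe has exactly the same hashes, so that one file can be found by the parent's hash. Second, every other dropped copy (CSRSS, LSASS, SERVICES, WINLOGON, SMSS, IExplorer.exe, xk.exe) is the same 45KB size but has a different hash, so a scan keyed on the submitted sample alone would miss seven of the eight files. The scanner below is an added example, not part of the Triage report: it carries the SHA256 values from the list above as an IoC table, hashes files in chunks, and separates "not present" from "present but clean". The DROP_PATHS list assumes the worm uses the same paths on every host, which the report cannot confirm; the function names are my own.

```python
import hashlib
import os

# SHA256 values transcribed from the Downloads section, keyed by the path the
# sandbox reported for each dropped file.
REPORTED_SHA256 = {
    "08b9cc436ad26a14d42dbba3593cc54d8a501a0074aa2089bf50ad1b07b27e89":
        r"submitted sample, also dropped as C:\Users\Admin\AppData\Local\winlogon.exe",
    "dfd4139f760a6f851b1e1b7a13bc174283169de30cb320da973830438dbb9648":
        r"C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE",
    "542ce93dd3d3b9122dea684e1f7c98bb018275337d956745d164dba396e2e88d":
        r"C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE",
    "c0ee7c97b186bc68746f050e738bca514a7b92208e70ebf67f89511498369b47":
        r"C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE",
    "e6eb5cc1d2fe7ead54b9b17e9918146c7d0e5da928ceecb7072edd11a37cacc4":
        r"C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE",
    "160ba4022081bce0554feeb6b31c6e0e2c6c10a636b2ad7c2c6cc77a5d10ed9a":
        r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE",
    "0e0c7479b0237093dcff7cb3bdcc75c29193531342d2ad9919a69a9fc33e8873":
        r"C:\Windows\SysWOW64\IExplorer.exe",
    "b92f5ec749740fabab482a029800259c2c6d2f00f355d402a1e8acaeb9af6ac5":
        r"C:\Windows\xk.exe",
}

# Assumed drop locations to check on a suspect host (the report shows them
# for one sandbox user; the worm may use other profile paths elsewhere).
DROP_PATHS = [
    r"C:\Windows\xk.exe",
    r"C:\Windows\SysWOW64\IExplorer.exe",
    r"C:\Users\Admin\AppData\Local\winlogon.exe",
    r"C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE",
    r"C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE",
    r"C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE",
    r"C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE",
    r"C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE",
]


def hash_bytes(data):
    """MD5/SHA1/SHA256 of an in-memory blob, hex-encoded like the report."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path, chunk_size=1 << 20):
    """Stream a file through all three digests so large files are never
    loaded whole; returns the same dict shape as hash_bytes."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan_blobs(blobs, iocs=REPORTED_SHA256):
    """blobs: mapping label -> bytes. Returns (label, sha256, description)
    for every blob whose SHA256 appears in the IoC table."""
    hits = []
    for label, data in blobs.items():
        digest = hash_bytes(data)["sha256"]
        if digest in iocs:
            hits.append((label, digest, iocs[digest]))
    return hits


def scan_files(paths, iocs=REPORTED_SHA256):
    """Same check against files on disk. Paths that do not exist are returned
    separately, so a clean host is not confused with an unreadable one."""
    hits, missing = [], []
    for path in paths:
        if not os.path.isfile(path):
            missing.append(path)
            continue
        digest = hash_file(path)["sha256"]
        if digest in iocs:
            hits.append((path, digest, iocs[digest]))
    return hits, missing


if __name__ == "__main__":
    found, absent = scan_files(DROP_PATHS)
    for path, digest, what in found:
        print(f"MATCH {path}\n      {digest}  ({what})")
    print(f"{len(found)} match(es), {len(absent)} path(s) not present")
```

A path that exists but does not match is the interesting case this separates out: the worm's copies here differ in hash from one another, so a later variant may reuse these names with yet another hash, and such a file deserves a look even though the SHA256 table does not know it.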
