Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

01f3c0412d...0N.exe

windows7-x64

10

01f3c0412d...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/09/2024, 00:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    01f3c0412dccc0b72ee4060d3a45d350N.exe

  • Size

    45KB

  • MD5

    01f3c0412dccc0b72ee4060d3a45d350

  • SHA1

    6c9e1e21f3c408c5a03ad93b706fdc1c079c6587

  • SHA256

    08b9cc436ad26a14d42dbba3593cc54d8a501a0074aa2089bf50ad1b07b27e89

  • SHA512

    630b84b4581deb76a6bba97aad119ce93301ce43df28cc39bb39da4837e4c2e86de83d8eb1c6ce9e467e5bd2abd6641b611afbc72972f8f20edbd2d46b5a63ca

  • SSDEEP

    768:PmFQj8rM9whcqet8WfuzHVHFNNqDaG0XjqGoxhz/8szBnP7DFK+5nE4B:FAwEmBGz1lNNqDaG0PoxhlzmC

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\01f3c0412dccc0b72ee4060d3a45d350N.exe
    "C:\Users\Admin\AppData\Local\Temp\01f3c0412dccc0b72ee4060d3a45d350N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3744
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1084
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2744
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4576
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:224
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4232
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3488
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1284

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    45KB

    MD5

    c019db8f7c8d172f8e26bd8b2306bcf3

    SHA1

    1a6269106564e2f369dc712f3f4fe6dc1f274bb0

    SHA256

    dfd4139f760a6f851b1e1b7a13bc174283169de30cb320da973830438dbb9648

    SHA512

    61562dbc38bcb13828dc9c50f9ac6280b17d019500ca65a79e235b5cb6f7cb9d95de7e4be228d65d10bdb9631df9761d9145124adb9a834f78b6c336fea13180

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    45KB

    MD5

    7fd83153ae4d48f29ad823c60529c993

    SHA1

    ba20c14683d816a48dee608d57479581782d01f8

    SHA256

    542ce93dd3d3b9122dea684e1f7c98bb018275337d956745d164dba396e2e88d

    SHA512

    59f96aec064001f096b09e6fad703fadb1c0c0b2323e82aaa009d1d39c448d5d6d7f3f5dd87d6afd5289aa7b3bb0cfa6b57ef900c03cae5c95a70d975d491849

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    45KB

    MD5

    cdf061714f3274fb822cd24276ad549b

    SHA1

    f940d7cd4734790e20f736cc6346eee73d3dba76

    SHA256

    c0ee7c97b186bc68746f050e738bca514a7b92208e70ebf67f89511498369b47

    SHA512

    396678c0b859121978f5c303de59e96c368ae242cc79d1eba8baecdadc95a286815e97b57bb78e6aa5eda21ba577b9717d17238bcd892f3be83555e88b9b5416

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    45KB

    MD5

    0aa04d1107f4f169491caa96080bbd10

    SHA1

    32e7a799452a7c99b47f9ca4d7b255257cf2185d

    SHA256

    e6eb5cc1d2fe7ead54b9b17e9918146c7d0e5da928ceecb7072edd11a37cacc4

    SHA512

    a2cc6bc681fc463d2c05e0897024701095d09d63379f59d4899695a82c6027994bc9f944412035667b211a4e1adb5bcca53d02971d072d197948f951046437bd

    Download Submit

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize

    45KB

    MD5

    01f3c0412dccc0b72ee4060d3a45d350

    SHA1

    6c9e1e21f3c408c5a03ad93b706fdc1c079c6587

    SHA256

    08b9cc436ad26a14d42dbba3593cc54d8a501a0074aa2089bf50ad1b07b27e89

    SHA512

    630b84b4581deb76a6bba97aad119ce93301ce43df28cc39bb39da4837e4c2e86de83d8eb1c6ce9e467e5bd2abd6641b611afbc72972f8f20edbd2d46b5a63ca

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    Filesize

    45KB

    MD5

    c4b403281f815e801e792ab2bcb0ae87

    SHA1

    18235f6f8ea91cecdfd59c6882019aa6547eb17a

    SHA256

    160ba4022081bce0554feeb6b31c6e0e2c6c10a636b2ad7c2c6cc77a5d10ed9a

    SHA512

    7cfff9c0bcf0d67a6056f1c33ecaaebea2d275c4041a15d03b54970abc76270df0baf4d56467b53fba041f791380e863b9f44418474455ce8123bb5a7db37a21

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    45KB

    MD5

    b3a98f6d829a96a7ce87429188ac2131

    SHA1

    a0d0954e134d8ded588c63794a3db47f31099f52

    SHA256

    0e0c7479b0237093dcff7cb3bdcc75c29193531342d2ad9919a69a9fc33e8873

    SHA512

    223e0774821aee355f0724e3260a78d2484823542296d7404c5d97de416ebb8190dcc17974d858118910b0f10c9c9cf4779ad2170a4bd2ae71023523f377d750

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    45KB

    MD5

    550055c1b98520e512baf7b56bc025ae

    SHA1

    3c846a6d3c676d5514ac6ae0833f0060c9ec8004

    SHA256

    b92f5ec749740fabab482a029800259c2c6d2f00f355d402a1e8acaeb9af6ac5

    SHA512

    b91915038555c2a0a66f4b2c68cb2c9ea2765e42904f6f9a19cffd32195b83300e716129adf496e8602f98775f51919e7e96c85b2a45f1fafcc4a89808a3948c

    Download Submit

  • memory/224-132-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1084-113-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1284-152-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2744-118-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3488-145-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3744-0-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3744-153-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4232-140-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4576-124-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download