Analysis

  • max time kernel
    99s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/09/2024, 13:09

General

  • Target

    4467692df3f5ba1aff4f51d021a5f5a0N.exe

  • Size

    63KB

  • MD5

    4467692df3f5ba1aff4f51d021a5f5a0

  • SHA1

    658810d6c85ca812be6be2b4001d6aeeab8d6c1d

  • SHA256

    acb398338145f18f11ebb57b8a3480369f0a9838cab3b2b6e5befa2a76d75c20

  • SHA512

    16670cbbd831ea7d011db0f3c3984dfcf46504981fde029a5a970a992b5fd7ed1af467492eedc73e2be9e93adf880d3500b3d6d49a7f9b30ab58ce1374e237df

  • SSDEEP

    768:jSxam3Usjr3REXXr8yxFChMp7v9DLKrzCnbcuyD7UVeQI5noPNcAvcV4RP0U+t6:jRsjdEIUFC2p79OCnouy8VDaAG4RsfU

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4467692df3f5ba1aff4f51d021a5f5a0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4467692df3f5ba1aff4f51d021a5f5a0N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3280
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1400
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2064
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4692
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3276
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2732
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4832
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3052

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    63KB

    MD5

    b811e37786bdb2103d70bcb11bc2949f

    SHA1

    11c91560cdadfec75f08dc0e92f837fc21e5b413

    SHA256

    79864b7d4d8872d31d4729aec24622b3aeb03dd539d46f5649c67f7fa59e6922

    SHA512

    cff13d4c173cc59c7c093f1eb2c9e77acd4916f706cb76608b38184269949305c4f083e51ecaf29f592bc97aa182f32289c6c4079279b42ca75fca6e8bf4f94f

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    63KB

    MD5

    939ab1f5a0b68753babf6b0bc178d5f7

    SHA1

    0a961c987fc1c60d3c3386c7f5862d5e261b76a1

    SHA256

    ef233cbb7aa81ed8df83fa95eab394b718a226eac45d252019d80ee500e66bc5

    SHA512

    db38aa452c5386b65d2c9d8a9b7a235d9df66257e5ea80b8f67d36955bf87ba9d49802da322dd2f19ce358b946e5a34f8bc7c3272eae57177728627c294c0bf6

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    63KB

    MD5

    084ee45cc30b8b17096008c4dfe13b64

    SHA1

    764ff2573fc3ad0b06d1610c393400396a485ef5

    SHA256

    a9f24fc338ef858a698b1ef2899cb849577a16e9adf3d3c9b363aca1bf09e9da

    SHA512

    97e82026ad288a7b5684d98103486dd783030c55bc84f122ec6a2662f9530c9f2598e24306ffb3437c656254c48aae4f12a7ae43f6fe891bcfd53da9e143c720

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    63KB

    MD5

    88295edb85e305f997e343b052558c15

    SHA1

    bb00bdf5d90896313d73042e1dca453a44410a8e

    SHA256

    8252cc4f26cc7bdad90f1228ed3e86214ab414cc30842a325237cf579c0bfa23

    SHA512

    a199106c224e9e521c844c83c37a9e3ef17c2d30b7039225f92d3eb5f097c1885eb6c87982395f5d15d70eff49c7c69a6613dcf12f5b57fc39ab96275a081453

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    63KB

    MD5

    4467692df3f5ba1aff4f51d021a5f5a0

    SHA1

    658810d6c85ca812be6be2b4001d6aeeab8d6c1d

    SHA256

    acb398338145f18f11ebb57b8a3480369f0a9838cab3b2b6e5befa2a76d75c20

    SHA512

    16670cbbd831ea7d011db0f3c3984dfcf46504981fde029a5a970a992b5fd7ed1af467492eedc73e2be9e93adf880d3500b3d6d49a7f9b30ab58ce1374e237df

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

    Filesize

    63KB

    MD5

    f2bf2350d953609d6f70f25bb6c26d49

    SHA1

    b41574432594c6849bbe8190889ab2a218c6b6fe

    SHA256

    c72afff21d3511a960deec3c4fc3f5c7e9c2a02ac044313170502507e19faef9

    SHA512

    f9b2fbce7f377a6f3f0a238e0903da0f3aaa5f824466819a7e896d35f0054da0bc400b98b0f856f271483f79ab14fb990ad77d7850c062d77cbb70c491d4569d

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    63KB

    MD5

    0a4f4c58e582c92fb41e002d582541b1

    SHA1

    8f7030887296672dc593bf71baf6dfe72b971ffa

    SHA256

    da22e1bd531cffc036b68a4c8c1e692b0651e10520049922fcbbc53d0292a80d

    SHA512

    6a82ae6844a9992b1352dbf8c360ceb12630e00e3da7f59d24b870c63b1c5c0e9cfb6b8a2a3157bfb50ba014314322238838fdcdeed897e64f474db4f5b08d3f

  • C:\Windows\xk.exe

    Filesize

    63KB

    MD5

    d827ea1aea0d4aed3303b3a931d3ffbe

    SHA1

    e69b48dc0c13e56b2bedabf7d3580bdae0c69e25

    SHA256

    03f4f85dfff45a33cd4b4def4f04683692ee9adc12b00bd683535a5a6230128c

    SHA512

    4588d3c358be1a6af1b25fc28592e96108a5577969648f6d010e18fc0e95ec58a15b8b7627c848c850e5759c65a9f353003d51e35a5bddedc8b5872d03114b53

  • memory/1400-112-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2064-119-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2732-138-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3052-152-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3276-131-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3280-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3280-154-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4692-125-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4832-147-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB