Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

b762c1ea72...0N.exe

windows7-x64

10

b762c1ea72...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/09/2024, 04:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b762c1ea72088d0fc76ba15ba88546b0N.exe

  • Size

    347KB

  • MD5

    b762c1ea72088d0fc76ba15ba88546b0

  • SHA1

    e237dce878e5150c6d280fe880013770a743f757

  • SHA256

    9af6ef03c826020df82ebfb87116061443ea027544fc5c352b7629e518a76ff1

  • SHA512

    cda6c555a9fa9fc5b1cbd6cad5ceb7b391100a199cd6e1e8011ceb380c95c83a450bc7695176cfb4f5298710943680ef412c31af35b4f5709ffa940d2b58d2a3

  • SSDEEP

    6144:CY+32WWluqvHpVmXWEjFJRWci+WUd20rUU5EYCTvaBju49:xnWwvHpVmXpjJIUd2cUusvalx9

Score
10/10
discoveryevasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs
    persistence
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
    persistence
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 42 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b762c1ea72088d0fc76ba15ba88546b0N.exe
    "C:\Users\Admin\AppData\Local\Temp\b762c1ea72088d0fc76ba15ba88546b0N.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:828
    • C:\Windows\INU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
      "C:\Windows\INU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2444
    • C:\Windows\INU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe
      "C:\Windows\INU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2012
    • C:\Windows\INU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
      "C:\Windows\INU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2188
    • C:\Windows\INU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe
      "C:\Windows\INU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2272
    • C:\Windows\lsass.exe
      "C:\Windows\lsass.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Event Triggered Execution: Image File Execution Options Injection
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Image File Execution Options Injection

1
T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Image File Execution Options Injection

1
T1546.012

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

5
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\INU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\RJP4C2J.exe
    Filesize

    347KB

    MD5

    c669cf93a6f5151580da8d8dfed7c511

    SHA1

    0e11d02a15b94068ab5b40fa9238e49f51c6f1ad

    SHA256

    ea022fdf72087203d8e4b88fb9658f6a9c1bea2a3683731950fb757f69dbcde7

    SHA512

    2e98fee2ba215aa8c7f7a0d2037d1551a43e9c7ac5d9f529bbd0b2f7681c48196c96e56c67e0ef3c0d58d9b95e00ebbd5c80b37630967b9bcb7b3717e11781fc

    Download Submit

  • C:\Windows\INU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\RJP4C2J.exe
    Filesize

    347KB

    MD5

    3627930f5a4b22a08e5d896af3fbc4ef

    SHA1

    6497c0bc5c214b5090526547eb4d8fe2060893d6

    SHA256

    7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0

    SHA512

    0a18bfdba17d86912fa85b6699f206d49cbcac9a2fc5f94676eda6d9c5ca452d5e3bf2f1ea22ea40a34c723262d1e48ea2e786ac5c0c87ef8c4ed36c403498a7

    Download Submit

  • C:\Windows\INU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\RJP4C2J.exe
    Filesize

    347KB

    MD5

    460c4033f717a9e978c1cec5d3deee75

    SHA1

    07506d04e614508f85c8b9b4ad2ec4b72213eee0

    SHA256

    bc734e90132da5e62405d170660ea3b4279d9d18e0fb1e31e703d9cea46e8f74

    SHA512

    2c2eaf3ff215984ede326d5ae5d95f2239326bbec8d609ab26d7e3e850ef3c7f1fb5c89623790dba68e9b3fd6d4a95f8b537758676948b0c1ce7381aaf77e47e

    Download Submit

  • C:\Windows\INU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd
    Filesize

    347KB

    MD5

    ba8938674a8f6a01ba65592bbf8b224d

    SHA1

    8b9fa4ca362175bf800d77d4d9d88fda72549935

    SHA256

    e8fde4bd06e4b0f106a8cd3629c25c3e1df199b0054f953e4ca79d282e73ffe9

    SHA512

    7f686d8e4435657a22b04731e4ec0479c70affb687c614089c3e0595d5c22a08d19b9894290b0e2e1b589269417752075eac256f6efa2e29d249d4a54f0b1ec0

    Download Submit

  • C:\Windows\INU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd
    Filesize

    347KB

    MD5

    b20e4853367fedb63654c52f20658acb

    SHA1

    c262be25d3f66eb59cad26562efd6b8c1ad1e765

    SHA256

    832aa4a2944cfaca082d5ad1ded7b718fa5442134530a4ebcb953ce75b4db0f4

    SHA512

    c903e54d0153de54adf4d5560cad98f96880e167fbaab70ff4859eb41c704a502659bfb79732650f499aa97575ee966d5b68bf531266fb7bf697278bfce33ade

    Download Submit

  • C:\Windows\INU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
    Filesize

    347KB

    MD5

    7ad579795efecb8ec2f0be9a6f157d30

    SHA1

    f4b8ac4f1d0aabec22fd839fc4424517751c4f25

    SHA256

    db815568abe27cf11edab2670e5902f19eb82666fd9b46daf1aed97ec5fed5b7

    SHA512

    2f9c8ef8e1ad0925af9d9e68c05bd7a467b7a69cb6dba53ee3322d1f1ddcd65eb20e9aa0bd288fb113eb657fc1df59dbecd645fad4263b7672469ed01f7a67a3

    Download Submit

  • C:\Windows\INU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe
    Filesize

    347KB

    MD5

    bbe46041a0dc35166ddea0da4b86aefa

    SHA1

    af6374c3e0970d1b39ebdf014d9d9b40b2bab0eb

    SHA256

    b94f9d898813a40f2de0106bf8842e5bcd480291aa5ae83ae014c5a5d3afa1c8

    SHA512

    0be244e1b9fa061dc5d7f53fb36225d826760612523ad2119fffb018d517439194b36294b9ed76d6df50630c1ebbe20bd93de0a4ccf891f30a17cd25b1e1b75c

    Download Submit

  • C:\Windows\INU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
    Filesize

    347KB

    MD5

    0566ed39e835332465c6216310803a36

    SHA1

    0cd61285ede79f5a9028aea6f48d0fa3214588a1

    SHA256

    15fe4127a6aab6ac9dd6dd756c416928e95d560f44b1fabf6b81b7df2b0c7d3d

    SHA512

    e60eb3a6d804cb5a2350d2a4c420871bca984992a8918ca838db5ff4009ce458429dea7c90a3d5563244f0740e5a2cfd3a726bc85fbfb8bb25a28e6bdf35c5f5

    Download Submit

  • C:\Windows\INU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe
    Filesize

    347KB

    MD5

    b762c1ea72088d0fc76ba15ba88546b0

    SHA1

    e237dce878e5150c6d280fe880013770a743f757

    SHA256

    9af6ef03c826020df82ebfb87116061443ea027544fc5c352b7629e518a76ff1

    SHA512

    cda6c555a9fa9fc5b1cbd6cad5ceb7b391100a199cd6e1e8011ceb380c95c83a450bc7695176cfb4f5298710943680ef412c31af35b4f5709ffa940d2b58d2a3

    Download Submit

  • C:\Windows\KMW5H7N.exe
    Filesize

    347KB

    MD5

    9c1dd080a93d797645ba68fcd9cb4d3b

    SHA1

    992ea8e4133bb17b920c071d44a730e926cfc332

    SHA256

    777bf4b3b983d239e55957d74993aaae5cd0ac40730b599a0ae8df554c2e1472

    SHA512

    7cf5d5bf186330de0dc7fc4116139b1e9bcac0ebdc85e77ee4b185815efeadbe102d3dadb0e33be15f0e545b9921b0cbd1cceb3f64b75e015d43c3a721fd231b

    Download Submit

  • C:\Windows\SysWOW64\LDE6I7R\TOM1T6P.cmd
    Filesize

    347KB

    MD5

    16462e112c76609eab6d850edac4f202

    SHA1

    b8838d22ba4e19fe9aea01d72271112fa87f611b

    SHA256

    9855b722d83aed9c10129f75d4a05440266f183189f53d22754d90cad1696a88

    SHA512

    6e6ecc9bce8e9d89bcf8199ec759e8e224f74ed736732c65c3db72c4222e5cf2452dd781cca631b3fea2350e0498468a96f6d204e04276d4ec85e9613106b2dc

    Download Submit

  • C:\Windows\SysWOW64\TOM1T6PPUG0C0X.exe
    Filesize

    347KB

    MD5

    825a3bd77419defcd3b2ce6ae043c3e3

    SHA1

    5c51de48d5d343155544d916a8870a14ac8152c5

    SHA256

    e060cd41bdb365a4a52cb04b1b3e0e0992fdf4fff622a8268deb6a9a3a404187

    SHA512

    bafbc317667c90d04e935212a82475554f254e9ae5ea9b7a7032963f1dfd4caea23505a41da559224eb73f64bf266f5e7078852166bc9badfc92d2b0af7309d4

    Download Submit

  • C:\Windows\SysWOW64\WVC4H3R.exe
    Filesize

    347KB

    MD5

    7c4cb0972918ab733bf6f32af49c2bf2

    SHA1

    7ae7316a5a3d85da50919ffb08b291a7d14fd802

    SHA256

    c3458bd2a9eb4e827a62ac677d3cca6545b1ff24c3f831905e4178241dd3d419

    SHA512

    00ac36bb55444d7f45c2ee5a98371c7165f5a4a6fd6a66faaad0dd439a8a483aa1c300f8405cfe3c6065597912935f260aaa7341fc8f16c15935a7dbe200d492

    Download Submit

  • C:\Windows\SysWOW64\systear.dll
    Filesize

    127B

    MD5

    e43c11a82729630cc7c9df986e01aabf

    SHA1

    c737ccef9b90bdca30e4cf1cb2e82c914c4843f4

    SHA256

    68f1dd4e3100cedfa4b892361875ddb98ba0ef3903e39283684a49a9842c3218

    SHA512

    53e88c39a5fb3d438123bbaa7f19bbe0974b8ee772f65fb52866310b70a501760b2046715645c6999cbfe35a7ab3520092770f815fa5f3b3c07975e400669c3f

    Download Submit

  • C:\Windows\SysWOW64\systear.dll
    Filesize

    141B

    MD5

    20dd434a6ab6995f96ac46f411ebde24

    SHA1

    e4c48d9db1143b22203cbf8e2a1bb659a5f1abf0

    SHA256

    d37c2c7e4533cb42f846d8b336ee19d741e49af53bae5fc1494863be06b47292

    SHA512

    80c6043ae7d27acbc33feedca1d8ac2e17c83cd1cf51c03ee4047ac94f899b517b128ed944bb2ceb1ea94dd91c5503dde1ceb6ebcf62568ad44402a507fcc8b7

    Download Submit

  • C:\Windows\cypreg.dll
    Filesize

    361KB

    MD5

    e71a648cdcb5daf91ea7790f951c1aa2

    SHA1

    fecd858e0d9b196a3073aea7f212cd0324d21e57

    SHA256

    3d7c897675b467acf98a32c206d1a49fedad54868d6d302aad08c47347c7ef60

    SHA512

    e627a8336ccc6dc0f91dedf6455b8e41646d7aeee3d9ebe2139ef1dea6dd48c7802cd9823c635b00168d5bf632b9a4bf49260e84a0681263a90a24def1cadac0

    Download Submit

  • C:\Windows\cypreg.dll
    Filesize

    361KB

    MD5

    1e1e0ba48fa72dc5e7b482afd9d3a7e0

    SHA1

    2a930121ef6839a0905d253ddeae565b45a95782

    SHA256

    94ca13a7007fb2c1db881f79c436a1b392e7a41ff8e126f5d3b4f32cfe2183c9

    SHA512

    70e0886004a164817cad5829d588fda560527579842d4fed654a2bfbe2999e473aebd8f67ac733362c107c5c40245cbf58906e7934e6138e43ce630c850fcc7d

    Download Submit

  • C:\Windows\lsass.exe
    Filesize

    347KB

    MD5

    fe8a3a62fb8cae0657e65a72134e2539

    SHA1

    37b1b477bf1f1a949b633853c4a9f37a849a24dc

    SHA256

    9ff9223aecc28137839fbd9dca5794d1c0f66506b2ec2866298cd928f54bdde0

    SHA512

    61b91d712a5dedebd411749222a8cc33e26d6483ea04e9971f421c0b59583f4fa6cf54bb3a7da05732df37525893c92e6fc4ed914f9c00f7567aa56c2df6b4e5

    Download Submit

  • C:\Windows\lsass.exe
    Filesize

    347KB

    MD5

    cc9356d0cf093ca83abdf6a430e37913

    SHA1

    f28ecbcba0eb90d65ef4a4eea4ccaef8d6b2a0d9

    SHA256

    f20cb382d39a4c8cad770aae66e76ae2c9a40034a0c1afe6cd0f44fb12051d6c

    SHA512

    75d0993673997300cbb7c6ab25e77e4e77c396bf51eca07652763de1c32f5945a1116e4fe1aab67233ce0f6719122b1c0f1ccb4d44a503cd4c2a74e13c73a84b

    Download Submit

  • C:\Windows\moonlight.dll
    Filesize

    65KB

    MD5

    c55534452c57efa04f4109310f71ccca

    SHA1

    b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61

    SHA256

    4cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc

    SHA512

    ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a

    Download Submit

  • C:\Windows\onceinabluemoon.mid
    Filesize

    8KB

    MD5

    0e528d000aad58b255c1cf8fd0bb1089

    SHA1

    2445d2cc0921aea9ae53b8920d048d6537940ec6

    SHA256

    c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

    SHA512

    89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

    Download Submit

  • C:\Windows\system\msvbvm60.dll
    Filesize

    1.4MB

    MD5

    9a9f3b124d45dc37a7f7ea0d56a2ce77

    SHA1

    0040ee250be20db1c54f20538422950f967a999c

    SHA256

    18109fcda7b887d3462aea4c31baf1772ae0926ff1b13835f9ad7c24c3225b32

    SHA512

    b20973d37eb109537c5889f8deb5b0da3ff3d89d11e2ce8bad0ed7b8627a539e22f9579c8913e51f24891892be9aff62b4ba99b9f51de717136c565aa21e4eaa

    Download Submit

  • C:\Windows\system\msvbvm60.dll
    Filesize

    1.4MB

    MD5

    220cd5b36a14cfc83715839698aeaaa8

    SHA1

    e2957eb14abffa17ad61b7555221803444f92288

    SHA256

    eb319cc5c5e432b3f111b185fa12e1410b43d90b81b4bd8d7f007c860256b4b1

    SHA512

    65f4473e6f2f6af2c9197fb25955b58f1f2504b3cf364e6e6f41b9e1ba9fb6a80613797a0b4b24b41ce88b1f2afbb52cc3efcc5a362c4f54f2beb745028a9441

    Download Submit

  • C:\error.exe
    Filesize

    347KB

    MD5

    1f32aa83293e4e7b868a3b4ef3e0f943

    SHA1

    bdf2a0687ece85267e1c7726c7eafa69de12686d

    SHA256

    acd28d44fea6ff68ea131d19a94a49ceb30f20ef2a6878417e57dc6866314b8d

    SHA512

    a9b9d7dfa4b2574bcc908882a92eb628504814df15a46225b7267cb2af72128905ce4682fa1e053cbdb9d5c7f46c7120af57b35147f636e21c30f3f73137ea77

    Download Submit

  • memory/828-0-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/828-282-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2012-76-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2012-309-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2188-310-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2188-87-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2188-314-0x0000000010000000-0x0000000010075000-memory.dmp

    Filesize

    468KB

    Download

  • memory/2188-330-0x0000000010000000-0x0000000010075000-memory.dmp

    Filesize

    468KB

    Download

  • memory/2272-311-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2444-308-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/2444-64-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/3476-312-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/3476-281-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download