Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/09/2024, 03:17

General

  • Target

    fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe

  • Size

    91KB

  • MD5

    3eaf8b7ea476ae26323ed3333383ad2f

  • SHA1

    57e394fc84a3d3d70a58db1f2760280ee9048e2f

  • SHA256

    fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54

  • SHA512

    e1a280bed7cef19988cb4c1517c185ae7328855a728f35f68de8419e6ee5a16b8770f29a951f5706c95d81f60c4fcc9692220e2d8cacfabc284cdfd950c9b3c9

  • SSDEEP

    1536:XJRtlEnBHHIgabuYotV/JbJCX5SBiBJRtlEnBHHIgabuYotV/JbJCX5SBiE:XvtYxOuYotvYQIBvtYxOuYotvYQIE

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
    "C:\Users\Admin\AppData\Local\Temp\fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1924
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2668
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2164
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1784
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1152
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2940
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2948
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:772

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    91KB

    MD5

    efadeff9131f76076a13dcb235af0d30

    SHA1

    73299f58a4157db9fd02e948d0f10877451b33f9

    SHA256

    dc98a35c91e9a5f1c01e4610c7d30757134d78d1b4cdc763f68fc504b432155e

    SHA512

    804fb38aee91cc7752302227e0903a6a73aaa90d1a76f84ed7aa02488c2f7fa6df32a7b392d33ad5ea7eb87804288e08703baf418278fbefdc0a627069b4defb

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    91KB

    MD5

    9989b853aa5a5b1590304018f6849fb4

    SHA1

    d8181dc831568a90aeaab574464a8e88ad9340f1

    SHA256

    1f1656e7a88079756bc870c197c64f2f4ac24878e566cf83f0e5255a3c5f5243

    SHA512

    27c91c0c4927e01000e60cb7473d5799a3c4be31f6bdf480863692283819d4970f1f53bd834a5d4e26c431563918ac1c661fa4157adbe4b4b93ced43c1b4911a

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    91KB

    MD5

    3eaf8b7ea476ae26323ed3333383ad2f

    SHA1

    57e394fc84a3d3d70a58db1f2760280ee9048e2f

    SHA256

    fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54

    SHA512

    e1a280bed7cef19988cb4c1517c185ae7328855a728f35f68de8419e6ee5a16b8770f29a951f5706c95d81f60c4fcc9692220e2d8cacfabc284cdfd950c9b3c9

  • C:\Windows\xk.exe

    Filesize

    91KB

    MD5

    33267445f07449106782cc622b45f20b

    SHA1

    6e7aa67999694aca7c8b8f31d1b52f58722157df

    SHA256

    52bb5dc70848b6a60a57542eb9cc149fa187ad333427c4de7ea405f180bc0475

    SHA512

    c34df3d2a78e8b85d8e2d1c4440055822376b602790f557e8a6d28a40c887d00fecf73e2d8c769953837d2b4645408a6d097f1bf538f25f9a702779abd7f9496

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    91KB

    MD5

    53af78369dcc3f4c3b2c14bd1cedd896

    SHA1

    2295abcf7c240bc8bb02abf75c1eabfd9849984c

    SHA256

    77f36e6795b9a470dd8b2cd1fe0407992d43fad6898dfca269cfdf776407c861

    SHA512

    ebec093ed2fcbccdcc9d989f4a5fbdf6317ecbefe03f6a5d5c077c38fa26315beef506a2a8f6ce24ce206d9c814e49f26c3ba8b25e771d77ecc3782cdd52b354

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    91KB

    MD5

    e8a2dd69912eaa9757cb481715be751d

    SHA1

    42eb2805396356c8d6eac27dd3ffee385e4dc885

    SHA256

    5abf53d06f2467fe7fbc784065111240ace239cbfb27b38b27f3b66d5c74e8fd

    SHA512

    0834672580e969fb9ec7084b2a7b849f6b3e85679bf1c31ca8260e27a211e25b3131b654016e46fed0ab5bfc35c36ccf0e30804c1306d57d261c0a4f87db7e90

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    91KB

    MD5

    a49ee5c28beac75ec4d9d23f4f1b5438

    SHA1

    e30d7add247112da70f797860be636e170222d7f

    SHA256

    48577eab8e4e20f5bd35948c86484401fdf3dee38d4395f725ff02013ddd6d3b

    SHA512

    c31b06feca6e012723d3ed155b2dbe7d65e452cb4188eeddcc0c40fb364849641db284f54dbb952e97baa7c12124bf9e222f161fa4cebe952f9754b913dfa6b3

  • \Windows\SysWOW64\IExplorer.exe

    Filesize

    91KB

    MD5

    5c3e91d31c8387ec02e7b6c3bbeb4054

    SHA1

    5ebfad0808cf6945dd53c245953332a216bfd487

    SHA256

    6baa698aae9ffa8c5232f9627cf9e5fc5b3c9d9f95cfb02670ac8df792076078

    SHA512

    757f2d817d27f346d728d4232d8da61f79741223a2abe93517ad558ab64f6df9487e9269a1e640924794de184a1c963ffefbcf316a46d9f1ade30086a0f0b963

  • memory/772-188-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1152-155-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1784-141-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1924-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1924-109-0x0000000002850000-0x000000000287F000-memory.dmp

    Filesize

    188KB

  • memory/1924-190-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1924-124-0x0000000002850000-0x000000000287F000-memory.dmp

    Filesize

    188KB

  • memory/1924-138-0x0000000002850000-0x000000000287F000-memory.dmp

    Filesize

    188KB

  • memory/1924-149-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1924-137-0x0000000002850000-0x000000000287F000-memory.dmp

    Filesize

    188KB

  • memory/1924-184-0x0000000002850000-0x000000000287F000-memory.dmp

    Filesize

    188KB

  • memory/1924-172-0x0000000002850000-0x000000000287F000-memory.dmp

    Filesize

    188KB

  • memory/1924-110-0x0000000002850000-0x000000000287F000-memory.dmp

    Filesize

    188KB

  • memory/2164-125-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2164-135-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2668-123-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2668-112-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2940-170-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2948-176-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB