Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5

d82a88a088...ce.exe

windows7-x64

10

d82a88a088...ce.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25/09/2024, 02:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d82a88a088d9c3cbb5b41372128941c44844053f04eb9419c86d293aa39964ce.exe

  • Size

    91KB

  • MD5

    682700d332bf2200df28b6374f61e070

  • SHA1

    da89ad07928f42ad417c02fec1babb103cce5a90

  • SHA256

    d82a88a088d9c3cbb5b41372128941c44844053f04eb9419c86d293aa39964ce

  • SHA512

    adbfd9cdecf78846b93145f3c604e7a208fefaedbaa6be00a308c2a16936d880cd4964a2ee03ab44926f92322e96aba1a7b05030aeed30c6e4140d83816fe782

  • SSDEEP

    1536:XJRtlEnBHHIgabuYotV/JbJCX5SBisbJRtlEnBHHIgabuYotV/JbJCX5SBiE:XvtYxOuYotvYQIWvtYxOuYotvYQIE

Score
10/10
discoveryevasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 24 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 20 IoCs
  • UPX packed file 34 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\d82a88a088d9c3cbb5b41372128941c44844053f04eb9419c86d293aa39964ce.exe
    "C:\Users\Admin\AppData\Local\Temp\d82a88a088d9c3cbb5b41372128941c44844053f04eb9419c86d293aa39964ce.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1960
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:668
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1124
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2928
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:760
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2784
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:752
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2980
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1052
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1744
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1540
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2792
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2348
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2316
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1176
  • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

6
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
    Filesize

    240KB

    MD5

    fe46ebf021f6c6ffd07865ea5200aeb4

    SHA1

    476e217291a3a8044d134712e6df11706886793c

    SHA256

    4fbd7c234527fc2a4ed955ec63559ee557440eb2ceec926ab3d69a5ac465fcc3

    SHA512

    803962f09516ca7f6663557e6fb4ff26714b5e0579d2094fd9d6336b05b75b22c60ad1d1c02f940e408a173509510c00451e3332b52d5ec106aa885c56680160

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf
    Filesize

    1KB

    MD5

    48dd6cae43ce26b992c35799fcd76898

    SHA1

    8e600544df0250da7d634599ce6ee50da11c0355

    SHA256

    7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

    SHA512

    c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    450dc9b2e91bf920b41c01fdfc4bf270

    SHA1

    fd454a92c122596fffd1e7882288992a913b68a8

    SHA256

    31ea4badd12a26c6f0ebd9b46bac2e4cde299256bcca589d642f081e10e66d70

    SHA512

    77932acc5a404dcf13158f621d9bc832f7ebf7a7152cd4b40b3ee7b13c0a89bf241bde9ff804884ce589935d28687dffaa76bb516a1edc662f1076eaad5ca5b6

    Download Submit

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize

    91KB

    MD5

    682700d332bf2200df28b6374f61e070

    SHA1

    da89ad07928f42ad417c02fec1babb103cce5a90

    SHA256

    d82a88a088d9c3cbb5b41372128941c44844053f04eb9419c86d293aa39964ce

    SHA512

    adbfd9cdecf78846b93145f3c604e7a208fefaedbaa6be00a308c2a16936d880cd4964a2ee03ab44926f92322e96aba1a7b05030aeed30c6e4140d83816fe782

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    3bcda66381627f74c024f76f701573f0

    SHA1

    02aa30fd3a324c3fbb95df0df7070ed448fc49f3

    SHA256

    9fdaec6c6afbd8e4863658edfdd6eb90df3d8aa12b7d7171658a9f0c68f1dee1

    SHA512

    628cf758d3490e67a411888246b33730ae1c44eb0859b9c045d2fe223be4767e28ff1613871959423b8297821b1a2a881b5e035ecef5a3cb1c14f68e2006a264

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    872afa7206e71fa52582a6e51d11ebe2

    SHA1

    bdd9c852ca253ea136b613da7e183ec63c09c51e

    SHA256

    d279c6f87d5cf162ca4ad4b5bc2322b35acf7c7a64dc2b5afb1e21a798e44b43

    SHA512

    230a46d03a8b3826784a2561ca4c647941a85e9551f33f5e8e221a98c9b2d1546448ff72299214a6be9e20bbc003f22cb02d6a93eb99b3bd774cfe0c6bd71634

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    f31d4ed7afd3cd1ef5e3f522868aa734

    SHA1

    ab99a10bd4b0261ef5f77e68bb5c1394a6ffbc91

    SHA256

    b9f2e121d678d9700268c497db3770c3f7d792ef2b51d569514a7c9fe670b68f

    SHA512

    41aeb78eb5fd586a579d30a13c79ac2f550171ef8a4dc565c63a64bf14c767cdac1fbff8b6be4c0e7ebe0e19a9b3b3f7e2791088c3f9173f26b25338a2eab247

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    452967dbb117500440f51fbdc89bdcf6

    SHA1

    1ef3d14184ace37c33cac268719a15b7b6146bcb

    SHA256

    18f574025eab2dfb9e8af15c31ccbb0287a61ac983bd01742378841b72cad0dc

    SHA512

    7b0647432689a6ffcc57774daf68637cec48e4b9ea4b68f39045bc48c05dd9b2ce7414d119fe893ef5a51340410c44ce06f45e7dd5ebca938a8fe64d6777d47d

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    fff5f078bfb2b812cace1b135ecffa75

    SHA1

    13ca12c5d353ca18cd6e039d275ebd071fe731e3

    SHA256

    635eb62b130517d878094c816741c4360a4f2c7efd75ccc4b9f8eda1bae9406f

    SHA512

    3941e4594895eab0d8ddc1c55302f2b31377614a5443dc8cb8f3b72d239d206eb4a90b4ec51a52e6d1a4d5722465bb21d34903f653a4f7cdaacbc94acd1e1c84

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    91KB

    MD5

    0f33c7fb89ac936a9d533b4fbcdfacbc

    SHA1

    af1a61697ebf1ddd387baafc35b9c112809f8086

    SHA256

    5ef308090de8b1fdd84d553abe68a77866201e57805b3e6de4b2988ba82b981d

    SHA512

    3d497c29b21fba1ef7f2e8d50a12cb19834f07221dff1b8bdf19eb1ff422ac4107e430dcfc6cfdc7aba64e91ed212fbd639d9ae7fcb24c2cfc60cc5f1a4ed33f

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    91KB

    MD5

    cfdcc0d35fa2cfee9ab6fa444feb71a9

    SHA1

    1557264dd2b417439a1e248d6ed020b4ac51cd76

    SHA256

    56ae41d9867b6e34468c5da1052d78c5195e679b185c44b4462c88acb3a80128

    SHA512

    e455f66a03de189796867029c88ec5fe1c81d91c3fb8417a3e9274fdce98c52753d17479a06b65556cd10f17f1d015324823306723b51b631ae8ee3ebb64a33e

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    91KB

    MD5

    382c4c913d0a63d2eb057cd7ccc3f0c2

    SHA1

    5c8576be7ade900ad2f9569bd8ce775b746c8d5e

    SHA256

    4fc938337fb0355d3e4aeec5731bf67021d4d3394ccd1682630fd9f56c9cd92b

    SHA512

    3a31c250c1f22754342ee82ccceb415a26c3c7fbbb7626d6f1d16d2f08d2c37f01ebab660221c6685f0abcfe249d2993db33f65602933525503fc7e2bd7e62b2

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    91KB

    MD5

    1fa09fb619051bc9f23bf1f7347bf27d

    SHA1

    a8086fe0d37e07273344fc61cae044bbf4383b69

    SHA256

    f1d327bb805f02c80900f11aef3412e41070043327a6dd234096d8547dd8bed7

    SHA512

    b7927b2890049e0487f88e10730955dda2863a4aff2f4000b08a1f481831c880e90e1f817b85416f78ff3dc0d38696945c284c410977b7b7a486d73bb2ad0cfc

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    91KB

    MD5

    182761296bbe0d1552792dbd08e75f09

    SHA1

    abf9cda2150923094515cbfb3dfbc83f2d85e859

    SHA256

    643eb08d47883e7b5f8943751528a5e325f9b5fee9fe252824edab41f3402252

    SHA512

    c016d5978f9c2c3da3ba0c8d71539a04198e6fd7996135bbe8df5fb4399164174f9701fb5b0a807eddd3a4dfe33fbce31f4699fa2614677fe610e6d13301ac12

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    91KB

    MD5

    540dd6caeed8b60a11fa149a404d9e6b

    SHA1

    4f810dbd7a1fbf1657a60b33594d2e1836533fe6

    SHA256

    ae1bca02561c1f55c76076f05c1503addc121115f96287953995f0d4eedf702b

    SHA512

    4a47897deecf173bf29d7205f7acd41b796e6fa94e338a482ba19f4a51e955bdcfa677a6eda7bf5ef1bf6381b231f4c3a4489bf3d4fd40cc38aafbf6c80fc15a

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    d23bdafb8ae49f234d0048166bff090f

    SHA1

    168c4ce2f99cc7e6da98f6347521ad637bd9714d

    SHA256

    240874f4f0ec8b41705b89ea457e56c8d638fd25639f0b7a1a892670b8a3a7cf

    SHA512

    89598bb1b25aa35f657850689128699b87aa69516359d3ffc1edcc4c74007a2145ecceed8e4f461d74bfd270623fcf669daf4c1257bb793d6733ee53042fe94c

    Download Submit

  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    393e0d380f8d0c585aa8bda9e8821071

    SHA1

    88c26c35f46a11fa5657736a8e32133f8712707b

    SHA256

    dff9437837d4b32fdd24d66f8a3935abd5e5f6942bf638569306d0c963dc5f83

    SHA512

    04f235650f2d482219fcbd9095d5c4fa42b83f86df82b57b9c002222604150a4a9d3648ee9c26fb69ec375ffcdd19c0824743e01d797cdc12379948d8400a73a

    Download Submit

  • memory/668-111-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/668-114-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/752-173-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/760-148-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1124-125-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1176-311-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1540-267-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1540-262-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1744-265-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1960-170-0x0000000001E10000-0x0000000001E3F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1960-240-0x0000000001E10000-0x0000000001E3F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1960-263-0x0000000001E10000-0x0000000001E3F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1960-122-0x0000000001E10000-0x0000000001E3F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1960-275-0x0000000001E10000-0x0000000001E3F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1960-461-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1960-109-0x0000000001E10000-0x0000000001E3F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1960-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1960-140-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1960-164-0x0000000001E10000-0x0000000001E3F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1960-155-0x0000000001E10000-0x0000000001E3F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1960-132-0x0000000001E10000-0x0000000001E3F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2316-302-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2784-157-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2784-161-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2792-285-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2928-139-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2964-336-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2980-202-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download