Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/09/2024, 04:33

General

  • Target

    f735bc5eab79e5dc0b6e78184ab5f62d2710ea5a4664d82bc7c11a8e2a2b5839.exe

  • Size

    91KB

  • MD5

    99583bad9b5a5a950f175e054b42d4b3

  • SHA1

    0179a7e86748547d6460ec0c4b1c5e094fe7d03b

  • SHA256

    f735bc5eab79e5dc0b6e78184ab5f62d2710ea5a4664d82bc7c11a8e2a2b5839

  • SHA512

    5394a66293cc54ee93315d09c1d7ba6b5c948a47ddd958ef773dbee25e05d3c2d35d9d41de8fa5274b0ed155bf5c1b2b48aacd72b1e966e87ca6fb694848b624

  • SSDEEP

    1536:XJRtlEnBHHIgabuYotV/JbJCX5SBixJRtlEnBHHIgabuYotV/JbJCX5SBiE:XvtYxOuYotvYQIxvtYxOuYotvYQIE

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs
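
The signature list names the registry areas the sample touches (Winlogon, Run keys, the exefile association, the RegEdit lock-out, Explorer view flags, System Restore) but the report does not print the values it wrote. The following is an added example, not tria.ge output or the sample's code: a Python audit of the standard locations behind those categories. It compares what it finds against Windows 10 defaults (an assumption taken from platform documentation; confirm them on a clean build of your own image) and raises an alert for any value that differs or that points at a path the report lists as dropped. HideFileExt=1 is also the Windows default, so it is reported for review rather than alerted on. SAMPLE_OBSERVED is constructed input so the audit runs off-host; collect_live() reads the same keys on a Windows host.

```python
"""Audit the registry locations behind the signature categories above.

Added example (not tria.ge output). The report names the categories the
sample touches but not the values it writes, so this checks the standard
locations against Windows defaults and flags anything that differs or that
references a path listed in the report's process tree / Downloads section.
The defaults are assumed from Windows 10 documentation, not from the report.
"""
import re
from typing import Any

# Dropped-file paths from the report, as patterns so they match any user
# profile and both spellings of the profile-local folder ("Local Settings\
# Application Data" is a junction to "AppData\Local").
REPORTED_PATH_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"\\Windows\\xk\.exe",
        r"\\Windows\\(System32|SysWOW64)\\IExplorer\.exe",
        r"\\(AppData\\Local|Local Settings\\Application Data)\\winlogon\.exe",
        r"\\(AppData\\Local|Local Settings\\Application Data)\\WINDOWS\\"
        r"(WINLOGON|CSRSS|SERVICES|LSASS|SMSS)\.EXE",
    )
]

# (key, value name, expected default).  name=None audits every value under
# the key; default=None means there is no single safe value, so the value
# is reported for review rather than judged.
CHECKS = [
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "explorer.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
     r"C:\Windows\system32\userinit.exe,"),
    (r"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", None),
    (r"HKCR\exefile\shell\open\command", "", '"%1" %*'),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", 0),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "HideFileExt", None),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", 0),
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableSR", 0),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", None, None),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", None, None),
]


def _norm(v: Any) -> Any:
    return v.strip().lower() if isinstance(v, str) else v


def references_reported_path(value: Any) -> bool:
    return isinstance(value, str) and any(p.search(value) for p in REPORTED_PATH_PATTERNS)


def audit(observed: dict[str, dict[str, Any]]) -> list[dict[str, Any]]:
    """observed maps a registry key to {value name: data}. Returns findings."""
    findings = []
    for key, name, default in CHECKS:
        values = observed.get(key, {})
        for n in (list(values) if name is None else [name]):
            if n not in values:
                continue  # absent is the default state for every check above
            v = values[n]
            if references_reported_path(v):
                severity = "alert"  # points at a file the report says the sample drops
            elif default is not None and _norm(v) != _norm(default):
                severity = "alert"  # differs from the Windows default
            elif default is None:
                severity = "review"  # no single safe value; a human decides
            else:
                continue
            findings.append({"key": key, "name": n, "value": v, "severity": severity})
    return findings


def collect_live() -> dict[str, dict[str, Any]]:
    """Read the CHECKS keys from the local registry (Windows only)."""
    import winreg  # stdlib, present only on Windows
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER,
             "HKCR": winreg.HKEY_CLASSES_ROOT}
    observed: dict[str, dict[str, Any]] = {}
    for key, _, _ in CHECKS:
        hive, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], sub) as h:
                vals, i = {}, 0
                while True:
                    try:
                        n, data, _ = winreg.EnumValue(h, i)
                    except OSError:
                        break
                    vals[n] = data
                    i += 1
                observed[key] = vals
        except OSError:
            pass  # key absent: nothing to audit
    return observed


# Constructed sample input; these are NOT the values the sample writes.
SAMPLE_OBSERVED = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Shell": "explorer.exe", "Userinit": r"C:\Windows\system32\userinit.exe,"},
    r"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Shell": r"explorer.exe,C:\Windows\xk.exe"},
    r"HKCR\exefile\shell\open\command": {"": r'"C:\Windows\xk.exe" "%1" %*'},
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System": {"DisableRegistryTools": 1},
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced": {
        "HideFileExt": 1, "ShowSuperHidden": 0},
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "ServiceHost": r"C:\Users\alice\AppData\Local\WINDOWS\SERVICES.EXE"},
}

if __name__ == "__main__":
    import sys
    data = collect_live() if sys.platform == "win32" else SAMPLE_OBSERVED
    for f in audit(data):
        print(f"[{f['severity']}] {f['key']}\\{f['name'] or '(Default)'} = {f['value']!r}")
```

Run it as Administrator on the suspect host so HKLM and HKCR are readable; HKCU is only the profile of the account running the script, so repeat it under each interactive user (or load their NTUSER.DAT) when hunting Winlogon\Shell and Run-key persistence.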

Processes

  • C:\Users\Admin\AppData\Local\Temp\f735bc5eab79e5dc0b6e78184ab5f62d2710ea5a4664d82bc7c11a8e2a2b5839.exe
    "C:\Users\Admin\AppData\Local\Temp\f735bc5eab79e5dc0b6e78184ab5f62d2710ea5a4664d82bc7c11a8e2a2b5839.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1684
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1188
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1396
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1776
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2908
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1436
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3136
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3528
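
Two things in the tree above are worth a detection rather than a hash. First, WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE and SMSS.EXE are all started from the user's profile by the submitted sample, while the genuine binaries live in C:\Windows\System32 and are only ever started by smss.exe, wininit.exe or the System process. Second, IExplorer.exe is written to C:\Windows\SysWOW64 even though the command line says C:\Windows\system32: a 32-bit process (the image is tagged arch:x86 and loads at 0x400000) writing to system32 is redirected there by the WOW64 file system redirector, and the name is one letter away from iexplore.exe. The path "C:\Users\Admin\Local Settings\Application Data" is the legacy junction to AppData\Local, which is why the Downloads section lists the same files under the latter. The following is an added example (not part of the tria.ge report): a process-creation detector covering both patterns. The event records are constructed to mirror the tree; their field names are this example's own, and the sample's parent process, which the report does not show, is assumed to be explorer.exe.

```python
"""Flag core Windows process names launched from the wrong directory or by the
wrong parent, and near-miss lookalike names.

Added example, not part of the tria.ge report.  All it takes from the report
is the process tree above: WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE
and SMSS.EXE started from the user's profile, and IExplorer.exe in SysWOW64.
The event records are constructed to mirror that tree and the field names
are this example's own; map them onto your telemetry (Sysmon EID 1, 4688,
EDR process events) before use.
"""
import ntpath

# Directory the genuine binary lives in (compared lower-cased).  Assumed
# from the standard Windows layout, not from the report.
EXPECTED_DIR = {
    "smss.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
    "iexplore.exe": {r"c:\program files\internet explorer",
                     r"c:\program files (x86)\internet explorer"},
}
# Boot-chain processes and the only images that legitimately start them
# (smss spawns csrss/wininit/winlogon and session smss copies; wininit
# spawns services and lsass; the kernel "System" process spawns smss).
CORE = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe", "lsass.exe"}
LEGIT_PARENTS = {"smss.exe", "wininit.exe", "system"}


def normalize_path(p: str) -> str:
    """Lower-case, collapse separators, and fold the legacy profile junction
    ("Local Settings\\Application Data" is a junction to "AppData\\Local")."""
    p = ntpath.normpath(p).lower()
    return p.replace("\\local settings\\application data\\", "\\appdata\\local\\")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short file-name stems."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str) -> list[str]:
    """Known names whose stem is within two edits of this one.  Exact matches
    return [] because the directory check covers them."""
    if name in EXPECTED_DIR:
        return []
    stem = name[:-4] if name.endswith(".exe") else name
    return sorted(k for k in EXPECTED_DIR if levenshtein(stem, k[:-4]) <= 2)


def detect(events: list[dict]) -> list[dict]:
    """Return one finding per suspicious event with the list of reasons."""
    findings = []
    for ev in events:
        image = normalize_path(ev["image"])
        name = ntpath.basename(image)
        parent = ntpath.basename(normalize_path(ev.get("parent_image", "")))
        reasons = []
        if name in EXPECTED_DIR and ntpath.dirname(image) not in EXPECTED_DIR[name]:
            reasons.append("unexpected-directory")
        if name in CORE and parent not in LEGIT_PARENTS:
            reasons.append("unexpected-parent")
        near = lookalike(name)
        if near:
            reasons.append("lookalike-of:" + ",".join(near))
        if reasons:
            findings.append({"pid": ev["pid"], "image": ev["image"], "reasons": reasons})
    return findings


# Constructed events mirroring the report's process tree.  The parent of the
# submitted sample is not in the report; explorer.exe is assumed here.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f735bc5eab79e5dc0b6e78184ab5f62d2710ea5a4664d82bc7c11a8e2a2b5839.exe"
PROFILE = r"C:\Users\Admin\Local Settings\Application Data\WINDOWS"
SAMPLE_EVENTS = [
    {"pid": 1684, "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 1188, "image": r"C:\Windows\xk.exe", "parent_image": SAMPLE},
    {"pid": 1396, "image": r"C:\Windows\SysWOW64\IExplorer.exe", "parent_image": SAMPLE},
    {"pid": 1776, "image": PROFILE + r"\WINLOGON.EXE", "parent_image": SAMPLE},
    {"pid": 2908, "image": PROFILE + r"\CSRSS.EXE", "parent_image": SAMPLE},
    {"pid": 1436, "image": PROFILE + r"\SERVICES.EXE", "parent_image": SAMPLE},
    {"pid": 3136, "image": PROFILE + r"\LSASS.EXE", "parent_image": SAMPLE},
    {"pid": 3528, "image": PROFILE + r"\SMSS.EXE", "parent_image": SAMPLE},
    # Benign control: the real lsass started by wininit, as on every boot.
    {"pid": 700, "image": r"C:\Windows\System32\lsass.exe",
     "parent_image": r"C:\Windows\System32\wininit.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"PID {f['pid']}: {f['image']}  <- {', '.join(f['reasons'])}")
```

xk.exe is deliberately not caught by these rules: it is an unknown name in a writable-by-admin system directory, which is a job for the file-drop and registry checks rather than for name-based process rules. The lookalike rule lists every known name within two edits, so IExplorer.exe is reported against both explorer.exe and iexplore.exe; tune the threshold down to one edit if it is too noisy on your fleet.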

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    91KB

    MD5

    2b7b1f31bbd5a517bbe1030e45d1176f

    SHA1

    c30540f0e4477d67ce893e2e23e3ded67de3e7fb

    SHA256

    5810b86f33d0f38dc8d3a05ca3df38f7c229adc101f4b9ecab8c92571a818f30

    SHA512

    7adbf57a24b4f3230088ad43966a295f4a6351f1c39803020c93fa436da21c14bfcbbc33a62815fef2722652f9b860301e1ab26643c4094496250ad5d98a02cb

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    91KB

    MD5

    9458152757f809bdc2aeeab7eddcc1b7

    SHA1

    f12e911ac0a6d96d038309aeb36fbd3075a13d69

    SHA256

    4e335c7664067e76d64de73dd3994f1d0930ea44c86dd31036237af12ff70422

    SHA512

    18da6b90b81019b5fb9f3465598eb4d474caef4d305e9a22ae7818ccbf19f73bb85f4477991e90e6bcf75bd2a07b751b3ae31b72f17754c47f90af08efa973d9

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    91KB

    MD5

    99583bad9b5a5a950f175e054b42d4b3

    SHA1

    0179a7e86748547d6460ec0c4b1c5e094fe7d03b

    SHA256

    f735bc5eab79e5dc0b6e78184ab5f62d2710ea5a4664d82bc7c11a8e2a2b5839

    SHA512

    5394a66293cc54ee93315d09c1d7ba6b5c948a47ddd958ef773dbee25e05d3c2d35d9d41de8fa5274b0ed155bf5c1b2b48aacd72b1e966e87ca6fb694848b624

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    91KB

    MD5

    8536214f787878274fd3bde6af32580f

    SHA1

    1dbe2885b436ba0c3b4fe1319ee9926c8fd75aae

    SHA256

    27563dceb5cbf8286dbaaffa2b780f0ee9344ed059407d7401d1afb848913aed

    SHA512

    fe6102561362ccf65825d0b15cffc618cc0370f38011502e127a15f96787609cb2f1db81eab6d70afafdd37b92325691f06d33cb798ae55fa3b60b0072b6343c

  • C:\Windows\xk.exe

    Filesize

    91KB

    MD5

    ca703dae516a27e4bbf822b18b37e001

    SHA1

    ee5588e3655c9c9d4cf453d8cabdfdf872cfb164

    SHA256

    eca89348fcd55bb6ca5f394426e6bbe481db64674d39a35c53ead1f3d73a5359

    SHA512

    abe456755fa539c99bb6b22b8e3bb4abdacf30e5cc79049e6556111f6aa90d15dab20d5133e147cff4c6ffd77c7cbdbf5eb9a87946b9fe3e6257700d755ca0ff

  • memory/1188-113-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1396-119-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1436-138-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1684-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1684-153-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1776-124-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2908-131-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3136-145-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3528-152-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB
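
Two observations on the numbers above. The copy dropped as C:\Users\Admin\AppData\Local\winlogon.exe carries exactly the submitted sample's MD5, SHA1, SHA256 and SHA512, so it is a byte-for-byte self-copy, whereas xk.exe, IExplorer.exe, LSASS.EXE and SMSS.EXE are all 91KB yet hash differently, so a hash-only IoC list will miss the copies this sample writes on another host. Every memory region listed is 0x400000-0x42F000, which is 0x2F000 = 192512 bytes = 188KB, larger than the 91KB file on disk, as expected for the UPX-packed image the signatures flag once it has unpacked in memory. The following is an added example (not tria.ge output): a hash matcher that loads the Downloads table, walks a directory computing all three digests in one pass, and reports the byte-identical pairs in the table; region_size() does the memory-range arithmetic. The table is copied from the report; the function names and the probe bytes in self_check() are this example's own.

```python
"""Match files on disk against the hashes in the Downloads section above and
sanity-check the report's own numbers.

Added example, not tria.ge output.  The IOC table is copied verbatim from the
report; the function names, the directory walk and the probe bytes used by
self_check() are this example's own.
"""
import hashlib
import os
import sys
from collections import defaultdict

ALGOS = ("md5", "sha1", "sha256")

IOCS = [
    {"label": "submitted sample",
     "md5": "99583bad9b5a5a950f175e054b42d4b3",
     "sha1": "0179a7e86748547d6460ec0c4b1c5e094fe7d03b",
     "sha256": "f735bc5eab79e5dc0b6e78184ab5f62d2710ea5a4664d82bc7c11a8e2a2b5839"},
    {"label": r"C:\Users\Admin\AppData\Local\winlogon.exe",
     "md5": "99583bad9b5a5a950f175e054b42d4b3",
     "sha1": "0179a7e86748547d6460ec0c4b1c5e094fe7d03b",
     "sha256": "f735bc5eab79e5dc0b6e78184ab5f62d2710ea5a4664d82bc7c11a8e2a2b5839"},
    {"label": r"C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE",
     "md5": "2b7b1f31bbd5a517bbe1030e45d1176f",
     "sha1": "c30540f0e4477d67ce893e2e23e3ded67de3e7fb",
     "sha256": "5810b86f33d0f38dc8d3a05ca3df38f7c229adc101f4b9ecab8c92571a818f30"},
    {"label": r"C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE",
     "md5": "9458152757f809bdc2aeeab7eddcc1b7",
     "sha1": "f12e911ac0a6d96d038309aeb36fbd3075a13d69",
     "sha256": "4e335c7664067e76d64de73dd3994f1d0930ea44c86dd31036237af12ff70422"},
    {"label": r"C:\Windows\SysWOW64\IExplorer.exe",
     "md5": "8536214f787878274fd3bde6af32580f",
     "sha1": "1dbe2885b436ba0c3b4fe1319ee9926c8fd75aae",
     "sha256": "27563dceb5cbf8286dbaaffa2b780f0ee9344ed059407d7401d1afb848913aed"},
    {"label": r"C:\Windows\xk.exe",
     "md5": "ca703dae516a27e4bbf822b18b37e001",
     "sha1": "ee5588e3655c9c9d4cf453d8cabdfdf872cfb164",
     "sha256": "eca89348fcd55bb6ca5f394426e6bbe481db64674d39a35c53ead1f3d73a5359"},
]


def hash_bytes(data: bytes) -> dict[str, str]:
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def hash_file(path: str, chunk: int = 1 << 20) -> dict[str, str]:
    """All three digests in a single read of the file."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def build_index(iocs: list[dict]) -> dict[str, set[str]]:
    """Every hash of every algorithm -> labels carrying it."""
    idx: dict[str, set[str]] = defaultdict(set)
    for e in iocs:
        for a in ALGOS:
            idx[e[a].lower()].add(e["label"])
    return idx


def duplicates(iocs: list[dict]) -> list[set[str]]:
    """Groups of table entries that are byte-identical (same SHA-256)."""
    by_sha: dict[str, set[str]] = defaultdict(set)
    for e in iocs:
        by_sha[e["sha256"].lower()].add(e["label"])
    return [labels for labels in by_sha.values() if len(labels) > 1]


def scan(root: str, index: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """Walk root; return (path, algorithm, label) for every hash hit."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            try:
                digests = hash_file(p)
            except OSError:
                continue  # unreadable or vanished; skip, do not abort the walk
            for algo, d in digests.items():
                for label in sorted(index.get(d, ())):
                    hits.append((p, algo, label))
    return hits


def region_size(memory_dump_name: str) -> int:
    """'memory/1684-0-0x...400000-0x...42F000-memory.dmp' -> bytes in range."""
    lo, hi = memory_dump_name.split("-memory.dmp")[0].split("-")[-2:]
    return int(hi, 16) - int(lo, 16)


def self_check() -> bool:
    """Offline smoke test with constructed probe bytes (not malware)."""
    import tempfile
    probe = b"constructed probe bytes, not malware"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "probe.bin"), "wb") as f:
            f.write(probe)
        hits = scan(d, build_index(IOCS + [{"label": "probe", **hash_bytes(probe)}]))
    return (sorted(a for _, a, _ in hits) == list(ALGOS)
            and all(label == "probe" for _, _, label in hits))


if __name__ == "__main__":
    for group in duplicates(IOCS):
        print("byte-identical in report:", " == ".join(sorted(group)))
    if len(sys.argv) > 1:
        for path, algo, label in scan(sys.argv[1], build_index(IOCS)):
            print(f"HIT {algo} {path} -> {label}")
```

Point scan() at %LOCALAPPDATA% and C:\Windows on a suspect host. A hit on any single algorithm is enough; the three are kept because third-party feeds often publish only one of them. Because the report shows the dropped copies hashing differently from each other, treat a clean scan as inconclusive and rely on the path and process checks from the earlier sections.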