Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/10/2024, 19:04

General

  • Target

    5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644N.exe

  • Size

    72KB

  • MD5

    1e4d9acc849b60a5088b65d115df1420

  • SHA1

    6a3eee5fba5f91d92e1c3a91a300706dfa16574c

  • SHA256

    5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644

  • SHA512

    4685a70343767dedc29d61d893304093c1e1093eaf55d8757c3decb7d93b3b94721d21c52f18fd50918d9efcdf53b639087608aece6967f133bfb0daab1de7e8

  • SSDEEP

    1536:x5FNAlTnd+5rO0PxfXZVBZq5qYXMEIcSg:XTAlOO0Pxfznq5zXug

Malware Config

Signatures

  • Windows security bypass (2 TTPs, 4 IoCs)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Event Triggered Execution: Image File Execution Options Injection (1 TTP, 3 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Windows security modification (2 TTPs, 4 IoCs)
  • Indicator Removal: Clear Persistence (1 TTP, 1 IoC)

    Removes Image File Execution Options (IFEO) entries.

  • Modifies WinLogon (2 TTPs, 5 IoCs)
  • Drops file in System32 directory (9 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:640
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:3460
        • C:\Users\Admin\AppData\Local\Temp\5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644N.exe
          "C:\Users\Admin\AppData\Local\Temp\5bf49a2a344edb120b44ae6b0ad5891245e6a3c46189237b32c9f4b056fa5644N.exe"
          2⤵
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:428
          • C:\Windows\SysWOW64\uclivoaf-eagur.exe
            "C:\Windows\SysWOW64\uclivoaf-eagur.exe"
            3⤵
            • Windows security bypass
            • Boot or Logon Autostart Execution: Active Setup
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Windows security modification
            • Indicator Removal: Clear Persistence
            • Modifies WinLogon
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4904
            • C:\Windows\SysWOW64\uclivoaf-eagur.exe
              --k33p
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:2540

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\akgeaniv-oucac.exe
    Filesize: 73KB
    MD5: c3fce884c66004baf3694f4b2ceff613
    SHA1: f6feabb35317a70e8f15f8e292536728f133556f
    SHA256: a0ece8b9654b5262cca389dcd53023a2223244d7e2c3fd584ddbf0cd32d0eb6a
    SHA512: 6bd309953ea74c87c733bcb7e0ae3b0ec32ba1aba7b5a09865ac0a9675ae5afcb2278a15e61adb0aedbc3e63e99bcde8d553fb6177ea5c8ddca426c65d2dfbfb

  • C:\Windows\SysWOW64\oucbifoor-idum.exe
    Filesize: 72KB
    MD5: 3e5c8e44141a30b2a4d4dd12ce53f174
    SHA1: fa6b433711d20c629ebae35486bf0c5f46e676ae
    SHA256: 12a681e83c1b9760c0bc6e86e2337890ba573a479602dc24b6d97c7ce437ded5
    SHA512: 3fc64ca747067deba00a0db6b8b781a1ee42ed810ac1838847c904f559f220262b89a816999e10bb67cdb505c64a5b799de1df78caba8120904bc542ee71321a

  • C:\Windows\SysWOW64\uclivoaf-eagur.exe
    Filesize: 70KB
    MD5: b8cc9fe7d1840ecd71fd24cfdda854bc
    SHA1: 935a1f04733722c3918810c5174b387f6beb1fec
    SHA256: 6b0f97eb129528df88d0c90ebaa572ad89111624142501ea72f19c6890032529
    SHA512: 379a3830b7b13655fab55836acc1de5cc5f33c64118d588a7936e6f4c40aae97d88760bbd1d0200228e6b2f135470bfe50bcecce95e34e8d21dff2cdfada1723

  • C:\Windows\SysWOW64\ulkeadak.dll
    Filesize: 5KB
    MD5: f37b21c00fd81bd93c89ce741a88f183
    SHA1: b2796500597c68e2f5638e1101b46eaf32676c1c
    SHA256: 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
    SHA512: 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

  • memory/428-4-0x0000000000400000-0x0000000000403000-memory.dmp
    Filesize: 12KB

  • memory/2540-45-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB

  • memory/4904-44-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB