Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    03/10/2024, 23:33

General

  • Target

    3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe

  • Size

    19KB

  • MD5

    6103b71e8c01efb84c8673a6a83a6f20

  • SHA1

    bcf90b4b43c65198aa605e9bc9246658524e851e

  • SHA256

    3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491

  • SHA512

    384a2af86b12398f7d27cf2f312f106df0bc1d510d313774337b7d75ce311629f2a12aac90ae43c9184950558176ef0658f00543067b8988bab86ecefac088f6

  • SSDEEP

    384:g58AcUoUQKNRYELxQUHDvmk3E+KDvB77777J77c77c77c72qh5x5+gY7lAt7BDf8:g5BOFKksO1mE9B77777J77c77c77c71S

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • UPX packed file 31 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX variant.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe
    "C:\Users\Admin\AppData\Local\Temp\3a1024cabe4458b882d722ca9563f7b0551280d0a264bcfc4947f888d4f66491N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4508
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:788
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2172
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4316
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:972
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1456
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2644
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4600
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5048
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM services.exe /T
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1620
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:612
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1840
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3664
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1148
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3292
    • C:\Windows\2774E5.exe
      C:\Windows\2774E5.exe
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1868
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM services.exe /T
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4220
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4792
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2148
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4996
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1992
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2708
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3180
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM services.exe /T
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4224
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1860
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4692
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2372
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4616
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:872
      • C:\Windows\2774E5STTUQS.exe
        C:\Windows\2774E5STTUQS.exe
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1064
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4444
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM services.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1448
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4032
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2236
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2912
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3088
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:888
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM winlogon.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1308
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM services.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4836
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM lsass.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:868
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM csrss.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4808
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM smss.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2896
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM inetinfo.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3776
        • C:\Windows\SysWOW64\TASKKILL.exe
          TASKKILL /S COMPUTERNAME /F /IM svchost.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2120
        • C:\Windows\2774E5STTUQS.exe
          C:\Windows\2774E5STTUQS.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4172
        • C:\Windows\2774E5.exe
          C:\Windows\2774E5.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1284
      • C:\Windows\2774E5.exe
        C:\Windows\2774E5.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1772

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\2774E5.exe
    Filesize 21KB
    MD5 59c28beffe75d5ebf92d16bccd998dce
    SHA1 37df342c00b4512196a7a5f360a0dfddee0be8d9
    SHA256 1a85d766b69916732874647f546f68f1f91bca70b2b3bf15677b0f15dbab19aa
    SHA512 a018bbec695477ec908bd4786eb477ed561631dfe6f3b22b75a50e2c44bd6e2299d543cec7aea609f5d83f5783d9aba16b5d547f4daa0c779dc94fe09877b987
  • C:\Windows\2774E5STTUQS.exe
    Filesize 21KB
    MD5 19ac4326320a8fb89eba3d2d6582efe0
    SHA1 957cac537a49f4ec4183f7440d79409ba4603f35
    SHA256 66dce0f1f2f992fd405dd784b30a339e831e66c9f23e088b6c9f39c7d1e53001
    SHA512 ec785fd9141b05799d08a5cbd069d747529cc172c624f19004c29072cdaf478787b166bff6cf43294501d7457bd7c14dec03b33fe30510cc860f6e4331804a1f
  • memory/1064-51-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)
  • memory/1064-53-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)
  • memory/1064-59-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)
  • memory/1064-57-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)
  • memory/1064-55-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)
  • memory/1064-47-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)
  • memory/1064-37-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)
  • memory/1064-49-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)
  • memory/1064-39-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)
  • memory/1064-45-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)
  • memory/1064-41-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)
  • memory/1064-43-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)
  • memory/1284-27-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)
  • memory/1772-33-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)
  • memory/2212-52-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)
  • memory/2212-50-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)
  • memory/2212-44-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)
  • memory/2212-48-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)
  • memory/2212-38-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)
  • memory/2212-42-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)
  • memory/2212-36-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)
  • memory/2212-40-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)
  • memory/2212-46-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)
  • memory/2212-58-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)
  • memory/2212-54-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)
  • memory/2212-56-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)
  • memory/4172-22-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)
  • memory/4508-35-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)
  • memory/4508-0-0x0000000000400000-0x000000000040F000-memory.dmp (Filesize 60KB)