Analysis

  • max time kernel
    96s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/10/2024, 05:29

General

  • Target

    afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe

  • Size

    91KB

  • MD5

    b0fa0a9b8123ddaebdfbccaa15c812f0

  • SHA1

    4ecd5296b548cc2c03893bb59651ef39c9d5cae4

  • SHA256

    afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26

  • SHA512

    53f28afaf51b48158d045d4878144351d54d15978233f13b24aa69e29a6da09bd6e024fed4871d7a2182500e1dc3c5919f0ff811e7d5a60f868a46b834dbf03e

  • SSDEEP

    1536:XJRtlEnBHHIgabuYotV/JbJCX5SBinJRtlEnBHHIgabuYotV/JbJCX5SBiE:XvtYxOuYotvYQInvtYxOuYotvYQIE

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
    "C:\Users\Admin\AppData\Local\Temp\afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:5088
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:208
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5012
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3656
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3208
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1652
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:948
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3972

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    91KB

    MD5

    cc0fe2c4be06f1d50835f886ac701887

    SHA1

    464c6147f05a0e256de5294e514e46c509b61d9b

    SHA256

    3fc119f813ff4445a29e3e126205ff1178930ca299aa099bdc69156f065bafeb

    SHA512

    ef40a8657d68e4beeab24f834b63ffa40e085fbd1ad98b8eafd93192c30ad1196cc756232cc5259d54ab8c20d5cb7a1d786f4e997f334302420e679cfc8c780b

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    91KB

    MD5

    7e605b89aecfb053118f143d80f3a3ac

    SHA1

    35c365c0e5411970a2cbdb91b8d6b707c9543373

    SHA256

    fbb8cf88a4bc45c73be4910f3305118ddfadb03bae0eaae87b4a48d6393af54f

    SHA512

    5051c74534e6b204911350971461becc5383074a68e1e8fd5d80f6e8ddc39019d70716e3888990987552abdc668f225d26a13fb488e1a74103147d6b18e10120

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    91KB

    MD5

    9d48527e59ce5cd9dfd8c0e89a5b8b37

    SHA1

    f9a13772eedc8a8c54d5d592fe2e6e000e3cc089

    SHA256

    f659e19d5838855def7240a237cc5de5967dc932132c3f2e47a7b6ea08dcb6f9

    SHA512

    ee97850399117207ae5e5e8f101da606fc702d0cbe68685f8bfeb75cc760ab4f4331fcc32f59661fc04faf5702891a56c53af43ed894481e078eff1f4ce9b1f3

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    91KB

    MD5

    14ba81b1a50b44634711d02a799b18bd

    SHA1

    14133046740a03da68f717398da7b04935199900

    SHA256

    9497ca22fb40555b44565267945b4ad4fccd9a7a49aaac9b29bb78e3ac7fad08

    SHA512

    98e0f3d5b8d9e844b911fd56f6ebf952682945078a2d04901b45a2d8f10e81c13ec980db176fec298ac60796e2cd84416303515d83dc76ea4884b9ee3f94b8d3

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    91KB

    MD5

    6eea1f1a8c70f9b1e2f3b3482cd7f3cb

    SHA1

    0bb00724575c18c91375eaa6d279cae2195441d9

    SHA256

    a031362909d510f3af38cf8fb67eba52e9c13b30830bf6d19c677cdde6a3f708

    SHA512

    ffe0949aeee711a796a655f6fc5ee9f340a9ebbef920cb67af2442a0d5e84418231b1d5ac40a61db40546a854b73ce7ca3f72aff8fa6f18326cbe9c7158efab6

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    91KB

    MD5

    b0fa0a9b8123ddaebdfbccaa15c812f0

    SHA1

    4ecd5296b548cc2c03893bb59651ef39c9d5cae4

    SHA256

    afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26

    SHA512

    53f28afaf51b48158d045d4878144351d54d15978233f13b24aa69e29a6da09bd6e024fed4871d7a2182500e1dc3c5919f0ff811e7d5a60f868a46b834dbf03e

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    91KB

    MD5

    26e6409e6ad0ea77414daee19a59281f

    SHA1

    3f185ac2e3d8291d4435fc9302952c1e3a2f63b4

    SHA256

    f9efab8071c16548874d061741272fcb8a50f4d70b55fcaaa7e43361c5f58546

    SHA512

    e68f99bebea35dd8b813a9732db12e46d51b0f782b48fb12e9681addb5348521146d68c92d442b22b1e66ae7f7877fa613d29f27113e604006ca9c72215a56e8

  • C:\Windows\xk.exe

    Filesize

    91KB

    MD5

    932a6b27697795103e9bba753acfd46a

    SHA1

    a2a26dc46b816f67247fdb9d0e70ac0aef5ef6ca

    SHA256

    f11f63585439b3d1cae83115643f85aeb6ea0ea7d25b9aa1bf90c932aa066ef4

    SHA512

    6b59096a3ebcdeae0f139ca6b50dab4a11317b68df934545731e58b3926ba89a6f03a397352d2acd3b6c0549652a8e972b5daccb1e632e6f303c903f6d3a843b

  • memory/208-111-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/948-145-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1652-137-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3208-130-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3656-124-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3972-151-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/5012-118-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/5088-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/5088-153-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB