Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

02b6675eed...6N.exe

windows7-x64

02b6675eed...6N.exe

windows10-2004-x64

Analysis

  • max time kernel
    38s
  • max time network
    39s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11/10/2024, 22:35

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    02b6675eedc6f5f6fa88bae5e331131c6900501e5b543ff16f839320f6d33cb6N.exe

  • Size

    234KB

  • MD5

    52388efef65151557e386d2829247b20

  • SHA1

    3258e556cd6e3b6a7941dbe3494c060b63448557

  • SHA256

    02b6675eedc6f5f6fa88bae5e331131c6900501e5b543ff16f839320f6d33cb6

  • SHA512

    dc829f5cdc3a8bf618aade862a3920bfc2e88146dd3d85d76e5cf4d36331ac43c6fc7944bd17178fc48fc97c013f9d1eb46c4e9a375c3b2f0708341e9cf4ee6f

  • SSDEEP

    384:PJG14lR/NpKAN+UJfo8vJh/7neuwyv3ZUKcreuDreuwyv3ZUKcreuDj:RFtFe8vJtDeunUreufeunUreuP

Score
10/10
defense_evasiondiscoveryevasionpersistence

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Modifies WinLogon 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 4 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
    defense_evasion
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\02b6675eedc6f5f6fa88bae5e331131c6900501e5b543ff16f839320f6d33cb6N.exe
    "C:\Users\Admin\AppData\Local\Temp\02b6675eedc6f5f6fa88bae5e331131c6900501e5b543ff16f839320f6d33cb6N.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Adds Run key to start application
    • Modifies WinLogon
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2792
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Windows\system32\winsock.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1600
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +s "C:\Windows\system32\winsock.exe"
        3⤵
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:3004
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Windows\system32\winkernel32.exe"
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +s "C:\Windows\system32\winkernel32.exe"
        3⤵
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2752
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c shutdown -r
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Windows\SysWOW64\shutdown.exe
        shutdown -r
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2660
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:580
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:2824

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\winsock.exe
        Filesize

        258KB

        MD5

        f2e15b52a3cdc16e2e0a241e7b7af12b

        SHA1

        5fc354c6e2199d8178a7512ef16c56d2b87be372

        SHA256

        93becf493f79d3a981b1ecdb6d4cf8bd13dcf980ebc6a2dc8e4a27e01c2e8c1f

        SHA512

        61a155f138106fab98110fd8e204b9f33898fb25f32e46e1e60512a2a2a79fe5ce078f798db39db7ced47bfa411d681a7847768ab39a132ccaefd44d0786a740

        Download Submit

      • memory/580-8-0x0000000002D90000-0x0000000002D91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2792-4-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download