Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

8f5c02636a...0b.exe

windows7-x64

10

8f5c02636a...0b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    20/11/2024, 18:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8f5c02636a6977ae7045a1325c005b8f76897678320dd84a2ea1d2458a5a530b.exe

  • Size

    64KB

  • MD5

    d098ed5d12ec03c894ce42da6e38c2d6

  • SHA1

    2e2a54824aba72e90d634d255999b2eee9503306

  • SHA256

    8f5c02636a6977ae7045a1325c005b8f76897678320dd84a2ea1d2458a5a530b

  • SHA512

    5b9df34ad34cc2f9d46580654144008976124c00752c95d3adbe275159de1d06a4077658fc42846590511947d0fdef4f9372c36196eb2759b56891eaaa03842f

  • SSDEEP

    1536:9VB9ew1O/1hhDiZnHba3W74s3KdWGGZttlI6TRqnouy8hyG+jKY:9Ve1fh8nHbao6dWntI6TRyouthyLv

Score
10/10
discoveryevasionpersistencetrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 10 IoCs
  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Control Panel 3 IoCs
    evasion
  • Modifies registry class 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f5c02636a6977ae7045a1325c005b8f76897678320dd84a2ea1d2458a5a530b.exe
    "C:\Users\Admin\AppData\Local\Temp\8f5c02636a6977ae7045a1325c005b8f76897678320dd84a2ea1d2458a5a530b.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • UAC bypass
    • Windows security bypass
    • Event Triggered Execution: Image File Execution Options Injection
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Windows security modification
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2328
    • C:\Program Files (x86)\Windows Media Player\svchost.exe
      "C:\Program Files (x86)\Windows Media Player\svchost.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1860
    • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
      "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
      2⤵
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Program Files (x86)\Windows Media Player\wmpshare.exe
        "C:\Program Files (x86)\Windows Media Player\wmpshare.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2104
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "8f5c02636a6977ae7045a1325c005b8f76897678320dd84a2ea1d2458a5a530b.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2304
    • C:\Program Files (x86)\Windows Media Player\wmplayerc.exe
      "C:\Program Files (x86)\Windows Media Player\wmplayerc.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Program Files (x86)\Windows Media Player\svchost.exe
        "C:\Program Files (x86)\Windows Media Player\svchost.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Image File Execution Options Injection

1
T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Image File Execution Options Injection

1
T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Modify Registry

8
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Windows Media Player\wmplayerc.exe
    Filesize

    64KB

    MD5

    584ce8bcd32e8151fdcef49313bf4403

    SHA1

    854a02c7ea29db78c3fd549777f491f2d6ea903a

    SHA256

    4ffc358c469505d71ff8256c5d3bb24a662a600bee8cc94dc04e4d80f74d0092

    SHA512

    1e2289922c5285b8ae954e62fa0bbd9bc163e4e766cc2d62149c2fcfd6a20c8f41cac0477547752c2a9a642fcac09b83f90e142ce63605254bf5f28663a8b1f6

    Download Submit

  • C:\RÊCYCLÊR\desktop.ini
    Filesize

    65B

    MD5

    ad0b0b4416f06af436328a3c12dc491b

    SHA1

    743c7ad130780de78ccbf75aa6f84298720ad3fa

    SHA256

    23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416

    SHA512

    884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56

    Download Submit

  • C:\RÊCYCLÊR\  .com
    Filesize

    64KB

    MD5

    0493e603218b3fbbeceaebc9867469f8

    SHA1

    17ae0c5609862becc7aded4acafef54ee28fc3cf

    SHA256

    c43c0fc797cbbe767318ac312b948ef4cf20588091289a546ed17dddbc049701

    SHA512

    4f41c68707cb4727479931c36060928e3e377baefdc31ef75889419f4e8305780ad79f55a23e2a52514349058c3117c2069ec6f33d212a5db3a93e1f5d863a2d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{3BA23399-FCC7-421D-837A-1CF325062197}.jpg
    Filesize

    23KB

    MD5

    fd5fd28e41676618aac733b243ad54db

    SHA1

    b2d69ad6a2e22c30ef1806ac4f990790c3b44763

    SHA256

    a26544648ef8ceffad6c789a3677031be3c515918627d7c8f8e0587d3033c431

    SHA512

    4c32623796679be7066b719f231d08d24341784ecfd5d6461e8140379f5b394216e446865df56e05b5f1e36962c9d34d2b5041275366aeabcd606f4536217fe4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{E65DE84E-BC4D-46CB-BF30-0C193D543E51}.jpg
    Filesize

    22KB

    MD5

    35e787587cd3fa8ed360036c9fca3df2

    SHA1

    84c76a25c6fe336f6559c033917a4c327279886d

    SHA256

    98c49a68ee578e10947209ebc17c0ad188ed39c7d0c91a2b505f317259c0c9b2

    SHA512

    aeec3eed5a52670f4cc35935005bb04bb435964a1975e489b8e101adfbce278142fd1a6c475860b7ccb414afe5e24613361a66d92f457937de9b21a7a112e1f9

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\6ON6VS51.htm
    Filesize

    114B

    MD5

    e89f75f918dbdcee28604d4e09dd71d7

    SHA1

    f9d9055e9878723a12063b47d4a1a5f58c3eb1e9

    SHA256

    6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023

    SHA512

    8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

    Download Submit

  • C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Large.jpg
    Filesize

    32KB

    MD5

    84bba83cfbc0233517407678bb842686

    SHA1

    1c617de788de380d28c52dc733ad580c3745a1c1

    SHA256

    6ecf98adb3cd0931ec803f3a56a9563c7d60bb86ec1886b21e3d0f7eb25198d9

    SHA512

    a6a80c00a28c43c1c427018e6fb6dac4682d299d2f50202f520af0b1bca803546c850f04094ed2f532ff8775f6d45f2a40e4f5e069937bcaa0326a80bd818e0e

    Download Submit

  • \Program Files (x86)\Windows Media Player\svchost.exe
    Filesize

    9KB

    MD5

    a3565eec669697a3d6f7b35fb75fcb26

    SHA1

    6e81f83c057ff5da8f800a23f32f717a3e0ca2dc

    SHA256

    a7e6bd8d46e6eb541a071fb8a94b9567ecbb1c353764e36fae8b6f41b4a3d1d5

    SHA512

    0f815447afd11be56e49455bb4246b6e31063ae5f72743109a644d4d0fb0c79e78cf7b9bf17b19684fba25a72a66b2e4ad6a481871ae6792472a9e9942a20032

    Download Submit

  • memory/1832-125-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1860-145-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1860-12-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2132-117-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2132-156-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2328-127-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2328-9-0x0000000000510000-0x0000000000521000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2328-116-0x0000000002450000-0x0000000002494000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2328-0-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download