Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/11/2024, 02:24

General

  • Target

    b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7.exe

  • Size

    1016KB

  • MD5

    ee47200f60aa0ffe7e554db291da8a8f

  • SHA1

    a2ab0c657b6045b98aca1befb1fe2ce02ca0ae9e

  • SHA256

    b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7

  • SHA512

    02512eaff12cf835116833bead2006aa14e4f86e65f0225887e5d9e2b7a199849222bd15d50bf269e23646192f7cde45f9cb3746964bb6d3e6d325b4d250d478

  • SSDEEP

    6144:GIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUM:GIXsgtvm1De5YlOx6lzBH46UM

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • UAC bypass 3 TTPs 13 IoCs
  • Adds policy Run key to start application 2 TTPs 26 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 32 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7.exe
    "C:\Users\Admin\AppData\Local\Temp\b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Users\Admin\AppData\Local\Temp\cnrfakasmxb.exe
      "C:\Users\Admin\AppData\Local\Temp\cnrfakasmxb.exe" "c:\users\admin\appdata\local\temp\b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2132
      • C:\Users\Admin\AppData\Local\Temp\lmxcgo.exe
        "C:\Users\Admin\AppData\Local\Temp\lmxcgo.exe" "-C:\Users\Admin\AppData\Local\Temp\xidsgyojtvlunncx.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2236
      • C:\Users\Admin\AppData\Local\Temp\lmxcgo.exe
        "C:\Users\Admin\AppData\Local\Temp\lmxcgo.exe" "-C:\Users\Admin\AppData\Local\Temp\xidsgyojtvlunncx.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:3000
    • C:\Users\Admin\AppData\Local\Temp\cnrfakasmxb.exe
      "C:\Users\Admin\AppData\Local\Temp\cnrfakasmxb.exe" "c:\users\admin\appdata\local\temp\b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:2436

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\kiqstybjgvyuanpxhjhprsxai.uxt

    Filesize

    280B

    MD5

    d8a580e0c4fcffed6b6b97c782779d57

    SHA1

    9bbdbad358814acb8397b85a0889196d06b80e6e

    SHA256

    a940ea30627371c1602fbf3193c0e0a053e6c94892ca7faa1aa1934da857f058

    SHA512

    d5a9f79ec6537543d0d882f5c5666579c602e5d4ee3ca3c0fee199b2750e075c5446e0641f9f26ecb51d099e6fc80691dd7450864c0302be5ca8d6d2065ba2fd

  • C:\Program Files (x86)\kiqstybjgvyuanpxhjhprsxai.uxt

    Filesize

    280B

    MD5

    8a336946dad8824d03d4ee871a62d4af

    SHA1

    d1df7c6c7fbf41e7bff0636c3d164221fef32b4f

    SHA256

    cd965d31a2c8b7962177af5797a2437f1d40d629811519e7db8a9c439428370f

    SHA512

    f263cb5214392dcf39bc1e6bc7a37c0e37ae4e0ff36fac1037bc94aea5c56d5556fd9e9f5f0ffb24f1a465113ba2ee35a9840ea0db79fbbbb92de54b1c1c2b3c

  • C:\Users\Admin\AppData\Local\kiqstybjgvyuanpxhjhprsxai.uxt

    Filesize

    280B

    MD5

    a34709c2932b5b49fe48e8bfc0c6f76f

    SHA1

    e1a33ca70387901127c1e9341b3131afdd20dd56

    SHA256

    4e23331d6e688679e409d44b2feffaaa2269511b78a49db244c5ca0cdfc9c439

    SHA512

    6ef84d8ed066cef16dc5b7246924cb68860d4503e72f1d3b94a8ec55578bebc8186e9dd9f7e940d2770d3371c72a72af060ffa0ca06e6db518dbb391369bd30b

  • C:\Users\Admin\AppData\Local\kiqstybjgvyuanpxhjhprsxai.uxt

    Filesize

    280B

    MD5

    3f1ab9cc381c43aac4b510acf6e387f9

    SHA1

    46cf09339f1e5d9b06639d43e1ec97141b21622f

    SHA256

    da1bf4606fed6c78bf8b61b707a0f2308c3266fc58679544a52303bfedeaa6f7

    SHA512

    4ad41f59a7e95f28be872081036886d48970e625819f12eb696ddc8273d62f98a945476ee08b14359353c9908e1a7e41ec495b41a0d4fd1c772dd4e54f9d45b8

  • C:\Users\Admin\AppData\Local\kiqstybjgvyuanpxhjhprsxai.uxt

    Filesize

    280B

    MD5

    da82fdfec9ce8915d30f8eca2852716c

    SHA1

    7731bd901d24638c0d755f5e9da99a77231fb96e

    SHA256

    5239cce2d52069daff3435a3c4600c21f12f916d190e8a3c37e93b6874528015

    SHA512

    3d3f5d7fab52e77b3811b8555864c3ea2691a14286e2527ce0555e169aab3a94babbb7a9e1de9834212c0f2b696401fe5fee236675a6ad54e96a6de342e07ffb

  • C:\Users\Admin\AppData\Local\pyreqgunvvjqhfslgtcviukyrzznuljwpkxg.myo

    Filesize

    4KB

    MD5

    e637b263af7977209db69cf46607af73

    SHA1

    e06c3ab858c1945e977c8634835d5bb80eefa323

    SHA256

    e47336a9b3f503e05636e0d63c8a86cc4a2e7ac86e01466bb523e55711e11ff8

    SHA512

    f62f516f1e9758dcdc4075b139c77064ea891eedeb5967c544b6c4c67d7036db19f65f5230234f2a7ccfd37a98f163308797e6d32bfc8747706d50dbd406b694

  • C:\Windows\SysWOW64\naxoeyqnzdvgbdurqh.exe

    Filesize

    1016KB

    MD5

    ee47200f60aa0ffe7e554db291da8a8f

    SHA1

    a2ab0c657b6045b98aca1befb1fe2ce02ca0ae9e

    SHA256

    b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7

    SHA512

    02512eaff12cf835116833bead2006aa14e4f86e65f0225887e5d9e2b7a199849222bd15d50bf269e23646192f7cde45f9cb3746964bb6d3e6d325b4d250d478

  • C:\yamsxgn.bat

    Filesize

    544KB

    MD5

    4a4a2c83059d4094657c3af4a562be0e

    SHA1

    7148c7a5e67cad8dfe972c49f4f694e67d83fefc

    SHA256

    8160e5defad5b538c4096d3bfe2d38dad468cd725e7ff993a7ac7fae4d20fb97

    SHA512

    ab10677e97374fdf4e1e2c9681fdc1085a4716f01289d4fda24714c367cc4bf06ab3e1c7a9054cf75f2c7996d8aaac6a98cb18a41fb95c27fce5e17f4d40c9aa

  • \Users\Admin\AppData\Local\Temp\cnrfakasmxb.exe

    Filesize

    320KB

    MD5

    1fa6b18a54e9d48d0c2934d9c3537fc1

    SHA1

    ccbb3c67581a3eaca3eddd89ee6c60080dcd6ab1

    SHA256

    6b39f39fd546a299caabde08224d29ab0e02c0aa52170493c6c5fa4c31adaf76

    SHA512

    a5a51cf03ad3f2fed708ee84ff017a87eaa1b1ea6b6c556fba7519508e1865dcad511d9f5245ea8d0b40ce588c7d1376a9613a41f3bbf63606e7fde1a3e26d43

  • \Users\Admin\AppData\Local\Temp\lmxcgo.exe

    Filesize

    736KB

    MD5

    6156cffaa33f0ec2da64f97ce5116a79

    SHA1

    ff2b223f3da9597bb3c55d9e19c74da522c8b4d2

    SHA256

    fa88e012ef861299a664ee33c51ab95ebf16c3f2a41c8832adb5686a5d2f8425

    SHA512

    98c37c6672a28e85bb706c1c10f7ccdd0e5bc8ac09c677f6df3e15256b8b93956e3392bff4e1b9c68d779ce383d631f33c18dc18d3387d4f11c121a15278ec55