Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8

2dda7d6491...5f.exe

windows7-x64

10

2dda7d6491...5f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    20/10/2022, 02:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2dda7d6491fd1ad5bf4065f523e5c44d2978a940d2865b31a4e364675fe64a5f.exe

  • Size

    255KB

  • MD5

    739c0bcdcb87e2e7f1cb3bf84b04ff60

  • SHA1

    ae809db1099c94a66d5edffc0353a35a700d5c29

  • SHA256

    2dda7d6491fd1ad5bf4065f523e5c44d2978a940d2865b31a4e364675fe64a5f

  • SHA512

    a815bceabbc34c79ae2764de7a463831d46f1cd74fa8d8f1d482b4eb404fad3a4796021cb3475fff3ec4c33d0a8851c5240e208b1e9325dc13a7392414b19b14

  • SSDEEP

    6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBWFv6Y:Plf5j6zCNa0xeE3mt

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 29 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 12 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2dda7d6491fd1ad5bf4065f523e5c44d2978a940d2865b31a4e364675fe64a5f.exe
    "C:\Users\Admin\AppData\Local\Temp\2dda7d6491fd1ad5bf4065f523e5c44d2978a940d2865b31a4e364675fe64a5f.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:288
    • C:\Windows\SysWOW64\llnyxbogxr.exe
      llnyxbogxr.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:956
      • C:\Windows\SysWOW64\xlsexpej.exe
        C:\Windows\system32\xlsexpej.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1396
    • C:\Windows\SysWOW64\nqmsoluizmubigm.exe
      nqmsoluizmubigm.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1088
    • C:\Windows\SysWOW64\xlsexpej.exe
      xlsexpej.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2028
    • C:\Windows\SysWOW64\yaysxxccskmzp.exe
      yaysxxccskmzp.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:336
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:836
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:440

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize

      255KB

      MD5

      c231a125eb5b0d074250dee2ae55c897

      SHA1

      40ef643d760174db15f52e759eac4e9e75e6fbba

      SHA256

      0b369cba0b3f2756a404ceb9af47c760ee18ec27c16a943c7fa8cba2748df439

      SHA512

      0d50d2b854f5c1454e28435b76d957065a216dcba052114a53afca31413b312b24a3cdd7792df6f86f3abf7d58affc9dbb8a395903d07984d0b5a8440af8b9c0

      Download Submit

    • C:\Users\Admin\Desktop\WaitUndo.doc.exe
      Filesize

      255KB

      MD5

      ea40cd5e23c0124f5686906e0f8b7e19

      SHA1

      aede34744278acd5a509ecd56ea0c517f791ae02

      SHA256

      4cb6e8a2464aa5e1f8a8986fe35a49c61d92dee5ba137d3f31cf5bcda92b161f

      SHA512

      03425d50ea07cc8b1f0105f7f8fb54ddcabac4cc37d79b76d296d0ccbe4cebcba6309835b8587b12d9b5676770438a7869c960561125b891289d2989013eb44d

      Download Submit

    • C:\Windows\SysWOW64\llnyxbogxr.exe
      Filesize

      255KB

      MD5

      75f3e67bde2f5edf6cbadfa9613b5576

      SHA1

      44e53cabc9296e334a19ec09eceb646d9ecf5337

      SHA256

      e8a628923690840c1882c1e9f393a77047f11fc4d70da15a058a7f439c354074

      SHA512

      fa4a539540b00fb28f2d797b03d8f2304baeb2759d2ac1d2aaac6880fddbaae11a5f9402059617436ddcc2a841478c4c24f98f2c69498c17bd5c3a5ff683619c

      Download Submit

    • C:\Windows\SysWOW64\llnyxbogxr.exe
      Filesize

      255KB

      MD5

      75f3e67bde2f5edf6cbadfa9613b5576

      SHA1

      44e53cabc9296e334a19ec09eceb646d9ecf5337

      SHA256

      e8a628923690840c1882c1e9f393a77047f11fc4d70da15a058a7f439c354074

      SHA512

      fa4a539540b00fb28f2d797b03d8f2304baeb2759d2ac1d2aaac6880fddbaae11a5f9402059617436ddcc2a841478c4c24f98f2c69498c17bd5c3a5ff683619c

      Download Submit

    • C:\Windows\SysWOW64\nqmsoluizmubigm.exe
      Filesize

      255KB

      MD5

      720eba2be3a5f3908a5826104b314d7b

      SHA1

      533f961f6f329b87abacaf27ebc057d5d321a159

      SHA256

      970379c98aeb8a080008f553de212de1d6d086f3b03efb58c737cf18b9c7f067

      SHA512

      5e6c5a50174d006fc8346b253054241e490aa6b91fc7dfe798a317f02c1115d4167e36995a0dc4ff92ea53d1a332e86351c142ef5a8c6c78bb7bb5d7832d353c

      Download Submit

    • C:\Windows\SysWOW64\nqmsoluizmubigm.exe
      Filesize

      255KB

      MD5

      720eba2be3a5f3908a5826104b314d7b

      SHA1

      533f961f6f329b87abacaf27ebc057d5d321a159

      SHA256

      970379c98aeb8a080008f553de212de1d6d086f3b03efb58c737cf18b9c7f067

      SHA512

      5e6c5a50174d006fc8346b253054241e490aa6b91fc7dfe798a317f02c1115d4167e36995a0dc4ff92ea53d1a332e86351c142ef5a8c6c78bb7bb5d7832d353c

      Download Submit

    • C:\Windows\SysWOW64\xlsexpej.exe
      Filesize

      255KB

      MD5

      47a170f01523a5effeeb2c3bc7f4bdfb

      SHA1

      9c1ba5a275fc75f999882c032b0b53675a99423f

      SHA256

      6bea4ef864d3fc1953d46c84dbac37161041b6230f94459a30f901bc8952726e

      SHA512

      2aa84126495c55d205e29ffad577bf4ff6a306220904bd5203068332b61c1f2b2fb4ed6d2c97aa5c7f90bf8cd6e74fba27bd23ce9a9c42cf4dc300a2e5e14b45

      Download Submit

    • C:\Windows\SysWOW64\xlsexpej.exe
      Filesize

      255KB

      MD5

      47a170f01523a5effeeb2c3bc7f4bdfb

      SHA1

      9c1ba5a275fc75f999882c032b0b53675a99423f

      SHA256

      6bea4ef864d3fc1953d46c84dbac37161041b6230f94459a30f901bc8952726e

      SHA512

      2aa84126495c55d205e29ffad577bf4ff6a306220904bd5203068332b61c1f2b2fb4ed6d2c97aa5c7f90bf8cd6e74fba27bd23ce9a9c42cf4dc300a2e5e14b45

      Download Submit

    • C:\Windows\SysWOW64\xlsexpej.exe
      Filesize

      255KB

      MD5

      47a170f01523a5effeeb2c3bc7f4bdfb

      SHA1

      9c1ba5a275fc75f999882c032b0b53675a99423f

      SHA256

      6bea4ef864d3fc1953d46c84dbac37161041b6230f94459a30f901bc8952726e

      SHA512

      2aa84126495c55d205e29ffad577bf4ff6a306220904bd5203068332b61c1f2b2fb4ed6d2c97aa5c7f90bf8cd6e74fba27bd23ce9a9c42cf4dc300a2e5e14b45

      Download Submit

    • C:\Windows\SysWOW64\yaysxxccskmzp.exe
      Filesize

      255KB

      MD5

      a3b08b4cfe58defa0d4f36fba8b2e609

      SHA1

      a3a94e7658700ff81d872a241fd9a4d096dcb819

      SHA256

      a37a955b57f210d2cb4bacd985c7ac45079019db8b2fa47f2d85234bc5a315a6

      SHA512

      dbe6462482b969c40e622666041ad60e2bb0485f6aa5c7e096a507a13ff4e5c8eebe5f1aad1764d6f35ebbd4d2bf9b1f708359fcb77b85a32cd4771b017b4a10

      Download Submit

    • C:\Windows\SysWOW64\yaysxxccskmzp.exe
      Filesize

      255KB

      MD5

      a3b08b4cfe58defa0d4f36fba8b2e609

      SHA1

      a3a94e7658700ff81d872a241fd9a4d096dcb819

      SHA256

      a37a955b57f210d2cb4bacd985c7ac45079019db8b2fa47f2d85234bc5a315a6

      SHA512

      dbe6462482b969c40e622666041ad60e2bb0485f6aa5c7e096a507a13ff4e5c8eebe5f1aad1764d6f35ebbd4d2bf9b1f708359fcb77b85a32cd4771b017b4a10

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize

      255KB

      MD5

      c231a125eb5b0d074250dee2ae55c897

      SHA1

      40ef643d760174db15f52e759eac4e9e75e6fbba

      SHA256

      0b369cba0b3f2756a404ceb9af47c760ee18ec27c16a943c7fa8cba2748df439

      SHA512

      0d50d2b854f5c1454e28435b76d957065a216dcba052114a53afca31413b312b24a3cdd7792df6f86f3abf7d58affc9dbb8a395903d07984d0b5a8440af8b9c0

      Download Submit

    • \Windows\SysWOW64\llnyxbogxr.exe
      Filesize

      255KB

      MD5

      75f3e67bde2f5edf6cbadfa9613b5576

      SHA1

      44e53cabc9296e334a19ec09eceb646d9ecf5337

      SHA256

      e8a628923690840c1882c1e9f393a77047f11fc4d70da15a058a7f439c354074

      SHA512

      fa4a539540b00fb28f2d797b03d8f2304baeb2759d2ac1d2aaac6880fddbaae11a5f9402059617436ddcc2a841478c4c24f98f2c69498c17bd5c3a5ff683619c

      Download Submit

    • \Windows\SysWOW64\nqmsoluizmubigm.exe
      Filesize

      255KB

      MD5

      720eba2be3a5f3908a5826104b314d7b

      SHA1

      533f961f6f329b87abacaf27ebc057d5d321a159

      SHA256

      970379c98aeb8a080008f553de212de1d6d086f3b03efb58c737cf18b9c7f067

      SHA512

      5e6c5a50174d006fc8346b253054241e490aa6b91fc7dfe798a317f02c1115d4167e36995a0dc4ff92ea53d1a332e86351c142ef5a8c6c78bb7bb5d7832d353c

      Download Submit

    • \Windows\SysWOW64\xlsexpej.exe
      Filesize

      255KB

      MD5

      47a170f01523a5effeeb2c3bc7f4bdfb

      SHA1

      9c1ba5a275fc75f999882c032b0b53675a99423f

      SHA256

      6bea4ef864d3fc1953d46c84dbac37161041b6230f94459a30f901bc8952726e

      SHA512

      2aa84126495c55d205e29ffad577bf4ff6a306220904bd5203068332b61c1f2b2fb4ed6d2c97aa5c7f90bf8cd6e74fba27bd23ce9a9c42cf4dc300a2e5e14b45

      Download Submit

    • \Windows\SysWOW64\xlsexpej.exe
      Filesize

      255KB

      MD5

      47a170f01523a5effeeb2c3bc7f4bdfb

      SHA1

      9c1ba5a275fc75f999882c032b0b53675a99423f

      SHA256

      6bea4ef864d3fc1953d46c84dbac37161041b6230f94459a30f901bc8952726e

      SHA512

      2aa84126495c55d205e29ffad577bf4ff6a306220904bd5203068332b61c1f2b2fb4ed6d2c97aa5c7f90bf8cd6e74fba27bd23ce9a9c42cf4dc300a2e5e14b45

      Download Submit

    • \Windows\SysWOW64\yaysxxccskmzp.exe
      Filesize

      255KB

      MD5

      a3b08b4cfe58defa0d4f36fba8b2e609

      SHA1

      a3a94e7658700ff81d872a241fd9a4d096dcb819

      SHA256

      a37a955b57f210d2cb4bacd985c7ac45079019db8b2fa47f2d85234bc5a315a6

      SHA512

      dbe6462482b969c40e622666041ad60e2bb0485f6aa5c7e096a507a13ff4e5c8eebe5f1aad1764d6f35ebbd4d2bf9b1f708359fcb77b85a32cd4771b017b4a10

      Download Submit

    • memory/288-55-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/288-80-0x00000000033E0000-0x0000000003480000-memory.dmp

      Filesize

      640KB

      Download

    • memory/288-54-0x0000000075771000-0x0000000075773000-memory.dmp

      Filesize

      8KB

      Download

    • memory/288-82-0x00000000033E0000-0x0000000003480000-memory.dmp

      Filesize

      640KB

      Download

    • memory/288-88-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/336-85-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/336-98-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/440-103-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/836-89-0x0000000071FF1000-0x0000000071FF4000-memory.dmp

      Filesize

      12KB

      Download

    • memory/836-90-0x000000006FA71000-0x000000006FA73000-memory.dmp

      Filesize

      8KB

      Download

    • memory/836-91-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/836-94-0x0000000070A5D000-0x0000000070A68000-memory.dmp

      Filesize

      44KB

      Download

    • memory/836-106-0x0000000070A5D000-0x0000000070A68000-memory.dmp

      Filesize

      44KB

      Download

    • memory/836-105-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/956-81-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/956-95-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1088-96-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1088-83-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1396-99-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1396-86-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2028-97-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2028-84-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download