Analysis

  • max time kernel
    153s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/10/2022, 08:17

General

  • Target

    61355aa34d9454f597770e7bd8fdfe93fe71a2edc663853b4e1a862268a3bee0.exe

  • Size

    255KB

  • MD5

    d1dd2cf7a5d0dd9ef6f0fa84c9c7a635

  • SHA1

    2ce8f163dc431940a3455a38d1e66acbfa247a7b

  • SHA256

    61355aa34d9454f597770e7bd8fdfe93fe71a2edc663853b4e1a862268a3bee0

  • SHA512

    63a4db03256fb326da8e3453e24fb16181fbfd097bef30dd97da47e0cb1379093f3ff904ce9dae4eb8d60dfda0897cd454df2fb554aaaf06992bffe195139542

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJz:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI0

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • UPX packed file 31 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61355aa34d9454f597770e7bd8fdfe93fe71a2edc663853b4e1a862268a3bee0.exe
    "C:\Users\Admin\AppData\Local\Temp\61355aa34d9454f597770e7bd8fdfe93fe71a2edc663853b4e1a862268a3bee0.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\SysWOW64\zwygyeprrr.exe
      zwygyeprrr.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:604
      • C:\Windows\SysWOW64\zxxdnaub.exe
        C:\Windows\system32\zxxdnaub.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:560
    • C:\Windows\SysWOW64\zxxdnaub.exe
      zxxdnaub.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1900
    • C:\Windows\SysWOW64\lgpkvlxnygrxb.exe
      lgpkvlxnygrxb.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:948
    • C:\Windows\SysWOW64\vehtvxcpfpscinw.exe
      vehtvxcpfpscinw.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:744
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:880

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

      Filesize

      255KB

      MD5

      52c6a0f21b3ca0db8ecf14f067729c08

      SHA1

      3155005048356c12d3ed9215559e49bb2a01261b

      SHA256

      8b6e6bd6ff369b586dfd062638caa63082fbf5f794cad8c4f740b29ff16ed903

      SHA512

      662ee2200ad5eee95c0f9b6d8104a3381e2b961fabf3ca2d9ba57f4ad1745718e6aadb70ef09de5c5a87b1cd04f5f2a28fe61d346c6e3fc2a138c4e77d392fab

    • C:\Users\Admin\Downloads\ReceiveEnable.doc.exe

      Filesize

      255KB

      MD5

      b7fb67c63f6d0cbb65d846a79d5acbdb

      SHA1

      2a506ec0e38c9eae08ff1014180273cd8c590cf6

      SHA256

      3d8b2345fff63f4e669503ad87591fa90d2c81670f3c5cf47f25c2c2e08af7ce

      SHA512

      4f88b7e8b8ecc4b1953463227e56dcc85e97a54c7f8425990ff48d321f244558338cb118745d2e91079b9c416096683ae2d34bc721c4c54c1cf749f053ca6c4a

    • C:\Windows\SysWOW64\lgpkvlxnygrxb.exe

      Filesize

      255KB

      MD5

      2a543568bd21eee480fd5dadfdd9e75f

      SHA1

      afa357ab4f4e9d7b57849aeb72e9affcf3983658

      SHA256

      32381892c5712fd811107107b53bff243127748ab3f7307646c739eaa78607e1

      SHA512

      3d00e3be69455d8408d1a5f1dd54a4b23ef481fa249d717faec5c7fd948f70eb9e98c893c7c77e38d70a6fcfd61b2a854e7d03d52a904244b50b93c0d591171d

    • C:\Windows\SysWOW64\vehtvxcpfpscinw.exe

      Filesize

      255KB

      MD5

      92a6bf0b05c08f1705b2027f56a9b47d

      SHA1

      25084f4a29222134ae4d809633188b0907b64ddf

      SHA256

      3a47f03691ec4500e4f8428201071457656f4e5a661b7acb92806d397de58df2

      SHA512

      10c664a4b0e9abfb591f174075a660760d68d1366da528ea05c1e2103b9bf2c22e2016c1b45b5275002ac43f2f3d11d41e73dbcee89e1128da9cfd85966029ee

    • C:\Windows\SysWOW64\zwygyeprrr.exe

      Filesize

      255KB

      MD5

      f067cc90f3f64f29616a0fbedfdfe5cf

      SHA1

      8e3bdf89622871a2f08cc906de6db0a7c7267014

      SHA256

      9afd312367f216480450eeea99197354292aa3741fb7f56201426c201c327ee3

      SHA512

      fc959a52ca18cdc4a88a3b3405db01316267be980565402b052f743531b34d6259e478bda953be5b63399cc63bdf2feb2cbe936c465b13fa8adbd79dc184de44

    • C:\Windows\SysWOW64\zxxdnaub.exe

      Filesize

      255KB

      MD5

      5887860d43918b468642288782da9606

      SHA1

      1bfce9ee7dc5784efcf0fc89870296c84fa9ba4e

      SHA256

      a1a8c3af8b254d82e74e7a809d306db112c9d552786d6f5cf1b3231e6b7159fd

      SHA512

      f634f779e62b375ce10c050df61d05d6f7eb02affd1772daff5d91f3a2986fd2b569b598d23589033f77d08aa91898d6ebd5055241b504ae6c80c506cfbf20ab

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      255KB

      MD5

      f5ade7e6aa55a45485eb24ff046f05b0

      SHA1

      f23907e8ef2e3ab71a077903be326b3c4e993c6e

      SHA256

      dba925b7d01404cdbb500a3574ddf8cbb1322b3cfeeb6c36b3e348e8545ce49b

      SHA512

      7f350782213a3cb65cbfe883e8fd09b8be72ba18463932356347388adbe284cf0d7cc52d1628641551589bd4ef653aa57bfcfb8b917b86d1afa1d8c80d2d80df

    • \Windows\SysWOW64\lgpkvlxnygrxb.exe

      Filesize

      255KB

      MD5

      2a543568bd21eee480fd5dadfdd9e75f

      SHA1

      afa357ab4f4e9d7b57849aeb72e9affcf3983658

      SHA256

      32381892c5712fd811107107b53bff243127748ab3f7307646c739eaa78607e1

      SHA512

      3d00e3be69455d8408d1a5f1dd54a4b23ef481fa249d717faec5c7fd948f70eb9e98c893c7c77e38d70a6fcfd61b2a854e7d03d52a904244b50b93c0d591171d

    • \Windows\SysWOW64\vehtvxcpfpscinw.exe

      Filesize

      255KB

      MD5

      92a6bf0b05c08f1705b2027f56a9b47d

      SHA1

      25084f4a29222134ae4d809633188b0907b64ddf

      SHA256

      3a47f03691ec4500e4f8428201071457656f4e5a661b7acb92806d397de58df2

      SHA512

      10c664a4b0e9abfb591f174075a660760d68d1366da528ea05c1e2103b9bf2c22e2016c1b45b5275002ac43f2f3d11d41e73dbcee89e1128da9cfd85966029ee

    • \Windows\SysWOW64\zwygyeprrr.exe

      Filesize

      255KB

      MD5

      f067cc90f3f64f29616a0fbedfdfe5cf

      SHA1

      8e3bdf89622871a2f08cc906de6db0a7c7267014

      SHA256

      9afd312367f216480450eeea99197354292aa3741fb7f56201426c201c327ee3

      SHA512

      fc959a52ca18cdc4a88a3b3405db01316267be980565402b052f743531b34d6259e478bda953be5b63399cc63bdf2feb2cbe936c465b13fa8adbd79dc184de44

    • \Windows\SysWOW64\zxxdnaub.exe

      Filesize

      255KB

      MD5

      5887860d43918b468642288782da9606

      SHA1

      1bfce9ee7dc5784efcf0fc89870296c84fa9ba4e

      SHA256

      a1a8c3af8b254d82e74e7a809d306db112c9d552786d6f5cf1b3231e6b7159fd

      SHA512

      f634f779e62b375ce10c050df61d05d6f7eb02affd1772daff5d91f3a2986fd2b569b598d23589033f77d08aa91898d6ebd5055241b504ae6c80c506cfbf20ab

    • \Windows\SysWOW64\zxxdnaub.exe

      Filesize

      255KB

      MD5

      5887860d43918b468642288782da9606

      SHA1

      1bfce9ee7dc5784efcf0fc89870296c84fa9ba4e

      SHA256

      a1a8c3af8b254d82e74e7a809d306db112c9d552786d6f5cf1b3231e6b7159fd

      SHA512

      f634f779e62b375ce10c050df61d05d6f7eb02affd1772daff5d91f3a2986fd2b569b598d23589033f77d08aa91898d6ebd5055241b504ae6c80c506cfbf20ab

    • memory/560-98-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/560-86-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/604-77-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/604-91-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/744-79-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/744-92-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/880-105-0x000007FEFBAB1000-0x000007FEFBAB3000-memory.dmp

      Filesize

      8KB

    • memory/948-81-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/948-94-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/1900-93-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/1900-80-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/1948-100-0x0000000070F1D000-0x0000000070F28000-memory.dmp

      Filesize

      44KB

    • memory/1948-96-0x0000000070F1D000-0x0000000070F28000-memory.dmp

      Filesize

      44KB

    • memory/1948-90-0x000000006FF31000-0x000000006FF33000-memory.dmp

      Filesize

      8KB

    • memory/1948-95-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1948-89-0x00000000724B1000-0x00000000724B4000-memory.dmp

      Filesize

      12KB

    • memory/1948-107-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1948-108-0x0000000070F1D000-0x0000000070F28000-memory.dmp

      Filesize

      44KB

    • memory/2020-88-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/2020-54-0x0000000075451000-0x0000000075453000-memory.dmp

      Filesize

      8KB

    • memory/2020-57-0x0000000002FD0000-0x0000000003070000-memory.dmp

      Filesize

      640KB

    • memory/2020-78-0x0000000002FD0000-0x0000000003070000-memory.dmp

      Filesize

      640KB

    • memory/2020-55-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB