Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    151s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    06/11/2022, 16:07

General

  • Target

    8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe

  • Size

    512KB

  • MD5

    0e63f45c2d3ab50c8a0048077bcc7260

  • SHA1

    410c56790d05f4743f7fb98c86b5d36601d4f41c

  • SHA256

    8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739

  • SHA512

    689f6501d5cd44d6ec9f313417cc8ed9a05c5d0cc60a1b46c7f9ff642d5325b35e1c7b0e8c95d1826bd8bc6722bd49767f18cc78bdd24509d386885673039596

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6P:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5O

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 26 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 22 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 40 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe
    "C:\Users\Admin\AppData\Local\Temp\8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Windows\SysWOW64\rvfadgwnkr.exe
      rvfadgwnkr.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:268
      • C:\Windows\SysWOW64\hbfzgvve.exe
        C:\Windows\system32\hbfzgvve.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:2032
    • C:\Windows\SysWOW64\vpodhoetlylzfwd.exe
      vpodhoetlylzfwd.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1476
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c sulhwtpcrfcml.exe
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1636
        • C:\Windows\SysWOW64\sulhwtpcrfcml.exe
          sulhwtpcrfcml.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          PID:632
    • C:\Windows\SysWOW64\hbfzgvve.exe
      hbfzgvve.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:1020
    • C:\Windows\SysWOW64\sulhwtpcrfcml.exe
      sulhwtpcrfcml.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1468
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1156
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:656
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x598
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1988
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1544

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    ee80af2f28984ee6706cc44b3c4934de

    SHA1

    6b4b1ce8b99b943e4e2a0f57a2307638e4969a28

    SHA256

    1ef1e83892406d5b7fbcf48f9f65f30efa911fedd70330bfcd109647805f041c

    SHA512

    3414c44ca8ddac283175cbcdefd4f3efa7705b587783c3e5e041a8eb0f1dc3fc0b5125e9151b30c2dd16ec58435649fe172dbd2c39e7385b055bd58beef3827f

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    502a78dea33de1b7021b5fe1cd0f97c2

    SHA1

    12003137f85f751b8c359f2e497f745662cbc24e

    SHA256

    df234ffcc36abca9baee2299ac41296ab1d6a7e54e06359ea00d48091bdbff81

    SHA512

    48e8bff7a267f62cad241336daedc0c6a1cee0704115ef64213ed507e2387e80aed165afebc42e44f5bece835825dab21a2302ef7269253101bed58e5ea20f37

  • C:\Program Files\SubmitExpand.doc.exe

    Filesize

    512KB

    MD5

    026e1f9b3a4b5ca0b7e8684189332456

    SHA1

    4b00bc722848e457454c7eb444eb50f70d20099c

    SHA256

    51a72a9b2577fda31297f7d1ec7b8958b53a3393f343ad9ccd8e13c59b53e92f

    SHA512

    3cb084a4d7bc95aa079c6b4c1e7559b80994e185f2c6ba1a5e18119ec182aa4c48145b2813a96e6daf667e9361b31de6600da7a8a6447443fe3af65cc6ef6869

  • C:\Users\Admin\Documents\ExportUnregister.doc.exe

    Filesize

    512KB

    MD5

    1540fcab07a37be400c08db6e81cff3e

    SHA1

    e08a6f161a2ba165957ddbe2d3a6243679f8ff1b

    SHA256

    1f5446c8a90cc15810989d63689cfaf6625a5aca63af285e5f519e0b469fc635

    SHA512

    9e075202d3882464eab05e33020ae62cdcec03b16d1c69b25781699e13b7a5d39b5b1c06dd4b2c72e302988839056ea693c46ed9fa94591946205e05e644942a

  • C:\Users\Admin\Documents\PublishGet.doc.exe

    Filesize

    512KB

    MD5

    c3102e204cb3684f65a4ebc6de0788aa

    SHA1

    5ed10d4c6d2bb3eb6c38422e9fe8e581c185b39c

    SHA256

    df4115a935d5a92c55ed4d8b3c64aed5d675c02234cfefc54fbaa83ffc44296d

    SHA512

    38f3d6d262e07551a1f9b260f1ad048b4eef2cf8dd509bed653bd96c577a7b4d6a8377a642af5aa5e61cad451ce26893a56c2e6c8b3eb2a10f3adafc5c4c8568

  • C:\Users\Admin\Music\DenyUnprotect.doc.exe

    Filesize

    512KB

    MD5

    854c1cc0045f1b27e52f5aa10f9c32c6

    SHA1

    d37b8258dfc3fa66696d7e6ed717bf2fb884e811

    SHA256

    1a9eb23287288e2dd45ac26d0d61a7cc900ec905d767386ff67b0170f7e9ef54

    SHA512

    7570b2c5878c584b356200c1d55d392fd0e06e9e429d8feaea2552dcf433eb4c3033aeda218b6b979e748ed3b3e67899a10ca1c1200ead7c2d707e4f392badd4

  • C:\Users\Admin\Music\DenyUnprotect.doc.exe

    Filesize

    512KB

    MD5

    854c1cc0045f1b27e52f5aa10f9c32c6

    SHA1

    d37b8258dfc3fa66696d7e6ed717bf2fb884e811

    SHA256

    1a9eb23287288e2dd45ac26d0d61a7cc900ec905d767386ff67b0170f7e9ef54

    SHA512

    7570b2c5878c584b356200c1d55d392fd0e06e9e429d8feaea2552dcf433eb4c3033aeda218b6b979e748ed3b3e67899a10ca1c1200ead7c2d707e4f392badd4

  • C:\Users\Admin\Music\UnlockConnect.doc.exe

    Filesize

    512KB

    MD5

    c47ea5a297bc195f9e6684da5a18269c

    SHA1

    f0a2c4796420a009bbaabbe5f33ea3eaf8d32d05

    SHA256

    b66438529118a6d4d318f23c3b51196a59fc306dd0a8aad782b8cfba9d3bf617

    SHA512

    3c0b3e7c5ee8efe8080f85ec7abd8c5eb56b1ea80f8c19a2f6fcb7495aa1478cec9623d704c88f45ae66d1239d1dd0bb61aef7cea4a4cc20e78728d124214686

  • C:\Windows\SysWOW64\hbfzgvve.exe

    Filesize

    512KB

    MD5

    0490f1084f82690b9bd2a90c79ff765a

    SHA1

    2012bbc0cfb00fce495761e967d128837a1c126e

    SHA256

    f2696f79cb26296c925f74d3092576522d532850287de56d55584dd78716ec86

    SHA512

    42019a228ff4beefc04a36dd6728333dc02af7363eeeca6fab5da8e88967a84fd2ad4a20676e6d86465adf0a47841b2ba0308f0beec0802dfc5022c12462674f

  • C:\Windows\SysWOW64\hbfzgvve.exe

    Filesize

    512KB

    MD5

    0490f1084f82690b9bd2a90c79ff765a

    SHA1

    2012bbc0cfb00fce495761e967d128837a1c126e

    SHA256

    f2696f79cb26296c925f74d3092576522d532850287de56d55584dd78716ec86

    SHA512

    42019a228ff4beefc04a36dd6728333dc02af7363eeeca6fab5da8e88967a84fd2ad4a20676e6d86465adf0a47841b2ba0308f0beec0802dfc5022c12462674f

  • C:\Windows\SysWOW64\hbfzgvve.exe

    Filesize

    512KB

    MD5

    0490f1084f82690b9bd2a90c79ff765a

    SHA1

    2012bbc0cfb00fce495761e967d128837a1c126e

    SHA256

    f2696f79cb26296c925f74d3092576522d532850287de56d55584dd78716ec86

    SHA512

    42019a228ff4beefc04a36dd6728333dc02af7363eeeca6fab5da8e88967a84fd2ad4a20676e6d86465adf0a47841b2ba0308f0beec0802dfc5022c12462674f

  • C:\Windows\SysWOW64\rvfadgwnkr.exe

    Filesize

    512KB

    MD5

    d246efcae62704261a7915337ebd3d1c

    SHA1

    b2f310c66cac3311c7970f397fc8a142576afa72

    SHA256

    5c7f0b01ee7774311ff354350cd1e0fbc9a9b565df46176055ad4b84c33b78dd

    SHA512

    d29d36d8abd579c2c03de7e71a82cdd86b46d03c94383cc1db9c969b75ff2b79a4a3b01ffd552e01bb51ca269173056584c79d5099f70ac1927eaeb07fd97347

  • C:\Windows\SysWOW64\rvfadgwnkr.exe

    Filesize

    512KB

    MD5

    d246efcae62704261a7915337ebd3d1c

    SHA1

    b2f310c66cac3311c7970f397fc8a142576afa72

    SHA256

    5c7f0b01ee7774311ff354350cd1e0fbc9a9b565df46176055ad4b84c33b78dd

    SHA512

    d29d36d8abd579c2c03de7e71a82cdd86b46d03c94383cc1db9c969b75ff2b79a4a3b01ffd552e01bb51ca269173056584c79d5099f70ac1927eaeb07fd97347

  • C:\Windows\SysWOW64\sulhwtpcrfcml.exe

    Filesize

    512KB

    MD5

    baa5a714e5286868e57eabd353779a29

    SHA1

    e7cf1411ffb3e93c63e96cdb7cef3a9f3e966912

    SHA256

    3b25802104acbfb28f9efc36a1b4846117bb4c07bea4e8420793d240202c0631

    SHA512

    f98e2fad02cd9493845bd4e52398f972d232dea5bc9bad6d1b83e18c37d96322469d3ba3cfa72bee1776270681bee980169eff8638dda135070bc53bacc32eb4

  • C:\Windows\SysWOW64\sulhwtpcrfcml.exe

    Filesize

    512KB

    MD5

    baa5a714e5286868e57eabd353779a29

    SHA1

    e7cf1411ffb3e93c63e96cdb7cef3a9f3e966912

    SHA256

    3b25802104acbfb28f9efc36a1b4846117bb4c07bea4e8420793d240202c0631

    SHA512

    f98e2fad02cd9493845bd4e52398f972d232dea5bc9bad6d1b83e18c37d96322469d3ba3cfa72bee1776270681bee980169eff8638dda135070bc53bacc32eb4

  • C:\Windows\SysWOW64\sulhwtpcrfcml.exe

    Filesize

    512KB

    MD5

    baa5a714e5286868e57eabd353779a29

    SHA1

    e7cf1411ffb3e93c63e96cdb7cef3a9f3e966912

    SHA256

    3b25802104acbfb28f9efc36a1b4846117bb4c07bea4e8420793d240202c0631

    SHA512

    f98e2fad02cd9493845bd4e52398f972d232dea5bc9bad6d1b83e18c37d96322469d3ba3cfa72bee1776270681bee980169eff8638dda135070bc53bacc32eb4

  • C:\Windows\SysWOW64\vpodhoetlylzfwd.exe

    Filesize

    512KB

    MD5

    47ebe80146dc45f2ef51d1a30a680d1a

    SHA1

    1a06f68e58c0ddf61b1bfb8713c30a206b9501a1

    SHA256

    461d40efe1a8d8eafaaab9d65e8eefd224e3e2f6453a0fbc4462d39e61a74b5e

    SHA512

    7b15d16ace191011264056583e7c20cf714ac712ad87124dd54b94c12d30286bd8148fb221464cc6d6347b9e927d39448230425ddc2f1e143d159661ea52d65d

  • C:\Windows\SysWOW64\vpodhoetlylzfwd.exe

    Filesize

    512KB

    MD5

    47ebe80146dc45f2ef51d1a30a680d1a

    SHA1

    1a06f68e58c0ddf61b1bfb8713c30a206b9501a1

    SHA256

    461d40efe1a8d8eafaaab9d65e8eefd224e3e2f6453a0fbc4462d39e61a74b5e

    SHA512

    7b15d16ace191011264056583e7c20cf714ac712ad87124dd54b94c12d30286bd8148fb221464cc6d6347b9e927d39448230425ddc2f1e143d159661ea52d65d

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Users\Admin\Documents\ExportUnregister.doc.exe

    Filesize

    512KB

    MD5

    1540fcab07a37be400c08db6e81cff3e

    SHA1

    e08a6f161a2ba165957ddbe2d3a6243679f8ff1b

    SHA256

    1f5446c8a90cc15810989d63689cfaf6625a5aca63af285e5f519e0b469fc635

    SHA512

    9e075202d3882464eab05e33020ae62cdcec03b16d1c69b25781699e13b7a5d39b5b1c06dd4b2c72e302988839056ea693c46ed9fa94591946205e05e644942a

  • \Windows\SysWOW64\hbfzgvve.exe

    Filesize

    512KB

    MD5

    0490f1084f82690b9bd2a90c79ff765a

    SHA1

    2012bbc0cfb00fce495761e967d128837a1c126e

    SHA256

    f2696f79cb26296c925f74d3092576522d532850287de56d55584dd78716ec86

    SHA512

    42019a228ff4beefc04a36dd6728333dc02af7363eeeca6fab5da8e88967a84fd2ad4a20676e6d86465adf0a47841b2ba0308f0beec0802dfc5022c12462674f

  • \Windows\SysWOW64\hbfzgvve.exe

    Filesize

    512KB

    MD5

    0490f1084f82690b9bd2a90c79ff765a

    SHA1

    2012bbc0cfb00fce495761e967d128837a1c126e

    SHA256

    f2696f79cb26296c925f74d3092576522d532850287de56d55584dd78716ec86

    SHA512

    42019a228ff4beefc04a36dd6728333dc02af7363eeeca6fab5da8e88967a84fd2ad4a20676e6d86465adf0a47841b2ba0308f0beec0802dfc5022c12462674f

  • \Windows\SysWOW64\rvfadgwnkr.exe

    Filesize

    512KB

    MD5

    d246efcae62704261a7915337ebd3d1c

    SHA1

    b2f310c66cac3311c7970f397fc8a142576afa72

    SHA256

    5c7f0b01ee7774311ff354350cd1e0fbc9a9b565df46176055ad4b84c33b78dd

    SHA512

    d29d36d8abd579c2c03de7e71a82cdd86b46d03c94383cc1db9c969b75ff2b79a4a3b01ffd552e01bb51ca269173056584c79d5099f70ac1927eaeb07fd97347

  • \Windows\SysWOW64\sulhwtpcrfcml.exe

    Filesize

    512KB

    MD5

    baa5a714e5286868e57eabd353779a29

    SHA1

    e7cf1411ffb3e93c63e96cdb7cef3a9f3e966912

    SHA256

    3b25802104acbfb28f9efc36a1b4846117bb4c07bea4e8420793d240202c0631

    SHA512

    f98e2fad02cd9493845bd4e52398f972d232dea5bc9bad6d1b83e18c37d96322469d3ba3cfa72bee1776270681bee980169eff8638dda135070bc53bacc32eb4

  • \Windows\SysWOW64\sulhwtpcrfcml.exe

    Filesize

    512KB

    MD5

    baa5a714e5286868e57eabd353779a29

    SHA1

    e7cf1411ffb3e93c63e96cdb7cef3a9f3e966912

    SHA256

    3b25802104acbfb28f9efc36a1b4846117bb4c07bea4e8420793d240202c0631

    SHA512

    f98e2fad02cd9493845bd4e52398f972d232dea5bc9bad6d1b83e18c37d96322469d3ba3cfa72bee1776270681bee980169eff8638dda135070bc53bacc32eb4

  • \Windows\SysWOW64\vpodhoetlylzfwd.exe

    Filesize

    512KB

    MD5

    47ebe80146dc45f2ef51d1a30a680d1a

    SHA1

    1a06f68e58c0ddf61b1bfb8713c30a206b9501a1

    SHA256

    461d40efe1a8d8eafaaab9d65e8eefd224e3e2f6453a0fbc4462d39e61a74b5e

    SHA512

    7b15d16ace191011264056583e7c20cf714ac712ad87124dd54b94c12d30286bd8148fb221464cc6d6347b9e927d39448230425ddc2f1e143d159661ea52d65d

  • memory/656-98-0x000007FEFC001000-0x000007FEFC003000-memory.dmp

    Filesize

    8KB

  • memory/1156-96-0x000000007155D000-0x0000000071568000-memory.dmp

    Filesize

    44KB

  • memory/1156-93-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/1156-92-0x0000000070571000-0x0000000070573000-memory.dmp

    Filesize

    8KB

  • memory/1156-91-0x0000000072AF1000-0x0000000072AF4000-memory.dmp

    Filesize

    12KB

  • memory/1156-109-0x000000007155D000-0x0000000071568000-memory.dmp

    Filesize

    44KB

  • memory/1200-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

    Filesize

    8KB

  • memory/1200-55-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB