Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8

f98c438be9...0c.exe

windows7-x64

10

f98c438be9...0c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    176s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/11/2022, 06:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f98c438be981cf04775be0aaede2491a97d7209323426e6e38dbfbcf067bf20c.exe

  • Size

    255KB

  • MD5

    959659d0dad9d478b5e9300adf841e94

  • SHA1

    30821776c716ec7506f0d8951c5a782a601eef9d

  • SHA256

    f98c438be981cf04775be0aaede2491a97d7209323426e6e38dbfbcf067bf20c

  • SHA512

    603a1c6060882c44870e2122594ec510f31446679aae09c4158bad2a156b537473cf0fd7df3f66c0d21d9cddb2ecc9aee456f7381437c843ff4bcc46c23f8d87

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJe:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIR

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 29 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f98c438be981cf04775be0aaede2491a97d7209323426e6e38dbfbcf067bf20c.exe
    "C:\Users\Admin\AppData\Local\Temp\f98c438be981cf04775be0aaede2491a97d7209323426e6e38dbfbcf067bf20c.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3492
    • C:\Windows\SysWOW64\gkakzukczw.exe
      gkakzukczw.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3800
      • C:\Windows\SysWOW64\mouarejx.exe
        C:\Windows\system32\mouarejx.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1860
    • C:\Windows\SysWOW64\riqmbndjsblkcld.exe
      riqmbndjsblkcld.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2772
    • C:\Windows\SysWOW64\mouarejx.exe
      mouarejx.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2184
    • C:\Windows\SysWOW64\iwubldzpfwbjk.exe
      iwubldzpfwbjk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4864
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3468

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    255KB

    MD5

    8309c16c837594caed5ac113e7c5b3ff

    SHA1

    34cad0141899c238b1f599c2f4364ca05f9db9b0

    SHA256

    1f34b954dddd2d437e21d00b049f4eccb6504f2fdc0eed1b387708fcb27f2d82

    SHA512

    e47cc44b64159295db4014035dc758afe69cbc3ac76821be114374e024a078e2468c35be42a726cc6ad0a389b89e6471cb08780179ce967b2bf0a58a0b54f195

    Download Submit

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    255KB

    MD5

    95ee7002b79a605f5ad0ea93b1a669c8

    SHA1

    5cf16a33e878fe39bbf70236686e10520db5fa81

    SHA256

    8b129d43f5984ca1add5ea5dee081433985ba20ffd2167e7956be72509fe018c

    SHA512

    2ccc99be5e933be6bf88d7c519bc3f6ed27a7e7ce8488471d9b26e4a11e724b16043f81ee3c798053ba5218ab9a307cf0ae8c74e5a69ae58515ea3835963cf5c

    Download Submit

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    255KB

    MD5

    95ee7002b79a605f5ad0ea93b1a669c8

    SHA1

    5cf16a33e878fe39bbf70236686e10520db5fa81

    SHA256

    8b129d43f5984ca1add5ea5dee081433985ba20ffd2167e7956be72509fe018c

    SHA512

    2ccc99be5e933be6bf88d7c519bc3f6ed27a7e7ce8488471d9b26e4a11e724b16043f81ee3c798053ba5218ab9a307cf0ae8c74e5a69ae58515ea3835963cf5c

    Download Submit

  • C:\Users\Admin\Documents\DebugResize.doc.exe
    Filesize

    255KB

    MD5

    4edb97e4e8de1d179346e2b52103167b

    SHA1

    2b63a2fa80abe1be01e8b3293e2ee0ad0e8d678d

    SHA256

    ba5a674416f88e7974d8f81ce6566812fb711ef5baacc366f935bca45f27fd60

    SHA512

    091f025286572af2501a250f2510f5a3c71a8982a19d6a78f7b5e88584e9aa8c6a5d28d8e1b4be32aa97b8913abf2eaf4380262e6d428aff10117f73aab2c508

    Download Submit

  • C:\Windows\SysWOW64\gkakzukczw.exe
    Filesize

    255KB

    MD5

    78ade9ca05945dde003de3d874f3e333

    SHA1

    e0326e767acba58dc7784950476ef0c1508b2e81

    SHA256

    d8744a975f3f17584463ebe0e2d0f1af7528dffb0f1378791237455331160fc9

    SHA512

    fc765fc05b862ebbbee7a0036c005d4a7e704acc7ad7a33d6d9d11bfbcc6807a30532a89e3d61eb9be882a93af293f7d70d89589ee4101b6fc153701cfb74d81

    Download Submit

  • C:\Windows\SysWOW64\gkakzukczw.exe
    Filesize

    255KB

    MD5

    78ade9ca05945dde003de3d874f3e333

    SHA1

    e0326e767acba58dc7784950476ef0c1508b2e81

    SHA256

    d8744a975f3f17584463ebe0e2d0f1af7528dffb0f1378791237455331160fc9

    SHA512

    fc765fc05b862ebbbee7a0036c005d4a7e704acc7ad7a33d6d9d11bfbcc6807a30532a89e3d61eb9be882a93af293f7d70d89589ee4101b6fc153701cfb74d81

    Download Submit

  • C:\Windows\SysWOW64\iwubldzpfwbjk.exe
    Filesize

    255KB

    MD5

    ddbefe1d793f854ab6f5721fe5a1005a

    SHA1

    ca1a91d062f1a3b7f2498225a12fba82c10a8e98

    SHA256

    08c1aa208819a0a25a60bd08a72464814ac100df5807d7e831f19c11291bbb76

    SHA512

    e875acc87f877dfea8f1d214981cb33de8857f58fac852e8e447c7b6e9193188746bddc2f78e7be60848af794fa015a0d975801506a8188e28ea0880b7f21bd6

    Download Submit

  • C:\Windows\SysWOW64\iwubldzpfwbjk.exe
    Filesize

    255KB

    MD5

    ddbefe1d793f854ab6f5721fe5a1005a

    SHA1

    ca1a91d062f1a3b7f2498225a12fba82c10a8e98

    SHA256

    08c1aa208819a0a25a60bd08a72464814ac100df5807d7e831f19c11291bbb76

    SHA512

    e875acc87f877dfea8f1d214981cb33de8857f58fac852e8e447c7b6e9193188746bddc2f78e7be60848af794fa015a0d975801506a8188e28ea0880b7f21bd6

    Download Submit

  • C:\Windows\SysWOW64\mouarejx.exe
    Filesize

    255KB

    MD5

    cfb7c8396184ae20059b2beabf0d271b

    SHA1

    da50e20ff38550096844198da14375dcb578666c

    SHA256

    0cb2789107a4157fc4b120825090cfa568ef0ca0617b73719586b481a672b316

    SHA512

    c55f150b1519300b1b073d013f7e7eff0121b9033996e3815efc7193e084d855102bb4f84fe816b1207b7262b34160a0a2bf54ec66610c62ec32f56cbb6e7aad

    Download Submit

  • C:\Windows\SysWOW64\mouarejx.exe
    Filesize

    255KB

    MD5

    cfb7c8396184ae20059b2beabf0d271b

    SHA1

    da50e20ff38550096844198da14375dcb578666c

    SHA256

    0cb2789107a4157fc4b120825090cfa568ef0ca0617b73719586b481a672b316

    SHA512

    c55f150b1519300b1b073d013f7e7eff0121b9033996e3815efc7193e084d855102bb4f84fe816b1207b7262b34160a0a2bf54ec66610c62ec32f56cbb6e7aad

    Download Submit

  • C:\Windows\SysWOW64\mouarejx.exe
    Filesize

    255KB

    MD5

    cfb7c8396184ae20059b2beabf0d271b

    SHA1

    da50e20ff38550096844198da14375dcb578666c

    SHA256

    0cb2789107a4157fc4b120825090cfa568ef0ca0617b73719586b481a672b316

    SHA512

    c55f150b1519300b1b073d013f7e7eff0121b9033996e3815efc7193e084d855102bb4f84fe816b1207b7262b34160a0a2bf54ec66610c62ec32f56cbb6e7aad

    Download Submit

  • C:\Windows\SysWOW64\riqmbndjsblkcld.exe
    Filesize

    255KB

    MD5

    7d45817319492382d2b1ce29d72637e9

    SHA1

    362f22d139a642effa58715f31b1acb9ce53c1bd

    SHA256

    64d6e71c85eb9fb88de9e3c60be5ee60d87ccc76d83efbcadb002933678911dd

    SHA512

    d36887a77039bb3588666da5c09ea0678f4967d0b205712dd8fc0a5c710da9d703e528d2bef5d31be04270ba66f4ac55aedf0e26102c95a6a453daf224af3726

    Download Submit

  • C:\Windows\SysWOW64\riqmbndjsblkcld.exe
    Filesize

    255KB

    MD5

    7d45817319492382d2b1ce29d72637e9

    SHA1

    362f22d139a642effa58715f31b1acb9ce53c1bd

    SHA256

    64d6e71c85eb9fb88de9e3c60be5ee60d87ccc76d83efbcadb002933678911dd

    SHA512

    d36887a77039bb3588666da5c09ea0678f4967d0b205712dd8fc0a5c710da9d703e528d2bef5d31be04270ba66f4ac55aedf0e26102c95a6a453daf224af3726

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    255KB

    MD5

    0371751d30661b8f5010161e0d4d7e9d

    SHA1

    3339ea0eafbf0c3d50e644266659a853949fb41c

    SHA256

    90394b1026a0b95dee57da4df37559d472f8391a79b5973fea544b1b7857bf95

    SHA512

    1bdfed80832fca5edf6c4a41c0d173547f56bd479af24e4cdc9a66e49df2fd954457676ccbc036dbe12af97b1866857614493ceee0a874fa6561d6839b60e45a

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    255KB

    MD5

    0371751d30661b8f5010161e0d4d7e9d

    SHA1

    3339ea0eafbf0c3d50e644266659a853949fb41c

    SHA256

    90394b1026a0b95dee57da4df37559d472f8391a79b5973fea544b1b7857bf95

    SHA512

    1bdfed80832fca5edf6c4a41c0d173547f56bd479af24e4cdc9a66e49df2fd954457676ccbc036dbe12af97b1866857614493ceee0a874fa6561d6839b60e45a

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    255KB

    MD5

    d674028d9cd90be2c1b384cd4b1c0b15

    SHA1

    838e3dc0656bbd79ed0606d8e2a54461e4f82599

    SHA256

    fead36d3f7d13999e38e2b91e49b98672e52989ec50302030eebb798851c798f

    SHA512

    a0fb457f55cdf2532ab4a29d9a1d2e2039c39cdca10da21a187f6e70222fef4965a2e5300c40440b872057b7e836d760f7daa58a832af32d67b1ffa44334e19d

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    255KB

    MD5

    88f62b32a90c4a572d2749105167e2b7

    SHA1

    f795ce0d59b32ea0a1cff22ed9e747117476b458

    SHA256

    c5e309d1a8e36aaf27a4a5423b422b1faf3ccdd5a7e3a24da84aa32a7ae44c37

    SHA512

    7ec90a9a07233127a847dad5220cbfb9822b7280e26b3cde14439d20cd232cebef776b542228c63e02fcaa341ba4c98c1d4acfb21dfd2ff23875380ba4434124

    Download Submit

  • memory/1860-169-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1860-151-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2184-147-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2184-167-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2772-166-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2772-141-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/3468-154-0x00007FFD6ABF0000-0x00007FFD6AC00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3468-156-0x00007FFD6ABF0000-0x00007FFD6AC00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3468-157-0x00007FFD6ABF0000-0x00007FFD6AC00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3468-162-0x00007FFD68B90000-0x00007FFD68BA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3468-163-0x00007FFD68B90000-0x00007FFD68BA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3468-155-0x00007FFD6ABF0000-0x00007FFD6AC00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3468-179-0x00007FFD6ABF0000-0x00007FFD6AC00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3468-176-0x00007FFD6ABF0000-0x00007FFD6AC00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3468-158-0x00007FFD6ABF0000-0x00007FFD6AC00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3468-178-0x00007FFD6ABF0000-0x00007FFD6AC00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3468-177-0x00007FFD6ABF0000-0x00007FFD6AC00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3492-153-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/3492-132-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/3800-139-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/3800-165-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4864-148-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4864-168-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download