Analysis

  • max time kernel
    205s
  • max time network
    84s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/11/2022, 19:13

General

  • Target

    244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe

  • Size

    255KB

  • MD5

    b087f6eb1cedbd7c3aa83f37291aa692

  • SHA1

    3d84c0740bd244e6d57a42f6026f4a80fc04318a

  • SHA256

    244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d

  • SHA512

    73db8e072342f7a4790512eaadc95c6a2e87bc6ec397f14738e874db23979bb4ebce619107eb18805c72110a54fb72e5ac97c7c75ac9baa5dec86761611a4974

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJE:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIH

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • UPX packed file 35 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 15 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 22 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 44 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
    "C:\Users\Admin\AppData\Local\Temp\244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Windows\SysWOW64\hdcuztvley.exe
      hdcuztvley.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1108
      • C:\Windows\SysWOW64\hfuczssk.exe
        C:\Windows\system32\hfuczssk.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:816
    • C:\Windows\SysWOW64\dbjtzxyrueygvch.exe
      dbjtzxyrueygvch.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:720
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c vizpvuemnjffb.exe
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1336
        • C:\Windows\SysWOW64\vizpvuemnjffb.exe
          vizpvuemnjffb.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          PID:1060
    • C:\Windows\SysWOW64\hfuczssk.exe
      hfuczssk.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:744
    • C:\Windows\SysWOW64\vizpvuemnjffb.exe
      vizpvuemnjffb.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1712
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:1740
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1868
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x540
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1520

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

      Filesize

      255KB

      MD5

      d0fd58eaa81a32f4384c0042f8e853a2

      SHA1

      b73fc191b800db5f47ef4cfa5334d8ff69642fda

      SHA256

      e2d296a67ca39e012b708360b8addfb4b2713b6233917bb6397430bc5c9f25d3

      SHA512

      7a3e0c1c0fa47f2ab6216b6fe4c309255540381ea64935c25e9cddfe28e1fec40ddd7c947b168407b85377106c588b6f87a0c407047d1d3b601b396ed0672a3a

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      255KB

      MD5

      9de9e8b1cab59b1239c0567d3c6912b5

      SHA1

      6d49c0d0cb99cde08ac83bd974fa5e5ce11eb3f9

      SHA256

      d131da089e9c504be9b7ddfcc54db14dbc0d5c48cb06ae17154dda7e96b16a1a

      SHA512

      dcc0efeac852ba5a5a5a2f1e12d0f942306846dab7c19130a77bb8b2042c059de4f64192d68c13c99dec5b433ba7b49714b8df5852185f2cd5812818f84c2f9b

    • C:\Program Files\ExpandApprove.doc.exe

      Filesize

      255KB

      MD5

      da36689630073139dfee6a127c6b2fca

      SHA1

      06d6ff9bc142d8342fc009c03307a591bca1fd66

      SHA256

      910477d22f21113f0dd1b1a09553ddcebc6ebe0f1b4829bd8c0224a34a313852

      SHA512

      1e340b2bc932c92bcea703eab5f0378199a2c584fbe24196c83c9c1e2f62940d21b64b168219af7633429d5fde2da6e99b1ebbbadba3b3513bc8cc6f495da626

    • C:\Windows\SysWOW64\dbjtzxyrueygvch.exe

      Filesize

      255KB

      MD5

      8ef0ffc22c214037aed5ad4a2ca513a2

      SHA1

      1ed7133a391e9041653587a65208c2a4fd8200ea

      SHA256

      6d6da0c4831f95702587313df2475ada21d96d8561a63c654fdeca9f9eb9bb82

      SHA512

      2eabaf4216717a707f576621513c0057ae380e9a8b4819235f9e5a3896677be2a80bfbfd585a3667f89f29e21e1ebc8a60cbfd5a4c827ad9d45c545f351950cc

    • C:\Windows\SysWOW64\hdcuztvley.exe

      Filesize

      255KB

      MD5

      51a78050da644e8a237e08c7d7e3771d

      SHA1

      de75ae82ca94e83290649fa9f655c76097dedacc

      SHA256

      1f022d1ef22da299a2424328a9e96a24e26d41be4131376445f2d8bc2026ab65

      SHA512

      5c0b44c51ceeec5812df422da5b9319ebdf324b9c99ee2d6980873fa39e285b9f45a22fc0e6b0a4dcd1d7f2da54f0b06f9e1fd009e0c00bf5d03cfd562ac96eb

    • C:\Windows\SysWOW64\hfuczssk.exe

      Filesize

      255KB

      MD5

      8265049fb50f69d10a68d583eabf035b

      SHA1

      d5e29d50284025462a8e5f95d1661863dc56ea29

      SHA256

      7c321b3f3326c1b0cacf64d03fde68046b76ddbffbd87390414250e21dfb22a9

      SHA512

      e438d4580b2e1971be6c3ef2f65af35746d422e740821693370cb8bad8697f505394261c4d015911c8c44b127a2c5d6ce13b5ecfaa0771ff03bbf62e3d09a1bd

    • C:\Windows\SysWOW64\vizpvuemnjffb.exe

      Filesize

      255KB

      MD5

      d99d7c71c1f3fa8c5c48dcf40273ea59

      SHA1

      4563195dac1f389131f20484b781d6ab8a90ec1e

      SHA256

      9d20b531a1dd4aae58048600f7c8f89094901586710ca750aa500f05f05072f0

      SHA512

      0eb8d5d31f6a7991513dc7a94e7e5ea42a1e2d68a2de385c560829c756cc9a6e3bdbf05177d1d6de217fec65266737d904f3a69d5826c57fae36c1374086ff12

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\dbjtzxyrueygvch.exe

      Filesize

      255KB

      MD5

      8ef0ffc22c214037aed5ad4a2ca513a2

      SHA1

      1ed7133a391e9041653587a65208c2a4fd8200ea

      SHA256

      6d6da0c4831f95702587313df2475ada21d96d8561a63c654fdeca9f9eb9bb82

      SHA512

      2eabaf4216717a707f576621513c0057ae380e9a8b4819235f9e5a3896677be2a80bfbfd585a3667f89f29e21e1ebc8a60cbfd5a4c827ad9d45c545f351950cc

    • \Windows\SysWOW64\hdcuztvley.exe

      Filesize

      255KB

      MD5

      51a78050da644e8a237e08c7d7e3771d

      SHA1

      de75ae82ca94e83290649fa9f655c76097dedacc

      SHA256

      1f022d1ef22da299a2424328a9e96a24e26d41be4131376445f2d8bc2026ab65

      SHA512

      5c0b44c51ceeec5812df422da5b9319ebdf324b9c99ee2d6980873fa39e285b9f45a22fc0e6b0a4dcd1d7f2da54f0b06f9e1fd009e0c00bf5d03cfd562ac96eb

    • \Windows\SysWOW64\hfuczssk.exe

      Filesize

      255KB

      MD5

      8265049fb50f69d10a68d583eabf035b

      SHA1

      d5e29d50284025462a8e5f95d1661863dc56ea29

      SHA256

      7c321b3f3326c1b0cacf64d03fde68046b76ddbffbd87390414250e21dfb22a9

      SHA512

      e438d4580b2e1971be6c3ef2f65af35746d422e740821693370cb8bad8697f505394261c4d015911c8c44b127a2c5d6ce13b5ecfaa0771ff03bbf62e3d09a1bd

    • \Windows\SysWOW64\vizpvuemnjffb.exe

      Filesize

      255KB

      MD5

      d99d7c71c1f3fa8c5c48dcf40273ea59

      SHA1

      4563195dac1f389131f20484b781d6ab8a90ec1e

      SHA256

      9d20b531a1dd4aae58048600f7c8f89094901586710ca750aa500f05f05072f0

      SHA512

      0eb8d5d31f6a7991513dc7a94e7e5ea42a1e2d68a2de385c560829c756cc9a6e3bdbf05177d1d6de217fec65266737d904f3a69d5826c57fae36c1374086ff12

    • memory/720-105-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/720-89-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/744-106-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/744-91-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/816-110-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/816-94-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/1060-109-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/1060-93-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/1108-87-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/1108-108-0x0000000003CB0000-0x0000000003D50000-memory.dmp

      Filesize

      640KB

    • memory/1108-104-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/1648-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

      Filesize

      8KB

    • memory/1648-56-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/1648-96-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/1648-57-0x0000000002F10000-0x0000000002FB0000-memory.dmp

      Filesize

      640KB

    • memory/1648-90-0x0000000002F10000-0x0000000002FB0000-memory.dmp

      Filesize

      640KB

    • memory/1648-88-0x0000000002F10000-0x0000000002FB0000-memory.dmp

      Filesize

      640KB

    • memory/1684-99-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1684-103-0x0000000070D5D000-0x0000000070D68000-memory.dmp

      Filesize

      44KB

    • memory/1684-111-0x0000000070D5D000-0x0000000070D68000-memory.dmp

      Filesize

      44KB

    • memory/1684-98-0x000000006FD71000-0x000000006FD73000-memory.dmp

      Filesize

      8KB

    • memory/1684-97-0x00000000722F1000-0x00000000722F4000-memory.dmp

      Filesize

      12KB

    • memory/1712-107-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/1712-92-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/1868-82-0x000007FEFB751000-0x000007FEFB753000-memory.dmp

      Filesize

      8KB

    • memory/1868-117-0x00000000027B0000-0x00000000027C0000-memory.dmp

      Filesize

      64KB