Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8

cfa345dfb8...25.exe

windows7-x64

10

cfa345dfb8...25.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    28/11/2022, 02:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cfa345dfb8af076d5024e725d895d461d9acc5281b72c3bd094ffa4019f9f325.exe

  • Size

    255KB

  • MD5

    892a5e874e6b085f16d8c23c21cae8ed

  • SHA1

    3dcbf56bc299178ba161f9566342fe13c7c3afea

  • SHA256

    cfa345dfb8af076d5024e725d895d461d9acc5281b72c3bd094ffa4019f9f325

  • SHA512

    23f9ee384855b41bd79ad84d1cc9b3b7d1a7197faa92b0fa47aed6fa39711c017dc00e370838b681383b0e7fdbbcf44c2d8a03a57d24889b8f1697bbbe50cce1

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJg:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIT

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 28 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 12 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cfa345dfb8af076d5024e725d895d461d9acc5281b72c3bd094ffa4019f9f325.exe
    "C:\Users\Admin\AppData\Local\Temp\cfa345dfb8af076d5024e725d895d461d9acc5281b72c3bd094ffa4019f9f325.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\SysWOW64\imrorbexyn.exe
      imrorbexyn.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Windows\SysWOW64\fvlvxwxp.exe
        C:\Windows\system32\fvlvxwxp.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1664
    • C:\Windows\SysWOW64\xmmhqncasnoqpat.exe
      xmmhqncasnoqpat.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1616
    • C:\Windows\SysWOW64\fvlvxwxp.exe
      fvlvxwxp.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:516
    • C:\Windows\SysWOW64\xnopfqjwsdfkt.exe
      xnopfqjwsdfkt.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:752
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1844
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1292

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
      Filesize

      255KB

      MD5

      c9be4db10a31115305bc96e7d54351c5

      SHA1

      a2eea41fed564fb8ba91cdd726f536ea713d13b0

      SHA256

      0fd0c0ad8d113da883081a6345dce8773699eaf441eb422472fa356668aeb45c

      SHA512

      2a6150ab431de8ade2e4d961f312972b55ae4fb9ad50a516c5ee62e27677a00d4ab45db59cc7612fd3f1efd9437b2b7f6dbd734c4b0e6c48e33759e1de988622

      Download Submit

    • C:\Users\Admin\Desktop\UpdateComplete.doc.exe
      Filesize

      255KB

      MD5

      6bf8d3ebcacce9c949de27fd182ae2a6

      SHA1

      115de2939a1eaf312854bbc3955a72915625beca

      SHA256

      4e5e6439be67ce37c86f1321c8ed1c035cc9f8156c77f963ee5b67b6e06a67b6

      SHA512

      1ba1260cae3b1cc276110373311c81c6370028355badaac4d3b1a655f7641a254ca088f18488907cde0395b1abf676999b8e6df4a822ae83e1a62dfac91b880a

      Download Submit

    • C:\Windows\SysWOW64\fvlvxwxp.exe
      Filesize

      255KB

      MD5

      3cf57a8e7e51407d32d72a94a0dbb8bf

      SHA1

      856965d772e354d9401327f1329dd8ddb5403747

      SHA256

      5cbff14089bbe065cc70b8dd664e4e06d7b484afe4d08d533614a6d47b74b317

      SHA512

      d1aa20f6445c31520fc0c156bac801659150bb3bd6eb89b42022c2db20d0bcd7475bae58d1ef76d0a369da35168e2daf48073200d2f0d4539b1a99abfe5dd37f

      Download Submit

    • C:\Windows\SysWOW64\fvlvxwxp.exe
      Filesize

      255KB

      MD5

      3cf57a8e7e51407d32d72a94a0dbb8bf

      SHA1

      856965d772e354d9401327f1329dd8ddb5403747

      SHA256

      5cbff14089bbe065cc70b8dd664e4e06d7b484afe4d08d533614a6d47b74b317

      SHA512

      d1aa20f6445c31520fc0c156bac801659150bb3bd6eb89b42022c2db20d0bcd7475bae58d1ef76d0a369da35168e2daf48073200d2f0d4539b1a99abfe5dd37f

      Download Submit

    • C:\Windows\SysWOW64\fvlvxwxp.exe
      Filesize

      255KB

      MD5

      3cf57a8e7e51407d32d72a94a0dbb8bf

      SHA1

      856965d772e354d9401327f1329dd8ddb5403747

      SHA256

      5cbff14089bbe065cc70b8dd664e4e06d7b484afe4d08d533614a6d47b74b317

      SHA512

      d1aa20f6445c31520fc0c156bac801659150bb3bd6eb89b42022c2db20d0bcd7475bae58d1ef76d0a369da35168e2daf48073200d2f0d4539b1a99abfe5dd37f

      Download Submit

    • C:\Windows\SysWOW64\imrorbexyn.exe
      Filesize

      255KB

      MD5

      f977e26ff54ed0c23674b39c9b1f569b

      SHA1

      f18e45b8f69676a575708374a4c0403f94791f71

      SHA256

      ca684a46dd081d87bdafdc3e88e0bdc840926339375d568ac41de1b81cc8279f

      SHA512

      e1a07df7cf347360c19bb22f2a9efc9df9e935022c892b909d5a6d95c96122d6fba50b3fe3989d5b4246238f85b61c553d04ec461479801e78c77882b775a913

      Download Submit

    • C:\Windows\SysWOW64\imrorbexyn.exe
      Filesize

      255KB

      MD5

      f977e26ff54ed0c23674b39c9b1f569b

      SHA1

      f18e45b8f69676a575708374a4c0403f94791f71

      SHA256

      ca684a46dd081d87bdafdc3e88e0bdc840926339375d568ac41de1b81cc8279f

      SHA512

      e1a07df7cf347360c19bb22f2a9efc9df9e935022c892b909d5a6d95c96122d6fba50b3fe3989d5b4246238f85b61c553d04ec461479801e78c77882b775a913

      Download Submit

    • C:\Windows\SysWOW64\xmmhqncasnoqpat.exe
      Filesize

      255KB

      MD5

      dd4246225b167349601da4b9e27c276b

      SHA1

      41ee97b6e57afa6dc87006dc067aae0a59095627

      SHA256

      a79a20029ceb5d26672c2916705d3c7156637d0ac30bb0c78de6d90237239237

      SHA512

      6c934834a8e3958a06a8e305dd9af05e2143d2819a8c56e798ce5dfeb22e2fb743c4e5c4936ae79e1840a6a14f1b4f88990c8108d09baa41b278fc57cdfcd883

      Download Submit

    • C:\Windows\SysWOW64\xmmhqncasnoqpat.exe
      Filesize

      255KB

      MD5

      dd4246225b167349601da4b9e27c276b

      SHA1

      41ee97b6e57afa6dc87006dc067aae0a59095627

      SHA256

      a79a20029ceb5d26672c2916705d3c7156637d0ac30bb0c78de6d90237239237

      SHA512

      6c934834a8e3958a06a8e305dd9af05e2143d2819a8c56e798ce5dfeb22e2fb743c4e5c4936ae79e1840a6a14f1b4f88990c8108d09baa41b278fc57cdfcd883

      Download Submit

    • C:\Windows\SysWOW64\xnopfqjwsdfkt.exe
      Filesize

      255KB

      MD5

      44ee47c8842ba78ef5bc5ea6baab976d

      SHA1

      50d0c1617856acbb0885df82224dddcb8fa9515c

      SHA256

      2eb5e12b2119c7f74f17c9f2b39fc981fdf5aa0623c7bbcab528b81aa1dc462c

      SHA512

      e855b370037984bf8c32a850b9fc2908ab6564cf84106c578eac2329df6b685053a6e20324108a1639bdec6f63c8049692a33782b6c20dc3ae674f13aab2e03f

      Download Submit

    • C:\Windows\SysWOW64\xnopfqjwsdfkt.exe
      Filesize

      255KB

      MD5

      44ee47c8842ba78ef5bc5ea6baab976d

      SHA1

      50d0c1617856acbb0885df82224dddcb8fa9515c

      SHA256

      2eb5e12b2119c7f74f17c9f2b39fc981fdf5aa0623c7bbcab528b81aa1dc462c

      SHA512

      e855b370037984bf8c32a850b9fc2908ab6564cf84106c578eac2329df6b685053a6e20324108a1639bdec6f63c8049692a33782b6c20dc3ae674f13aab2e03f

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • \Windows\SysWOW64\fvlvxwxp.exe
      Filesize

      255KB

      MD5

      3cf57a8e7e51407d32d72a94a0dbb8bf

      SHA1

      856965d772e354d9401327f1329dd8ddb5403747

      SHA256

      5cbff14089bbe065cc70b8dd664e4e06d7b484afe4d08d533614a6d47b74b317

      SHA512

      d1aa20f6445c31520fc0c156bac801659150bb3bd6eb89b42022c2db20d0bcd7475bae58d1ef76d0a369da35168e2daf48073200d2f0d4539b1a99abfe5dd37f

      Download Submit

    • \Windows\SysWOW64\fvlvxwxp.exe
      Filesize

      255KB

      MD5

      3cf57a8e7e51407d32d72a94a0dbb8bf

      SHA1

      856965d772e354d9401327f1329dd8ddb5403747

      SHA256

      5cbff14089bbe065cc70b8dd664e4e06d7b484afe4d08d533614a6d47b74b317

      SHA512

      d1aa20f6445c31520fc0c156bac801659150bb3bd6eb89b42022c2db20d0bcd7475bae58d1ef76d0a369da35168e2daf48073200d2f0d4539b1a99abfe5dd37f

      Download Submit

    • \Windows\SysWOW64\imrorbexyn.exe
      Filesize

      255KB

      MD5

      f977e26ff54ed0c23674b39c9b1f569b

      SHA1

      f18e45b8f69676a575708374a4c0403f94791f71

      SHA256

      ca684a46dd081d87bdafdc3e88e0bdc840926339375d568ac41de1b81cc8279f

      SHA512

      e1a07df7cf347360c19bb22f2a9efc9df9e935022c892b909d5a6d95c96122d6fba50b3fe3989d5b4246238f85b61c553d04ec461479801e78c77882b775a913

      Download Submit

    • \Windows\SysWOW64\xmmhqncasnoqpat.exe
      Filesize

      255KB

      MD5

      dd4246225b167349601da4b9e27c276b

      SHA1

      41ee97b6e57afa6dc87006dc067aae0a59095627

      SHA256

      a79a20029ceb5d26672c2916705d3c7156637d0ac30bb0c78de6d90237239237

      SHA512

      6c934834a8e3958a06a8e305dd9af05e2143d2819a8c56e798ce5dfeb22e2fb743c4e5c4936ae79e1840a6a14f1b4f88990c8108d09baa41b278fc57cdfcd883

      Download Submit

    • \Windows\SysWOW64\xnopfqjwsdfkt.exe
      Filesize

      255KB

      MD5

      44ee47c8842ba78ef5bc5ea6baab976d

      SHA1

      50d0c1617856acbb0885df82224dddcb8fa9515c

      SHA256

      2eb5e12b2119c7f74f17c9f2b39fc981fdf5aa0623c7bbcab528b81aa1dc462c

      SHA512

      e855b370037984bf8c32a850b9fc2908ab6564cf84106c578eac2329df6b685053a6e20324108a1639bdec6f63c8049692a33782b6c20dc3ae674f13aab2e03f

      Download Submit

    • memory/516-96-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/516-85-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/752-97-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/752-87-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1292-101-0x000007FEFC2D1000-0x000007FEFC2D3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1616-84-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1616-95-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1628-83-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1628-88-0x0000000003CF0000-0x0000000003D90000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1628-94-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1664-98-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1664-89-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1724-81-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1724-54-0x00000000760D1000-0x00000000760D3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1724-55-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1844-93-0x000000007182D000-0x0000000071838000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1844-90-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1844-86-0x0000000070841000-0x0000000070843000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1844-99-0x000000007182D000-0x0000000071838000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1844-82-0x0000000072DC1000-0x0000000072DC4000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1844-104-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1844-105-0x000000007182D000-0x0000000071838000-memory.dmp

      Filesize

      44KB

      Download