Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8

36a425dc83...bc.exe

windows7-x64

10

36a425dc83...bc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/11/2022, 06:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    36a425dc83d6c26a23b9e5d95351588317fcd2563914d73ca6c4b3664cf341bc.exe

  • Size

    255KB

  • MD5

    1e2f424781f6afd497d001af661967ac

  • SHA1

    4e8c7765733528536460909fe30297b25fb30843

  • SHA256

    36a425dc83d6c26a23b9e5d95351588317fcd2563914d73ca6c4b3664cf341bc

  • SHA512

    76b72bd84def252534143664a088695fccf1e8b4e18ba1de36a6ea76fe34316a7df37ce597766a34b08247f937fb3758312a81c63739b9bc6f6c0142434c744d

  • SSDEEP

    6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI62:Plf5j6zCNa0xeE3mD

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 27 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 12 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\36a425dc83d6c26a23b9e5d95351588317fcd2563914d73ca6c4b3664cf341bc.exe
    "C:\Users\Admin\AppData\Local\Temp\36a425dc83d6c26a23b9e5d95351588317fcd2563914d73ca6c4b3664cf341bc.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4616
    • C:\Windows\SysWOW64\hnmmzloazh.exe
      hnmmzloazh.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:900
      • C:\Windows\SysWOW64\blmvzsjy.exe
        C:\Windows\system32\blmvzsjy.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:5032
    • C:\Windows\SysWOW64\wylfxkymiawdvdp.exe
      wylfxkymiawdvdp.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3096
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c twrxwtawhrvrb.exe
        3⤵
          PID:4272
      • C:\Windows\SysWOW64\blmvzsjy.exe
        blmvzsjy.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4348
      • C:\Windows\SysWOW64\twrxwtawhrvrb.exe
        twrxwtawhrvrb.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4936
      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        2⤵
        • Drops file in Windows directory
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:3408

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
      Filesize

      255KB

      MD5

      8020a14d7dfddb318aeb7851465df85d

      SHA1

      1976017e82769e98d2b705d172d9c412b3db2a73

      SHA256

      c093ac18bc48acb8db94b5642d77de587e0c51c374319d081dedd2be3a05ae84

      SHA512

      22c19f9f6b39fe8c8ad0f71eb428189a44d6f822b3bcea1ea8e0c2b3d4abe5b916b41a4c4930be009fe432505ea349869af09f540b263beac9a745978b05ad26

      Download Submit

    • C:\Users\Admin\Documents\OptimizeRepair.doc.exe
      Filesize

      255KB

      MD5

      35cc59518eb16d9ff85e86fa7f55565c

      SHA1

      ed2cff726d4519ee08c1e7eb9f114918fec59db6

      SHA256

      21c38daf9183b479b29a91ecbc10b1827e9d38e4891b2f4e0b540bf46d25dfd4

      SHA512

      e933940c70b67bcf82eba8da34cd36e30245175ee9e66066d60b30d8a48e160eea9fb9eb00816c2f03344a3ccc57e5843664a01c8a363e5fce6534567169f35b

      Download Submit

    • C:\Windows\SysWOW64\blmvzsjy.exe
      Filesize

      255KB

      MD5

      73380f5600dd9371fbc6f18ee7f572a6

      SHA1

      43252212b1e9ec459d0ec064387383d3feb778cb

      SHA256

      19c4971fed5c6e29f8b5c84fde061246aadb1b553e3860dc51679df5cc17c3d3

      SHA512

      5d7871f8b4ec634a9bf83efbbdde3d7e7dbb7ab0c5486ffe4b6a285dbd6b9c794050aeb6e0e4ed1f297b0ccb0ab6d55a3e42392a540ff87e3ba5c6dde1dd3323

      Download Submit

    • C:\Windows\SysWOW64\blmvzsjy.exe
      Filesize

      255KB

      MD5

      73380f5600dd9371fbc6f18ee7f572a6

      SHA1

      43252212b1e9ec459d0ec064387383d3feb778cb

      SHA256

      19c4971fed5c6e29f8b5c84fde061246aadb1b553e3860dc51679df5cc17c3d3

      SHA512

      5d7871f8b4ec634a9bf83efbbdde3d7e7dbb7ab0c5486ffe4b6a285dbd6b9c794050aeb6e0e4ed1f297b0ccb0ab6d55a3e42392a540ff87e3ba5c6dde1dd3323

      Download Submit

    • C:\Windows\SysWOW64\blmvzsjy.exe
      Filesize

      255KB

      MD5

      73380f5600dd9371fbc6f18ee7f572a6

      SHA1

      43252212b1e9ec459d0ec064387383d3feb778cb

      SHA256

      19c4971fed5c6e29f8b5c84fde061246aadb1b553e3860dc51679df5cc17c3d3

      SHA512

      5d7871f8b4ec634a9bf83efbbdde3d7e7dbb7ab0c5486ffe4b6a285dbd6b9c794050aeb6e0e4ed1f297b0ccb0ab6d55a3e42392a540ff87e3ba5c6dde1dd3323

      Download Submit

    • C:\Windows\SysWOW64\hnmmzloazh.exe
      Filesize

      255KB

      MD5

      928d0663beb43cfc708f927d0d5aca17

      SHA1

      4904d4c4d22f24aca023308616583194e100dc49

      SHA256

      3b360ac9fd0a28ad6f5e960fc2a47bae19a17a8c774e43b2db51d729f4d567a2

      SHA512

      fa5918afe036c14f11c2b8cab2456cfffd399437db283f112c3cc469368408d21f810bd7835f3128d0c31fd4d722061251099088319e6829d51dd7e8a22a2c03

      Download Submit

    • C:\Windows\SysWOW64\hnmmzloazh.exe
      Filesize

      255KB

      MD5

      928d0663beb43cfc708f927d0d5aca17

      SHA1

      4904d4c4d22f24aca023308616583194e100dc49

      SHA256

      3b360ac9fd0a28ad6f5e960fc2a47bae19a17a8c774e43b2db51d729f4d567a2

      SHA512

      fa5918afe036c14f11c2b8cab2456cfffd399437db283f112c3cc469368408d21f810bd7835f3128d0c31fd4d722061251099088319e6829d51dd7e8a22a2c03

      Download Submit

    • C:\Windows\SysWOW64\twrxwtawhrvrb.exe
      Filesize

      255KB

      MD5

      4fa8c704b3f0e75bfbfcaa0ab88271b5

      SHA1

      9a94832df70797ca52168c543d8974e5c6d52cdc

      SHA256

      40850019566799c865e5627f2f7ed4c15020f6f05236d0ad4191cb7e42cd4a2f

      SHA512

      c3ba9de62b332980410420b2a027f6d7b6a61342b9770bb6c3724633f37a37256e22378bd24b115efc74052b64168c19582d15899caabb3d5c69222edc8016d5

      Download Submit

    • C:\Windows\SysWOW64\twrxwtawhrvrb.exe
      Filesize

      255KB

      MD5

      4fa8c704b3f0e75bfbfcaa0ab88271b5

      SHA1

      9a94832df70797ca52168c543d8974e5c6d52cdc

      SHA256

      40850019566799c865e5627f2f7ed4c15020f6f05236d0ad4191cb7e42cd4a2f

      SHA512

      c3ba9de62b332980410420b2a027f6d7b6a61342b9770bb6c3724633f37a37256e22378bd24b115efc74052b64168c19582d15899caabb3d5c69222edc8016d5

      Download Submit

    • C:\Windows\SysWOW64\wylfxkymiawdvdp.exe
      Filesize

      255KB

      MD5

      6d0d1305741978cb42c4ec64961ddc62

      SHA1

      7127a443a78154fc4dc4f79f07ffee456984548e

      SHA256

      e2e238d7b354875141efe28008f109c6695bc7393e5299c805478a631cef60a9

      SHA512

      fa37ea624694f690710c15f5698536796a00e1db4a773144fbd4c8921ccf21fe9d34720186897886d8b2a5403094d396b790bf0134b83573645b6d8f45ce1f4d

      Download Submit

    • C:\Windows\SysWOW64\wylfxkymiawdvdp.exe
      Filesize

      255KB

      MD5

      6d0d1305741978cb42c4ec64961ddc62

      SHA1

      7127a443a78154fc4dc4f79f07ffee456984548e

      SHA256

      e2e238d7b354875141efe28008f109c6695bc7393e5299c805478a631cef60a9

      SHA512

      fa37ea624694f690710c15f5698536796a00e1db4a773144fbd4c8921ccf21fe9d34720186897886d8b2a5403094d396b790bf0134b83573645b6d8f45ce1f4d

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
      Filesize

      255KB

      MD5

      0133cc157b8dc6fdec8f0bf3021e64a0

      SHA1

      601a95b45919bc9e8aced0b7f34a263a4b5f3f1f

      SHA256

      f3f0f6f28e2b948b4799252de08cc7a223dc066b701821b20e1287333f48ab5b

      SHA512

      846cca368da9d49dbdf5df3f7b121e12e2dd1eb4346f074570e975baf2f38bd0bab1fa40b39bbe36be3b5bc854f00a15b12423e3cc873ff395da67bc4f0ddc75

      Download Submit

    • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
      Filesize

      255KB

      MD5

      0133cc157b8dc6fdec8f0bf3021e64a0

      SHA1

      601a95b45919bc9e8aced0b7f34a263a4b5f3f1f

      SHA256

      f3f0f6f28e2b948b4799252de08cc7a223dc066b701821b20e1287333f48ab5b

      SHA512

      846cca368da9d49dbdf5df3f7b121e12e2dd1eb4346f074570e975baf2f38bd0bab1fa40b39bbe36be3b5bc854f00a15b12423e3cc873ff395da67bc4f0ddc75

      Download Submit

    • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
      Filesize

      255KB

      MD5

      ab7738e1ef9c435678f2e1a1c8a59a17

      SHA1

      8692217d59b0d3a4afc26c56f1a6a9bcf58944a0

      SHA256

      e126b27c732b4d247f898d475e1aa49eb18af191c8f8887b9518d7156c6a6a0d

      SHA512

      bb7b68c94db0fdaaf367edac1e268a611e8538b1cdccce7815583f296a6624e7bd7957dbf14866996d953fca8ea25867730fc06d3cb40a05bd7a3375cdfa8b41

      Download Submit

    • memory/900-138-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/900-156-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3096-141-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3096-165-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3408-164-0x00007FFB30520000-0x00007FFB30530000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3408-162-0x00007FFB30520000-0x00007FFB30530000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3408-161-0x00007FFB32DD0000-0x00007FFB32DE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3408-157-0x00007FFB32DD0000-0x00007FFB32DE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3408-158-0x00007FFB32DD0000-0x00007FFB32DE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3408-159-0x00007FFB32DD0000-0x00007FFB32DE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3408-160-0x00007FFB32DD0000-0x00007FFB32DE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4348-167-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/4348-145-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/4616-155-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/4616-132-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/4616-133-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/4936-153-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/4936-169-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/5032-152-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/5032-168-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download