Analysis

  • max time kernel
    106s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/09/2023, 12:04

General

  • Target

    8d3f622b8952892016c0b582c33687d8_JC.exe

  • Size

    704KB

  • MD5

    8d3f622b8952892016c0b582c33687d8

  • SHA1

    9d1e76efcb39695a5ee663e69e567848a719176d

  • SHA256

    bc704212e1f9c40781d39d0a9e2ebc5a261ae228d3b3d8705e170d65b69daba2

  • SHA512

    53c7c8b96a3756f0c94558cbf6dc0cf80438f20275a31db349a2bddab660f453c80b767f8d24ef2128bfedc68401c2963dbbade6c45c5bf945bdfa92647d0873

  • SSDEEP

    12288:VXgvmzFHi0mo5aH0qMzd5807FyPJQPDHvd:VXgvOHi0mGaH0qSdPFM4V

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
  • UAC bypass (3 TTPs, 12 IoCs)
  • Adds policy Run key to start application (2 TTPs, 24 IoCs)
  • Disables RegEdit via registry modification (6 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (2 IoCs)
  • Adds Run key to start application (2 TTPs, 64 IoCs)
  • Checks whether UAC is enabled (1 TTP, 6 IoCs)
  • Looks up external IP address via web service (5 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory (4 IoCs)
  • Drops file in Program Files directory (4 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (14 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (6 IoCs)
  • System policy modification (1 TTP, 39 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d3f622b8952892016c0b582c33687d8_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\8d3f622b8952892016c0b582c33687d8_JC.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2236
    • C:\Users\Admin\AppData\Local\Temp\pnzdjq.exe
      "C:\Users\Admin\AppData\Local\Temp\pnzdjq.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Modifies registry class
      • System policy modification
      PID:4628
    • C:\Users\Admin\AppData\Local\Temp\pnzdjq.exe
      "C:\Users\Admin\AppData\Local\Temp\pnzdjq.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:3424
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3960

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\vrbdhmmvtijfctdidlhrtxcclj.zvs

      Filesize

      280B

      MD5

      5cd55e3bbbcaaf1f7321904348b19d9d

      SHA1

      c02679dcb48cde86ed3b6e5d183371f845e690bf

      SHA256

      7e10b17b9cb59cb581bce264b9f97d9cb3ed61d46b05298bf2a3605ab82e91cb

      SHA512

      97fa13c2f6325836f88ffdc648e9ca07317e29e104ebf0b0a3158ddd385a4287166196dc41610fa60c8ef65b31466f2fa7449108bd0c4c80e86dcf5965251d70

    • C:\Program Files (x86)\vrbdhmmvtijfctdidlhrtxcclj.zvs

      Filesize

      280B

      MD5

      2da65535afc1db291cc12a27484f1f45

      SHA1

      611a9c6a32f2ebf1a923b6e6ce1aac0df70d4c48

      SHA256

      371ac592f2ccb5d3ec6972ad5c660ef8d21ec06f3bfb787532c25a48fbc744ca

      SHA512

      b1e80ff96d1f306ca8065cd1e42aeea4952b2e90f707a1dfa265eb6f09b088575fe91d52f7be111cd8a1f189d3dc1ac057e17c3685e43d235c5efa1998cbc6c7

    • C:\Users\Admin\AppData\Local\Temp\pnzdjq.exe

      Filesize

      1.3MB

      MD5

      bbcf4f0c4be88fdcb469ee572015dc3e

      SHA1

      f79c15e62030eee614e13c1a4d37739d0bc5d9df

      SHA256

      bc5f64dbbce975204642c5c0ac860b6212686867f0e081ba3f3b48cfb5475597

      SHA512

      b9a601a55f85f15f863eafe409d05c9aad68c280dac98e5bddfbef8e1e1b02255a2ff591ba0d7386d00b3b87001c6ee0de6dae57232818162f723889fbdd6bce

    • C:\Users\Admin\AppData\Local\vrbdhmmvtijfctdidlhrtxcclj.zvs

      Filesize

      280B

      MD5

      81e128e19c3afc26bc43baf9e5b89e7b

      SHA1

      d9ab0c53d8f93ac595937d5e8e6f8c23c7c0ead3

      SHA256

      0ef7e74323074a51510278b24c78e4b2c3175591e0ba7b0266f59cbe31fee57d

      SHA512

      04c2f8c83ff240afb858974143a2a14df03f5508625035f75363bcebf48734fc6791aba5956dc63409fef81247f9dd3a136fbada4009218f799651b8bfd03461

    • C:\Users\Admin\AppData\Local\wdylaqbveeqxfhcsyrytgvlwqzzlsacxntmto.qgr

      Filesize

      4KB

      MD5

      7437112f20b3a25322ee0b5ded8cb853

      SHA1

      06396afb82df8319f2c6fcebfedbec476a3cde00

      SHA256

      8fa70e4bf4d4be3c031073790a9f39e93503faa178893e11176a1d3952f805a3

      SHA512

      8e57466809b34abf5d5355480302705e6eb27db82e7af6dc39d24e5af49c098c8c4604dba26cc3fa441a53e35144f8444ecb29d31f1fe7af8e83d35aec0725c8