Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

05a7a349e3...97.exe

windows7-x64

10

05a7a349e3...97.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    45s
  • max time network
    53s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/11/2023, 18:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe

  • Size

    5.9MB

  • MD5

    64e7cd89bb30e3e4ff61954b1eaaa75c

  • SHA1

    f8d19c2493acf007b4dcb045501ef650d4d4a6c4

  • SHA256

    05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97

  • SHA512

    65fa366f0d34624f12feb02e2d0b9842488db8c4b7e85207b7f1c9f213f8c22301dbfdf2e5ea63d5bdee3deeec64d979b2c732c2a13c39cb2c8aeab6e24d2b34

  • SSDEEP

    12288:0XgvmzFHi0mo5aH0qMzd58lv7FVPJQPDHvd:0XgvOHi0mGaH0qSdaFn4V

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
    persistence
  • UAC bypass 3 TTPs 12 IoCs
    evasiontrojan
  • Adds policy Run key to start application 2 TTPs 19 IoCs
    persistence
  • Disables RegEdit via registry modification 6 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Looks up external IP address via web service 6 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 39 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe
    "C:\Users\Admin\AppData\Local\Temp\05a7a349e3cf602aa1b8f5162b5d82ecb2be9cab68186c1abf53bb38c132dd97.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1952
    • C:\Users\Admin\AppData\Local\Temp\pmwdfn.exe
      "C:\Users\Admin\AppData\Local\Temp\pmwdfn.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:4924
    • C:\Users\Admin\AppData\Local\Temp\pmwdfn.exe
      "C:\Users\Admin\AppData\Local\Temp\pmwdfn.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Modifies registry class
      • System policy modification
      PID:3880
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2820

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\fwabxzeczzsqpfbsaufwab.zec
      Filesize

      280B

      MD5

      66e03b7eb8270b4a886d8e7670987190

      SHA1

      170bf0876c15cfe6a12ea248434fe808ff6c47d3

      SHA256

      000dd99c29926cb491a5f7367807a36334765db860c0f50aa03812c5f27356ad

      SHA512

      16b45b35a3a555a57bd292edae6375bf6a6d23b4ed9d06ccb4000da522ab48a17fe87fd432c72a601b29788193d5e15e1ecedf541f986313bb53269b18b0ba86

      Download Submit

    • C:\Program Files (x86)\fwabxzeczzsqpfbsaufwab.zec
      Filesize

      280B

      MD5

      8dbd54c120ea886e81ba762ac42cbb99

      SHA1

      131013053099e5140fa1490542f4867c9ab4fadf

      SHA256

      901b55f477d6d6cc30f7bf5179487060fdec692eb94ec86faca8671be74c4130

      SHA512

      8fc22ca318554167982a9f77ab5cda13f4d03420d8cef5cdcf047dcfd1c2dd0f70c4fd1981e1b41f92c2f11f32c3e9df2ff2b9b70ca0ccdb885e2e34ef5da00d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\pmwdfn.exe
      Filesize

      7.7MB

      MD5

      e8eafc24260030cf89f7c351264cddff

      SHA1

      9aebb85d73b1684946bf0de78eed67834ff83200

      SHA256

      66126b6c5b39c6e82329781dafc36f7785fd61213f406aca9692b5bb5ac33e98

      SHA512

      317c2b85ea14bfb03845f0c7e65b8e10301f1d5e82610fec8e0f2f6120e1786ad9727a1702ffc6c5c1d1f95c808963cd6d3b355fae1382dc9865f61438ffab4b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\pmwdfn.exe
      Filesize

      7.7MB

      MD5

      e8eafc24260030cf89f7c351264cddff

      SHA1

      9aebb85d73b1684946bf0de78eed67834ff83200

      SHA256

      66126b6c5b39c6e82329781dafc36f7785fd61213f406aca9692b5bb5ac33e98

      SHA512

      317c2b85ea14bfb03845f0c7e65b8e10301f1d5e82610fec8e0f2f6120e1786ad9727a1702ffc6c5c1d1f95c808963cd6d3b355fae1382dc9865f61438ffab4b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\pmwdfn.exe
      Filesize

      7.7MB

      MD5

      e8eafc24260030cf89f7c351264cddff

      SHA1

      9aebb85d73b1684946bf0de78eed67834ff83200

      SHA256

      66126b6c5b39c6e82329781dafc36f7785fd61213f406aca9692b5bb5ac33e98

      SHA512

      317c2b85ea14bfb03845f0c7e65b8e10301f1d5e82610fec8e0f2f6120e1786ad9727a1702ffc6c5c1d1f95c808963cd6d3b355fae1382dc9865f61438ffab4b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\pmwdfn.exe
      Filesize

      7.7MB

      MD5

      e8eafc24260030cf89f7c351264cddff

      SHA1

      9aebb85d73b1684946bf0de78eed67834ff83200

      SHA256

      66126b6c5b39c6e82329781dafc36f7785fd61213f406aca9692b5bb5ac33e98

      SHA512

      317c2b85ea14bfb03845f0c7e65b8e10301f1d5e82610fec8e0f2f6120e1786ad9727a1702ffc6c5c1d1f95c808963cd6d3b355fae1382dc9865f61438ffab4b

      Download Submit

    • C:\Users\Admin\AppData\Local\fwabxzeczzsqpfbsaufwab.zec
      Filesize

      280B

      MD5

      8338ba07bd42fae194f2b41270bcdabf

      SHA1

      343e40eb383a25953096318018356893158c529d

      SHA256

      cce8c5dd154abef81552f9de25ddc3fd2f126af109d815dd30827e3d2ff270e9

      SHA512

      360bc4ba5f1cd72f0ed63dc3d7297d5dfa7a1637f204b2c1924119e79606a01fd72c0328b9a4e0aa31cc5552354ff84bbe2272e5fa8d52d44e3a95e3eda949a9

      Download Submit

    • C:\Users\Admin\AppData\Local\wynzgtjsalpyijqslqmodpwjziqbfoyzg.bgc
      Filesize

      4KB

      MD5

      1cd78487476c771b7e9008ed124b56a2

      SHA1

      d41b09d438496bc8bc38b5e6b90af38184c616a2

      SHA256

      e4d0b4cf96f37569166cab6ce12e52bca71e15ed9d28e8195e654fddb569ddb1

      SHA512

      07698dbc9694e138c388362e066172a96b3dee4c11fa963f0dac048df7da6f786d4c6e2a0e594a3dec0d8f2a701c4bdf752b0a1d90a3a444eee77b1f02c41763

      Download Submit