Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

0de805cfde...73.exe

windows7-x64

10

0de805cfde...73.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    14/11/2023, 18:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0de805cfde7a628a940caf8def63836afd6d75860614592f619797ff2265eb73.exe

  • Size

    26.5MB

  • MD5

    970f1757ccc0b60859d23302688359ee

  • SHA1

    bbe7be423ba59b0e9872d4f8556b8a9f89d46204

  • SHA256

    0de805cfde7a628a940caf8def63836afd6d75860614592f619797ff2265eb73

  • SHA512

    ca1e1b4a018c730391b90b7b235932bc87b1aa331c1c8327d1aa510cb0c6eb49e7ed110703ae8b2c41e54c1f066d51fa691aff3e09c5cc7a22c3195bce23ff47

  • SSDEEP

    6144:O3Te8ySm8hQAAIfFrRXuEE+0l97mKwKArOHV3j86JQPDHDdx/Qtqa:B/zkFF+EExZmKbciVTPJQPDHvd

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
    persistence
  • UAC bypass 3 TTPs 12 IoCs
    evasiontrojan
  • Adds policy Run key to start application 2 TTPs 27 IoCs
    persistence
  • Disables RegEdit via registry modification 6 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 39 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\0de805cfde7a628a940caf8def63836afd6d75860614592f619797ff2265eb73.exe
    "C:\Users\Admin\AppData\Local\Temp\0de805cfde7a628a940caf8def63836afd6d75860614592f619797ff2265eb73.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Adds policy Run key to start application
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2096
    • C:\Users\Admin\AppData\Local\Temp\wcjpy.exe
      "C:\Users\Admin\AppData\Local\Temp\wcjpy.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • System policy modification
      PID:2604
    • C:\Users\Admin\AppData\Local\Temp\wcjpy.exe
      "C:\Users\Admin\AppData\Local\Temp\wcjpy.exe" "-"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • System policy modification
      PID:2712

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\gkptazebltyxlmbqcglpwvaxh.uth
    Filesize

    272B

    MD5

    062cbc71698497a1e108bca11e1918e1

    SHA1

    abaf94b62a04fc8b9321498456fb231fdc1dabc1

    SHA256

    fb29bf08229dbb6ca1dae7d3eebd7827840333dd0bdf329bf62a00839f096965

    SHA512

    32c942c3b94397a5e8adfb18c08360386e00e159455ddc3576bb67a71eca25b1afad81d13fa5e53030ff6b96116e93ed245d64589491eae250d78c9bbe2e5d2d

    Download Submit

  • C:\Program Files (x86)\gkptazebltyxlmbqcglpwvaxh.uth
    Filesize

    272B

    MD5

    348cbde50816de6508a78559c9185c75

    SHA1

    15be78ed1ee877aafdc858237232b3827015e735

    SHA256

    c482a3a8f18f1cb392a5ea10ee5c66909447db1eff9be8068565e0689f352567

    SHA512

    25e1c286581007c49062b9aa8e42b80633cb664fcfdf76d08344682f46ba351011fc3d69b449803878c4b8a8cc3e7957dec06790c2a577e775737f1a358d29f9

    Download Submit

  • C:\Program Files (x86)\gkptazebltyxlmbqcglpwvaxh.uth
    Filesize

    272B

    MD5

    4e7bf9bda65a8caada070f1519a4b439

    SHA1

    3be849ecd48bd04aeccfe77af304f32adc176e00

    SHA256

    c872cf46de5553fd4b945f48a6d8a22b0ae865a8545452e8e4ef382229c03cfc

    SHA512

    31bc409c1bf2aa6c62164fbbd06370ef02c4e5482dbaf2ed658c85eb84f74b072e19ee1831898d504083b8023b76a4081ee9f782f518547e4e4be8712b641466

    Download Submit

  • C:\Program Files (x86)\gkptazebltyxlmbqcglpwvaxh.uth
    Filesize

    272B

    MD5

    6b0b7d2a35982080bac47314ff339783

    SHA1

    6f75559eebbf782165cfe918b212a99b50f50a49

    SHA256

    6a70c8b87d86bfea25a92741190ecc3449fddcd70a08aea50b958c7aa2b82b59

    SHA512

    cefa02da3e95ae4d58ce45fe73af4b3605ebe31257331c790b126c4870f0ed5358b6c2ac8119183d1e5616575d0edf24f5a07dfc6ec6432f1d428e5aee961021

    Download Submit

  • C:\Program Files (x86)\gkptazebltyxlmbqcglpwvaxh.uth
    Filesize

    272B

    MD5

    bc5e346e75fe345f4c89ae02164ec3d0

    SHA1

    7af1d21f151549e5312fc9e59b742501123d3cb7

    SHA256

    92cce4c492627858963e608c151c038c5ff9806200aea45e95667b2dcaac8557

    SHA512

    803ca2dc406d46d6a2d0253f05194209e2b03c1ebbf5ecf94c02a937014ddd0fec7bca213ba5c1ce7c08060b906e218f32375456f312c4465d085eec20fb3a25

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wcjpy.exe
    Filesize

    30.5MB

    MD5

    c2d82571a875e1247f1e66540defb130

    SHA1

    f32cfcccf47802c97fd02fd8219e17559faf181e

    SHA256

    7f3f0c229a1f0109e9b510a1cd2471352bcd656968b71014639e1289e7efe90d

    SHA512

    2ccf54003d4739421e3b902e946c44a1c7864e76c06c1692f43d2887a87be42b480527621779dccf4682caef7a2d3427b1419a40f5b92ee5afd2b28ff186a051

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wcjpy.exe
    Filesize

    30.5MB

    MD5

    c2d82571a875e1247f1e66540defb130

    SHA1

    f32cfcccf47802c97fd02fd8219e17559faf181e

    SHA256

    7f3f0c229a1f0109e9b510a1cd2471352bcd656968b71014639e1289e7efe90d

    SHA512

    2ccf54003d4739421e3b902e946c44a1c7864e76c06c1692f43d2887a87be42b480527621779dccf4682caef7a2d3427b1419a40f5b92ee5afd2b28ff186a051

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wcjpy.exe
    Filesize

    30.5MB

    MD5

    c2d82571a875e1247f1e66540defb130

    SHA1

    f32cfcccf47802c97fd02fd8219e17559faf181e

    SHA256

    7f3f0c229a1f0109e9b510a1cd2471352bcd656968b71014639e1289e7efe90d

    SHA512

    2ccf54003d4739421e3b902e946c44a1c7864e76c06c1692f43d2887a87be42b480527621779dccf4682caef7a2d3427b1419a40f5b92ee5afd2b28ff186a051

    Download Submit

  • C:\Users\Admin\AppData\Local\gkptazebltyxlmbqcglpwvaxh.uth
    Filesize

    272B

    MD5

    07469a92eab60d37d457e620c1ba7397

    SHA1

    64832388b6d7efacd409c6e4ca4582dcce96e9ab

    SHA256

    5a9976357a129632efaae3ac3fc8df7377e08331696ad791368db4797c2e68ee

    SHA512

    4bb742351b1dddf068d36c92085c3f928110c60eb9f067bf8a288fc7f5bd95b5cdd9f609a11c4f1fef0722e2cff930d071b160567e5d7d70198bef387cd3c706

    Download Submit

  • C:\Users\Admin\AppData\Local\gkptazebltyxlmbqcglpwvaxh.uth
    Filesize

    272B

    MD5

    c919c1a05af39a7bd1fd6394ef274e0e

    SHA1

    718c009e04eb6eb29465e391639fe040495c7339

    SHA256

    0cda115138d004a6915ef8130d1c9bee42a2a3e7afa5159fcdda45542f1c0b35

    SHA512

    70e7ff94dab316d54d5379ca0d82d4104dc8708deda569cf57ae958f9c7ab62b92ab668f3e4f53d7d03f322b8f4b51afb52e84ccb18d12fc83036db17a1a8aeb

    Download Submit

  • C:\Users\Admin\AppData\Local\laqfxhxfatjtseeebqgvnxnvqjzjiuuurgwl.ndl
    Filesize

    3KB

    MD5

    317d0b83455586dfb9fd4b9763fafcc4

    SHA1

    116063a681cdee520b44c6d87b7169626e8127cc

    SHA256

    fbb7a1282fbefaa52d5ded5d6138dbb626403a576fcca8c3c0d89d58f0ab1ba5

    SHA512

    a0819791a2bd3ee3175951fd55586e6591666d653ea0bfa153332d1d542e51d019c8dea6ab5de5baa270ae120854126f3fac1076152479cab44f39c744494191

    Download Submit

  • \Users\Admin\AppData\Local\Temp\wcjpy.exe
    Filesize

    30.5MB

    MD5

    c2d82571a875e1247f1e66540defb130

    SHA1

    f32cfcccf47802c97fd02fd8219e17559faf181e

    SHA256

    7f3f0c229a1f0109e9b510a1cd2471352bcd656968b71014639e1289e7efe90d

    SHA512

    2ccf54003d4739421e3b902e946c44a1c7864e76c06c1692f43d2887a87be42b480527621779dccf4682caef7a2d3427b1419a40f5b92ee5afd2b28ff186a051

    Download Submit

  • \Users\Admin\AppData\Local\Temp\wcjpy.exe
    Filesize

    30.5MB

    MD5

    c2d82571a875e1247f1e66540defb130

    SHA1

    f32cfcccf47802c97fd02fd8219e17559faf181e

    SHA256

    7f3f0c229a1f0109e9b510a1cd2471352bcd656968b71014639e1289e7efe90d

    SHA512

    2ccf54003d4739421e3b902e946c44a1c7864e76c06c1692f43d2887a87be42b480527621779dccf4682caef7a2d3427b1419a40f5b92ee5afd2b28ff186a051

    Download Submit

  • \Users\Admin\AppData\Local\Temp\wcjpy.exe
    Filesize

    30.5MB

    MD5

    c2d82571a875e1247f1e66540defb130

    SHA1

    f32cfcccf47802c97fd02fd8219e17559faf181e

    SHA256

    7f3f0c229a1f0109e9b510a1cd2471352bcd656968b71014639e1289e7efe90d

    SHA512

    2ccf54003d4739421e3b902e946c44a1c7864e76c06c1692f43d2887a87be42b480527621779dccf4682caef7a2d3427b1419a40f5b92ee5afd2b28ff186a051

    Download Submit

  • \Users\Admin\AppData\Local\Temp\wcjpy.exe
    Filesize

    30.5MB

    MD5

    c2d82571a875e1247f1e66540defb130

    SHA1

    f32cfcccf47802c97fd02fd8219e17559faf181e

    SHA256

    7f3f0c229a1f0109e9b510a1cd2471352bcd656968b71014639e1289e7efe90d

    SHA512

    2ccf54003d4739421e3b902e946c44a1c7864e76c06c1692f43d2887a87be42b480527621779dccf4682caef7a2d3427b1419a40f5b92ee5afd2b28ff186a051

    Download Submit