Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/12/2023, 22:59

General

  • Target

    17a074f5e5b2f7984bf1a2bf5dc7d703.exe

  • Size

    652KB

  • MD5

    17a074f5e5b2f7984bf1a2bf5dc7d703

  • SHA1

    3bd75ae7711be9b54e98f9f233880b2b6ec290db

  • SHA256

    a808c713279d64fe10987ae5b3efc6deb468226c1cdff032d06a2cf0c02d6071

  • SHA512

    d1071720cad6dda7916cb9acaf25fd38bb252559e9331ceea60084d56f555a214431fb8f072e136847443ff12551f09e0222d337e59218b73fcb772907867a1c

  • SSDEEP

    12288:BQMFG+2gef5x/xQTB2OfDKC7WgcBj3hdUU54Knq:BQj+29VgfDnKFDwp

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
  • UAC bypass (3 TTPs, 13 IoCs)
  • Adds policy Run key to start application (2 TTPs, 26 IoCs)
  • Disables RegEdit via registry modification (7 IoCs)
  • Executes dropped EXE (4 IoCs)
  • Loads dropped DLL (8 IoCs)
  • Adds Run key to start application (2 TTPs, 64 IoCs)
  • Checks whether UAC is enabled (1 TTP, 8 IoCs)
  • Looks up external IP address via web service (3 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file (1 TTP, 4 IoCs)

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory (60 IoCs)
  • Drops file in Program Files directory (4 IoCs)
  • Drops file in Windows directory (39 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (16 IoCs)
  • System policy modification (1 TTP, 41 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\17a074f5e5b2f7984bf1a2bf5dc7d703.exe
    "C:\Users\Admin\AppData\Local\Temp\17a074f5e5b2f7984bf1a2bf5dc7d703.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Users\Admin\AppData\Local\Temp\qnssgssfaxc.exe
      "C:\Users\Admin\AppData\Local\Temp\qnssgssfaxc.exe" "c:\users\admin\appdata\local\temp\17a074f5e5b2f7984bf1a2bf5dc7d703.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2448
      • C:\Users\Admin\AppData\Local\Temp\ujmrvkk.exe
        "C:\Users\Admin\AppData\Local\Temp\ujmrvkk.exe" "-c:\users\admin\appdata\local\temp\17a074f5e5b2f7984bf1a2bf5dc7d703.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:2704
      • C:\Users\Admin\AppData\Local\Temp\ujmrvkk.exe
        "C:\Users\Admin\AppData\Local\Temp\ujmrvkk.exe" "-c:\users\admin\appdata\local\temp\17a074f5e5b2f7984bf1a2bf5dc7d703.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2232
    • C:\Users\Admin\AppData\Local\Temp\qnssgssfaxc.exe
      "C:\Users\Admin\AppData\Local\Temp\qnssgssfaxc.exe" "c:\users\admin\appdata\local\temp\17a074f5e5b2f7984bf1a2bf5dc7d703.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:1752

Downloads

  • C:\Program Files (x86)\bljjisnqrwxlhydgxblvttsc.abg

    Filesize

    260B

    MD5

    2c6c8d6f9dc24f6cc2a33400bdafeb4f

    SHA1

    19d844415104d3974f8136954b5b3dd727fce947

    SHA256

    d9f41c872f98282e958b891463c8ef28bf7a1891b85618835c4ef967b694b55c

    SHA512

    1e17ec73aac207f2a4da9e38cb3eb7074c25c96396a63343287f3404eb20bb0732aca8b4e31717e8b4d203619becd75096fc11f1d7460475676e5e7fcb49b56e

  • C:\Program Files (x86)\bljjisnqrwxlhydgxblvttsc.abg

    Filesize

    260B

    MD5

    1f567866c9ed61b7990ed65f0d80fd2d

    SHA1

    65bab04de32ea44187b5d22321a7308a96163c27

    SHA256

    281377c7e13f9ee4fadfbcfd9dabed0c5a2e70fcc7618d34c2128a340137c936

    SHA512

    af6ed09648ccbfa5b94b0bac2684ddc2f1a4ddd907e53e03111cbc8d22d24dfbf263a535740085de2eb50c9a23f55cfe397e55badb41d6e142ac125fb9f1a707

  • C:\Program Files (x86)\bljjisnqrwxlhydgxblvttsc.abg

    Filesize

    260B

    MD5

    748cc11aca4bca8a3aa4d399614384f1

    SHA1

    9f8bbf5b9c8da44bbbd2a3e4302934a0d42c97fc

    SHA256

    24b460f62c3490573810b1e545d3176fbf9b8811c92868186c6c53b697ccf67e

    SHA512

    e1f71838526d4cdfdd8ac6fc836fc19b40b2211cebdd29f60e480b3324b21c31299bad9f2b33e96e33be224629b49c493e27ffea566d1a4dcaedf745feeae2c0

  • C:\Program Files (x86)\bljjisnqrwxlhydgxblvttsc.abg

    Filesize

    260B

    MD5

    0c9b7d3fac6656ac6a7ad52e5f77d534

    SHA1

    fc5746e4dbda49deb10e66c05cc50c792b630cdc

    SHA256

    c2e5495e2bb0e3d624003c9c40d84e3bc205f38ccc86498d238dd6d8e34e3335

    SHA512

    9dfaf9b64d4be5c4c1b2c2d59d62c2cd2aa828869faf342e564d6824deb8cda555d90f51b0d904372cd39c806f6dab246662ed74621adecfbe7f7b9754b73ca4

  • C:\Users\Admin\AppData\Local\Temp\qnssgssfaxc.exe

    Filesize

    93KB

    MD5

    d0d00e68d36aee31078074b27e802750

    SHA1

    fb2b9d736accbb9b17b837908c80cd0d4c59fe91

    SHA256

    4724d7d003040b9be8fcb4c3f1afcdeb65ff9a1d090da1ba4c26f8b34e21c5b4

    SHA512

    3bbf251b72bb90b887abd80d666244326173164634cf4e319d0c31aebbc1e23ae22d78ad7970402cdae5eb57dd10b56a0185b8d6a48e3d2884d0c0163becbd8b

  • C:\Users\Admin\AppData\Local\Temp\qnssgssfaxc.exe

    Filesize

    320KB

    MD5

    304415df6ad55a90301aa8158e5e3582

    SHA1

    cc20ee7d5e8607f4fa0633093083ec0a68dcf3cd

    SHA256

    34a5f9e2b494b086abad2721019be271fa43350c9146f000e50fe554f170743d

    SHA512

    4ef2a9a8a3b36ba8c40a0bda9de415c76f985da34475f9110f7fe7b70a8e235d66ec6e15f76b45c5f75f5594fe05051d8112745e5031a18c817bd5d86212c687

  • C:\Users\Admin\AppData\Local\Temp\ujmrvkk.exe

    Filesize

    724KB

    MD5

    b487addffdfa6b9d961ed624fc4199a0

    SHA1

    6915ebf3cfd00f2fff765c7d0396a133739d3dca

    SHA256

    e17facfc07d69dd1b2f4d1c292618fef1f57ce5b722948167f82669883a418ba

    SHA512

    9489dc60f192de0fb93e6d2899de47cdaac48c3eb8ea726c31443afea24e4287c7c73d3fc1625792ad76ef9f3a3b89829258fe13b40868b182f74499b0be9d8d

  • C:\Users\Admin\AppData\Local\bljjisnqrwxlhydgxblvttsc.abg

    Filesize

    260B

    MD5

    88aa1d39e53c78282a52d1d2e5b3b4d7

    SHA1

    25d1d98c269b2445395017b2d922427306f0d4fe

    SHA256

    312fdb654cc18292c11cb8cb261caa063be1c52a83425d9e9d4c3431e044ae50

    SHA512

    768e8b7f5f9e3974173d81a4a88141bb3c121b3a83dd2dca9eea1594a15f4dce1d32926df83b7b062fe463e0163ccfa014f94b8d6865073eefad7f9aba7063af

  • C:\Windows\SysWOW64\azmbpoyqgaqtekewc.exe

    Filesize

    652KB

    MD5

    17a074f5e5b2f7984bf1a2bf5dc7d703

    SHA1

    3bd75ae7711be9b54e98f9f233880b2b6ec290db

    SHA256

    a808c713279d64fe10987ae5b3efc6deb468226c1cdff032d06a2cf0c02d6071

    SHA512

    d1071720cad6dda7916cb9acaf25fd38bb252559e9331ceea60084d56f555a214431fb8f072e136847443ff12551f09e0222d337e59218b73fcb772907867a1c

  • C:\Windows\SysWOW64\jjxnccngxsjnzgbubv.exe

    Filesize

    92KB

    MD5

    ad67c3a629052e2717c4bad84ab0d60d

    SHA1

    8376431e1a6400971e9e22e0efe98b29c40efee3

    SHA256

    cd397d09210b0ae875edfcff2d796436e3979e27c240b0deff7937a29b61e176

    SHA512

    f145848fca9f9f39179e62661ee37d5338655227d0b5de67fd280eaf138c4f0d32164887eff0098ecc9a109a3a4de26161b958624a2f70728f547708defb1c7d

  • C:\Windows\SysWOW64\jjxnccngxsjnzgbubv.exe

    Filesize

    99KB

    MD5

    f2d14154e70dc9848cce970274d6d992

    SHA1

    d9830075be3067420be5b6f06cec1ab6542b0b5f

    SHA256

    d250c0dccac89879f3f5dca8ebcd34927865351c642f47b44336929e88d62b90

    SHA512

    3353434acd899e9ae867ef6eabe4f3808c4c5f5fa82d7ef21f9270ac97c244da0932088172e817a7f38c0d22c26a3b4cd48ae423efb8b920305eb4c9c8ef3369

  • C:\Windows\nrjdwapmhgbjzkjgrptxpj.exe

    Filesize

    137KB

    MD5

    0dedec0e903018cc2b9f22a3146f2426

    SHA1

    6e8e83edf1eb357bb28e82ad0a485d8f24b1fc92

    SHA256

    b35c86efe9934e702f16ec06effa1ce7dc5b08b37d73fa158de0e46035bcbf63

    SHA512

    8dde118bf36708c78de7b0de85c6d65cc926f8e996e12b8b05595da0154b808d07a1f45b5c42028087d6b26ad5795201993bf3e1f0716da0e466ef6b842f9446

  • \Users\Admin\AppData\Local\Temp\ujmrvkk.exe

    Filesize

    92KB

    MD5

    03144b09024322131ce30f8f6db0f90f

    SHA1

    571a2ba73449ec143f14243893b7e8ee71ecbee4

    SHA256

    0eba799826b83927a8c9e894da288c9dace2e819c8240dc35fcc389595ab9fdd

    SHA512

    b2d552d7bee92bf04ca1d0d0974ae85150d74cc90256169c961a6ee75d66246d72dc061ad215b6effb80f755fbd746788180a8f591c7d39c31882d0475b2ef81
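
Host check

The following PowerShell script is an added example, not part of the Triage report or of the sample's own code. It checks a Windows host for the behaviours the Signatures section flags (Winlogon Shell/Userinit tampering, Run and policy Run keys, DisableRegistryTools, EnableLUA, autorun.inf on volumes) and for the dropped paths and SHA256 values listed under Downloads. Assumptions, stated here and in the comments: it runs elevated on Windows 7 with PowerShell 2.0 or later (so hashing goes through .NET rather than Get-FileHash); the "expected" Winlogon values are the clean-install defaults; the dropped file names look generated and may differ on another infection, so a path miss is not proof of absence, while a SHA256 hit against the report's list is strong. Note that C:\Windows\SysWOW64\azmbpoyqgaqtekewc.exe in the report has exactly the sample's own hashes, i.e. it is a byte-identical self-copy, whereas the other drops have different hashes per write.

```powershell
# Added example (not from the Triage report): host triage for the behaviours the
# report's signatures flag. Assumes an elevated PowerShell 2.0+ session on
# Windows 7, hence .NET hashing instead of Get-FileHash.

# --- 1. Winlogon persistence. Defaults below are the clean-install values
#        (assumed baseline); anything else means Shell/Userinit was hijacked.
#        Both the native and the Wow6432Node view are checked, since the
#        sample's children run from SysWOW64 (32-bit).
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($k in $winlogonKeys) {
    $wl = Get-ItemProperty $k -ErrorAction SilentlyContinue
    if ($wl -eq $null) { continue }
    if ($wl.Shell -ne $null -and $wl.Shell -ne 'explorer.exe') { "[!] $k Shell = $($wl.Shell)" }
    if ($wl.Userinit -ne $null -and $wl.Userinit -notmatch '^C:\\Windows\\system32\\userinit\.exe,?$') {
        "[!] $k Userinit = $($wl.Userinit)"
    }
}

# --- 2. Run keys plus the policy Run keys (the latter are rarely used legitimately).
#        Entries pointing into a Temp folder or to an .exe sitting directly in
#        C:\Windows\ (as C:\Windows\nrjdwapmhgbjzkjgrptxpj.exe does) get flagged.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    (Get-ItemProperty $k).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            $flag = if ("$($_.Value)" -match '\\Temp\\|\\Windows\\[^\\]+\.exe') { '[!]' } else { '   ' }
            "$flag $k : $($_.Name) = $($_.Value)"
        }
}

# --- 3. Policy tampering: DisableRegistryTools=1 blocks regedit, EnableLUA=0 turns UAC off.
foreach ($hive in 'HKLM', 'HKCU') {
    $p = Get-ItemProperty "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -ErrorAction SilentlyContinue
    if ($p -eq $null) { continue }
    if ($p.DisableRegistryTools -eq 1) { "[!] $hive DisableRegistryTools = 1" }
    if ($hive -eq 'HKLM' -and $p.EnableLUA -eq 0) { '[!] EnableLUA = 0 (UAC disabled)' }
}

# --- 4. Dropped files from the report. SHA256 values copied from the Downloads section.
$knownSha256 = @(
    'a808c713279d64fe10987ae5b3efc6deb468226c1cdff032d06a2cf0c02d6071',  # sample = SysWOW64\azmbpoyqgaqtekewc.exe
    'cd397d09210b0ae875edfcff2d796436e3979e27c240b0deff7937a29b61e176',  # SysWOW64\jjxnccngxsjnzgbubv.exe
    'd250c0dccac89879f3f5dca8ebcd34927865351c642f47b44336929e88d62b90',
    'b35c86efe9934e702f16ec06effa1ce7dc5b08b37d73fa158de0e46035bcbf63',  # Windows\nrjdwapmhgbjzkjgrptxpj.exe
    '4724d7d003040b9be8fcb4c3f1afcdeb65ff9a1d090da1ba4c26f8b34e21c5b4',  # Temp\qnssgssfaxc.exe
    '34a5f9e2b494b086abad2721019be271fa43350c9146f000e50fe554f170743d',
    'e17facfc07d69dd1b2f4d1c292618fef1f57ce5b722948167f82669883a418ba',  # Temp\ujmrvkk.exe
    '0eba799826b83927a8c9e894da288c9dace2e819c8240dc35fcc389595ab9fdd'
)
function Get-Sha256Hex ($path) {
    # .NET hashing so this also works on PowerShell 2.0 (no Get-FileHash there)
    $sha = New-Object System.Security.Cryptography.SHA256Managed
    $fs  = [System.IO.File]::OpenRead($path)
    try { [System.BitConverter]::ToString($sha.ComputeHash($fs)).Replace('-', '').ToLower() }
    finally { $fs.Close() }
}
# Paths as seen in the sandbox; user-profile ones are resolved for the current user
# (the sandbox user was "Admin"). Names look generated, so absence proves little.
$dropPaths = @(
    'C:\Windows\SysWOW64\azmbpoyqgaqtekewc.exe',
    'C:\Windows\SysWOW64\jjxnccngxsjnzgbubv.exe',
    'C:\Windows\nrjdwapmhgbjzkjgrptxpj.exe',
    'C:\Program Files (x86)\bljjisnqrwxlhydgxblvttsc.abg',
    (Join-Path $env:LOCALAPPDATA 'bljjisnqrwxlhydgxblvttsc.abg'),
    (Join-Path $env:TEMP 'qnssgssfaxc.exe'),
    (Join-Path $env:TEMP 'ujmrvkk.exe')
)
foreach ($p in $dropPaths) {
    if (-not (Test-Path $p)) { continue }
    $h = Get-Sha256Hex $p
    $verdict = if ($knownSha256 -contains $h) { 'matches report' } else { 'hash not in report' }
    "[!] $p present, sha256=$h ($verdict)"
}

# --- 5. autorun.inf on removable (DriveType 2) and fixed (DriveType 3) volumes.
Get-WmiObject Win32_LogicalDisk |
    Where-Object { $_.DriveType -eq 2 -or $_.DriveType -eq 3 } |
    ForEach-Object {
        $a = Join-Path $_.DeviceID 'autorun.inf'
        if (Test-Path $a) { "[!] $a present:"; Get-Content $a }
    }
```

Run it from an elevated prompt and read every "[!]" line against what the host is supposed to look like; the Run-key section deliberately prints all entries, flagged or not, because a clean baseline for that key is host-specific. If the script itself cannot open regedit-related keys or the policy keys read back as tampered, treat the host as compromised rather than trying to clean it in place.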