Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5

1af82dcb65...fe.exe

windows7-x64

10

1af82dcb65...fe.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    133s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    24/12/2023, 23:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1af82dcb653fdb7b76bda1abfdedbbfe.exe

  • Size

    512KB

  • MD5

    1af82dcb653fdb7b76bda1abfdedbbfe

  • SHA1

    0a4dc744486aeb247e582bdbae41091cc624bc2a

  • SHA256

    289fb07890b4fbca5d0bd8a9e5e80a8f2e4d29ebc7c937b8b16e50fdeafac831

  • SHA512

    1d3b9a17b2b2419cee8edd4748ad7d8532accc549a69ca4bc5d2922f902c61aae8df9b24ff17dc73d35f41d5fa0eeb092cf3432ce72e57ad100ae88be5f1106e

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Q:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm55

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 19 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 46 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1af82dcb653fdb7b76bda1abfdedbbfe.exe
    "C:\Users\Admin\AppData\Local\Temp\1af82dcb653fdb7b76bda1abfdedbbfe.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\SysWOW64\pomsglqadr.exe
      pomsglqadr.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\SysWOW64\tmvvagzm.exe
        C:\Windows\system32\tmvvagzm.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:2592
    • C:\Windows\SysWOW64\tucarjmoqoxmizc.exe
      tucarjmoqoxmizc.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2748
    • C:\Windows\SysWOW64\tmvvagzm.exe
      tmvvagzm.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2988
    • C:\Windows\SysWOW64\patikrfsnybfn.exe
      patikrfsnybfn.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2628
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2656
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2200
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:920

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize

      110KB

      MD5

      009f8b68bad69af59cad29fb86f70817

      SHA1

      49a02f65bdaf47c28760ec41e619489da8c6f90e

      SHA256

      c364b16f5e8b4d8472f14f94a28ac085eb70fcd392a29ae33fe839fe7fe83ba8

      SHA512

      4625b3de42d258146c7bba42c971cf58b6d166f7dc098a99df0ea31df349c2cac3e24e244208172c58fef634cf21db4e96881b738e43348be7c9e40e6a91a2f1

      Download Submit

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
      Filesize

      85KB

      MD5

      328820f13b21271afa7548dd63f0bcbf

      SHA1

      448b29b6a017b753837601d034d9aafc3a9ae0a9

      SHA256

      5d8d9c13b2e11566490755a3f3b9bdfaa08e910820bd6ce0858173112166025a

      SHA512

      85bc9f2a4c512cb8ae56482844482d61871424308e3cc19c169051ed33e4bcc1d4fbcc02a0dee7c5f47d8aa61d2086a557d132f181eee24cc3dea455d79078e6

      Download Submit

    • C:\Windows\SysWOW64\patikrfsnybfn.exe
      Filesize

      160KB

      MD5

      d2c5bc698b712a3f1a74121301851078

      SHA1

      5fbe998db4f7d0618bf2217289ebbe9daacb525c

      SHA256

      53414b7e48af33be8d44e4f7fd6025c40852314daf1321c05ae02014bc878021

      SHA512

      7f9d5732b708727b538ae86e4405e3d1e533587c361c12358d172c965962cd600ee282270f15e80bd44a17d8dc230a29ea569ddd69dd1f52f146a186bf5bcb71

      Download Submit

    • C:\Windows\SysWOW64\patikrfsnybfn.exe
      Filesize

      187KB

      MD5

      81d4481525fe9eccb28942a084a46f63

      SHA1

      89b31dfdd76db8251f311da55ecf225cf44d6d35

      SHA256

      37c4eae35060afe91365374a869112f149ffac2ab0db0747a42fae53ad0cd61d

      SHA512

      10580e7854b5d65cb046a3c672bd724cf9073228a20b53e6c67dfe14bae6207a7a407819cc548ec8dc1d80b0636a1f44e6bd90fa57f30ff81bc143db05b8ba12

      Download Submit

    • C:\Windows\SysWOW64\pomsglqadr.exe
      Filesize

      270KB

      MD5

      006ccbf8e808364f82a294b5ccffef46

      SHA1

      5569c7fde3333c099a62e350b587a2bc5a40b0b6

      SHA256

      85a6882620b74694768db1cfc32fbefe75f7e344f156dce217e4b2c4845eeb09

      SHA512

      d83a6f874bdf9f5fecad45bf9c2e211bd44196c21d73f438fe6a00aa4948c7b5467ddcb058fbc4e2d221791f2699727879f208945a7cdd9a2d7971b769c00012

      Download Submit

    • C:\Windows\SysWOW64\pomsglqadr.exe
      Filesize

      201KB

      MD5

      86afecf9ae6275c385deae87e10e5956

      SHA1

      88bd5e1d7e818994195d788080ca1b8ae531a389

      SHA256

      de5cdc015f741ed0ad916a4b50075724e38e682dfce995007fa2b6c6f73dec83

      SHA512

      ddcf188bfecc0225ef13697561055a4cbfa6ab7e4d255ecf84f9be2a17f487e42771a6e9ab57ab60b7ba8218dc4a4c856946249805647b462de319b643893491

      Download Submit

    • C:\Windows\SysWOW64\tmvvagzm.exe
      Filesize

      218KB

      MD5

      a2251f4e685c4a26195758aa13c129c7

      SHA1

      851cdcbc4337ddac3d05450905f9b0228980f403

      SHA256

      887ef9bda3609f99686b75b8fdc4b9572449f07de17e4e4e591b301f88a7c81d

      SHA512

      641d15f73223760f7226f1b79ad83500d08d54de7ba7778ed63ddf84fe3bc6d9ca3d882d4487c1a73034abcfb6a0b456e9048c270b59c75fdd5e077498630464

      Download Submit

    • C:\Windows\SysWOW64\tmvvagzm.exe
      Filesize

      140KB

      MD5

      5bbb7aa5eb6499905906089647b0a062

      SHA1

      c1cc5ce5b94fbf1d132552d513d6597c8d6e2f11

      SHA256

      43813f797f24e078ddffe9b9601ecc5843cc2758ed8f06b4d45b63da56f5ce85

      SHA512

      08cf301f27232369f688d35f2ce023cdc631e263e20ddc745ee26373be30bca1578b2b5b3b7b67894f93f866f0e55aa64e163dab0c01fe1d8e800d489a565bae

      Download Submit

    • C:\Windows\SysWOW64\tmvvagzm.exe
      Filesize

      197KB

      MD5

      36649300e19561c7761c05d14a0f5ee6

      SHA1

      7f9a05e634cce9abe5fba7951d84fdd7244d7b4a

      SHA256

      5ca7ca648fe6129357d9a3d326278804f5b5ea6c072317999b4b93636ac86eff

      SHA512

      33cdc8423cec6bde0fae2076a3608d73557ffe23338a47fac59b86fa02ca12a9c919ddef28633d46dc9f61437ca0bf79300c14e849162cd6b344355699bded71

      Download Submit

    • C:\Windows\SysWOW64\tucarjmoqoxmizc.exe
      Filesize

      202KB

      MD5

      422b5ccce4b3db37ca222b69abd256ab

      SHA1

      b0b12e771885759b03bebdba8f727b699a345057

      SHA256

      3a961386ec974c2c3ef22a05bb8aab6cf2bfd65f1f87992d00c6398c45f32e19

      SHA512

      96bc6e1f5536584e0aee87a56bc72511c89830465926a961467ca139ac7b6f5d3c77d71c0b58bb49280d96b55326e9677e4f53d47c081c28562fcd7dd3c4533a

      Download Submit

    • C:\Windows\SysWOW64\tucarjmoqoxmizc.exe
      Filesize

      261KB

      MD5

      7532b77c98033f52ab44807bc3bef32e

      SHA1

      332dc85c01bcf008e71ab62e048701866e6c7399

      SHA256

      6f30b86cf720a5614a17d99437280ae81448c7e5d7cf818b6677d48795361211

      SHA512

      2aedf421070cd68097949c864013d96ec9d59178f2caf5f6e8366ee9ef1d73a5d5c6ed4151a170c0d923bf9d736714106f22254468c5a0206a0eb638c055443d

      Download Submit

    • C:\Windows\SysWOW64\tucarjmoqoxmizc.exe
      Filesize

      312KB

      MD5

      07190537549264329d3fba8d82462b60

      SHA1

      1d1bfdff7daf5514bd90a387cf4ecca27a4d3af8

      SHA256

      b32427ec508cba1b50f81c373f4e6165d2e0a67fef39762afbe1e667d4e0ddc0

      SHA512

      1c6acd2ed634086785163b1c142cec31ec7885a42b985b4da99a1c7c7104390127ba150bb07445eb35d47673c878cd43f092b42dd85781ceb4a720924e1ff7a9

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
      Filesize

      105KB

      MD5

      600ebe265f61003ff05b266a68c49f9a

      SHA1

      03bc1ad1610af154b3d936201fdb39aa01444e5d

      SHA256

      81e3dd826f95c2297fe66ed66d5bb9f22bdf1743c2945ec6b70e071eafe1a2b1

      SHA512

      d22ac92060b45320f4e4809ac1c4280af891e6104b9ee8fc05f60edd639fc3a6f446a13f2d0e613d642ac37bb2e9d03242820611d38455b520e20a8f4945d867

      Download Submit

    • \Windows\SysWOW64\patikrfsnybfn.exe
      Filesize

      295KB

      MD5

      f50993c63e4929cdb9f0036a11181204

      SHA1

      5959bd47ae12907676995905c642ff70ec605016

      SHA256

      6aae046986f78aa24ec765151b363be1e90e84ec9a0ff72331cdb4426c207f2d

      SHA512

      dcaaf8e819f1cb0ca2365b803fb82da32b979b87ee14de9d3916fd307420ed9374c9d3611900a6fb7bf0d7bbfeb21d8f24488ba34b0adbd3afa546183f221da9

      Download Submit

    • \Windows\SysWOW64\pomsglqadr.exe
      Filesize

      318KB

      MD5

      da657497fd2bdd826116b74b371e5637

      SHA1

      e2c45907d6e721e9cd8f223bae6182debc18429f

      SHA256

      7b3d14d329ed51bc8938b56d616694082b1a9a1bb60467c2ee141a39ca9deb27

      SHA512

      2ca6e7da9f89cf2bb79041adfe7cfb8ccf8ca9e279f0857fcca53cf182ff66b6298915dc296f676d1393b7bf211d281225f88dedaa6cd55460ddc0b0db426fc6

      Download Submit

    • \Windows\SysWOW64\tmvvagzm.exe
      Filesize

      203KB

      MD5

      3145eba33852b6ce557fd5aaa6bcd4dd

      SHA1

      a8240a69ca4355b970761116723dd06ced599eae

      SHA256

      beac68cf1d79d63d1fcc6041ddfabaa93d75f53c619657687d1a6f83533d9c6a

      SHA512

      52077a227c834aca2ac8dc4b34588b5aff274a9400c0f63a24b8789a356300efd62cf8b42fa9126e4ccb5a73c9d77c5839d3d72952a781da14eadb141a5cdd8e

      Download Submit

    • \Windows\SysWOW64\tmvvagzm.exe
      Filesize

      152KB

      MD5

      3866b6472bc57a9ff6fb25dca20185db

      SHA1

      629fcac71397fc5ce2d63baaee45a934cfe31245

      SHA256

      bc6740c78a35e6e989dafdf53301cc5c2d7837b04c04c18588f66051e7bd28ed

      SHA512

      4198b6983d802c3730d44014dd04bd9a56d29021f4aea45f8a77ebd86fc4fb11642250769d376438b21d9dc2bab26e1b99980b9788c36797ea6f8c5370515561

      Download Submit

    • \Windows\SysWOW64\tucarjmoqoxmizc.exe
      Filesize

      174KB

      MD5

      bd34abfeb921c8a8120b76801b312308

      SHA1

      eb6541d321401020c9ed8f250f4ff9946e1d04de

      SHA256

      76b51910415f9572b6a622d7e23654a1689e72c154e8f1e612a147f1f5fa2151

      SHA512

      ebca676070f619f98728218ed07684464d0fb2149158af1206d58bdb2f1cd320ca013d1dcf70edaceb78fac72132fa5867876d85a922315064e13c59aee93a42

      Download Submit

    • memory/920-78-0x0000000004130000-0x0000000004131000-memory.dmp

      Filesize

      4KB

      Download

    • memory/920-82-0x0000000004130000-0x0000000004131000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2416-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

      Download

    • memory/2656-47-0x000000007129D000-0x00000000712A8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2656-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2656-45-0x000000002F2E1000-0x000000002F2E2000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2656-80-0x000000007129D000-0x00000000712A8000-memory.dmp

      Filesize

      44KB

      Download