
Analysis

  • max time kernel
    182s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/12/2023, 19:19

General

  • Target

    0ceaf65857d7abd3d0b19c8ed58b4d45.exe

  • Size

    512KB

  • MD5

    0ceaf65857d7abd3d0b19c8ed58b4d45

  • SHA1

    f0e101c0dc5604fe0ac289894957ff53b753ff13

  • SHA256

    0feaab70d04347b17ec2c5743826777c10a63ba589630456d0bfa2ea836a043a

  • SHA512

    8f060a53b6140fdc9982cd8f8b4042554e01274118bf5a300bd1bff36c1049d630295b9d63c8931458ae84c3be376fffd3cbf46bb451c04114218987cd73ee54

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6J:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5w

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ceaf65857d7abd3d0b19c8ed58b4d45.exe
    "C:\Users\Admin\AppData\Local\Temp\0ceaf65857d7abd3d0b19c8ed58b4d45.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2752
    • C:\Windows\SysWOW64\xwhpxhtajs.exe
      xwhpxhtajs.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Windows\SysWOW64\wwpsodso.exe
        C:\Windows\system32\wwpsodso.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1628
    • C:\Windows\SysWOW64\dyxwvsahuplytug.exe
      dyxwvsahuplytug.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2668
    • C:\Windows\SysWOW64\wwpsodso.exe
      wwpsodso.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2380
    • C:\Windows\SysWOW64\rigojnpmlwixh.exe
      rigojnpmlwixh.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1124
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:828
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:796

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

      Filesize

      512KB

      MD5

      186c2a17f6c96dbe795ee87dd6169075

      SHA1

      b4b91b66600c1709c78a9f659a7195c00d6bda9e

      SHA256

      bc765027746c49060e31a945d32a80bec06b0bfd50be15e48d2f3322e563b652

      SHA512

      778190d1870b1bc2546cddcb9523a3dd7a9890bc3b1e9fda65cb9b3a1cc2a250b86c163df3dc353a7bf07024f66c8d40f6294b668bd7103de0e4e2c248d38ebf

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      7f33245f19dbf75a0b166ec88861096e

      SHA1

      48e53c04824a0cb5198c534d2eceef2945ee7a88

      SHA256

      2f40b9de8e018b45f1a34175b658025cbee48cf659748103382e7842a9fe480b

      SHA512

      2e6bcc5002ea9e0f72f82140aa2c6d865cda3fea6967eb132d1347304b3cf06869cdd9a8c35e14affaf422eaaf367527d751c1458f42ff47d8fa767f7536051a

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      cbd876c7329fd2869eea08af6cefd0e7

      SHA1

      3fdbb583a8e475b1c69c4a2e34da2a448c05fbd3

      SHA256

      694e3ac01e0d32be5c644b0acc181044f38fbe7993b35e9160cb28b183b91e6c

      SHA512

      29282ab61ee45badec84f17edc02915409155cf9035d5fb186794bd1f255e3e942a2a3b2d3fb07163b59c90bd93041f5d7c17f75ea57c2c306cfa5e32d4ec25c

    • C:\Windows\SysWOW64\dyxwvsahuplytug.exe

      Filesize

      512KB

      MD5

      8142c29c6bdb667a05f65a8336095029

      SHA1

      1747ba8093e724e7a4e7c9f80029a1fc9db5be42

      SHA256

      2a1cb059968d8db8c8eebec690db0d8eccda4bf48aa686a630dc7f397c920076

      SHA512

      45290ff07059ee77b0643d0c29c83c64371600b0a52cc0e19176113576b04d21658d2f4ff3f4500790a7dca49fa9ab86454401f5112db2f9f8ffc083e700a5b0

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\rigojnpmlwixh.exe

      Filesize

      512KB

      MD5

      14934e3edbb96dced0ce24ad1226b331

      SHA1

      ef4f575310b615c0b06e37c5143df808ef409ce6

      SHA256

      83ebda44e499f977aa4ee7a2f38ffcf4d3a3f5664aa43cabc95388f156ef99b8

      SHA512

      e79034d7b98e6a91fb118b8d2546faceb89e6715dda887d84c7fb03e1db68d4b5cd399b3e14810a46d53cae121ddbfcc20a8fae5feaa61b54d40ff3b7f12348c

    • \Windows\SysWOW64\wwpsodso.exe

      Filesize

      512KB

      MD5

      0cd3a7ab2f4cce41677e1260ddfc62c5

      SHA1

      c5a202ad90ee43654762decfd87ff6cae5cca4bf

      SHA256

      48e3c709e12773d7f7b40f00fff64da26fc3a97fc2d0988145298a8ce57b9ebb

      SHA512

      50ad31f27954c5b0cbf33cba81d0a87d875def430fd4dbe9420afb42241caf90b0d269964ac4a8d97243a09643299bf38ade2149cbc5ca8b9eb85ef92f36624b

    • \Windows\SysWOW64\wwpsodso.exe

      Filesize

      470KB

      MD5

      dba30b63086280656ef29cffce8f2b1f

      SHA1

      3e1f69f1a3c4c38b9f749d9d57fd8db09b52ba3a

      SHA256

      b4954988d858e7051dfaced251d879b388c5ebf463282765345d6fe2b388bb94

      SHA512

      e8396061891140265599cec13615ec1f325449aabb4c886ee5d466ce670185ec37a71dbccba6612744fe86d4ab527eed6f882be9a665167342454c8d76be42b0

    • \Windows\SysWOW64\xwhpxhtajs.exe

      Filesize

      512KB

      MD5

      5b9404222b3261cf82038a3a3e9f7172

      SHA1

      a0a95753dc877cd823a56f313adbdc139a4bdfef

      SHA256

      3ae83bda144b05987a700df92e0a23ab90a653d4145d77560c9552b8515ef2a0

      SHA512

      882ac17bbfe866d6666d83a884baa0a6c26f877daf998d8f182d3709d3567cf2463408748ac9b5745c7098c39882083d25b9e91fc2494a88c65f7aa0b2e2c982

    • memory/828-47-0x000000007186D000-0x0000000071878000-memory.dmp

      Filesize

      44KB

    • memory/828-62-0x000000007186D000-0x0000000071878000-memory.dmp

      Filesize

      44KB

    • memory/828-87-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/828-88-0x000000007186D000-0x0000000071878000-memory.dmp

      Filesize

      44KB

    • memory/828-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/828-42-0x000000002F9B1000-0x000000002F9B2000-memory.dmp

      Filesize

      4KB

    • memory/2752-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB