Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5

0ceaf65857...45.exe

windows7-x64

10

0ceaf65857...45.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    25s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/12/2023, 19:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0ceaf65857d7abd3d0b19c8ed58b4d45.exe

  • Size

    512KB

  • MD5

    0ceaf65857d7abd3d0b19c8ed58b4d45

  • SHA1

    f0e101c0dc5604fe0ac289894957ff53b753ff13

  • SHA256

    0feaab70d04347b17ec2c5743826777c10a63ba589630456d0bfa2ea836a043a

  • SHA512

    8f060a53b6140fdc9982cd8f8b4042554e01274118bf5a300bd1bff36c1049d630295b9d63c8931458ae84c3be376fffd3cbf46bb451c04114218987cd73ee54

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6J:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5w

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 19 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ceaf65857d7abd3d0b19c8ed58b4d45.exe
    "C:\Users\Admin\AppData\Local\Temp\0ceaf65857d7abd3d0b19c8ed58b4d45.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1332
    • C:\Windows\SysWOW64\lhspiqaepchcf.exe
      lhspiqaepchcf.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3948
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3060
    • C:\Windows\SysWOW64\xswltgox.exe
      xswltgox.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2452
    • C:\Windows\SysWOW64\jvtdiummrzhscow.exe
      jvtdiummrzhscow.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3928
    • C:\Windows\SysWOW64\wmjllniuyj.exe
      wmjllniuyj.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1500
  • C:\Windows\SysWOW64\xswltgox.exe
    C:\Windows\system32\xswltgox.exe
    1⤵
    • Executes dropped EXE
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4316

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    461KB

    MD5

    8070260446043f8660b7599a0df23296

    SHA1

    22becaf5969504fd352dcd2d1df5c0f6b3843b53

    SHA256

    3d81d0a11948652cb565038bd588ad910039224003ba884d81d5d76c0191daa2

    SHA512

    9ab3c0d8bfc0afaf97b964fd6da051726819595b63d7004561ac9fa80c6ae2dcbbe2323ccb9e7f2994e58f53e041e21926243b370b050eba874eee49fb4448f6

    Download Submit

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    447KB

    MD5

    015667467cb4c4ec965e527dc5ec7274

    SHA1

    79c1f8db05588d6a11e77c5f1c79c32011fbeb69

    SHA256

    ec590b0a27e90dcc0dfb374ec59452d68e9f8e1eaefd5c97b5b2e54fed69c859

    SHA512

    cccbd83799a73f580b737f2c6916c977921fa58697f35f58b44e716c7b200ea83fc0d9e3f82fbe603b32c5219c7aaa8740de4d29750e03887478f86001f6cad6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    506014e5cddd2202b8f7ebe29cf91677

    SHA1

    39274ea14c8797c8bf3349b4c70b5f1b1eebcc8d

    SHA256

    99786df150f87f071dc465d305fe2f675cf0c2d293590af9d70c4758a3a4674d

    SHA512

    c67abc5f19766fdea4e97239e3b2535d37ff9865aaf7183c3361077c42d0d7720cd31b96a30e9a5f88d4fe3b37146a8fdaa54857177593cb30a34d7b61cc73b3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    5462cbce596b452c35c6cdc0be6c6e0a

    SHA1

    0e3b82b6fdeef34bbc74503fdad0eb7af1dcd33f

    SHA256

    ff05736fc0f39f9f4a73ced9527dbbb16a293720ad711055a976425fd10a99ee

    SHA512

    dce9520743059ed2632374710af32249ab7f53c54eb9818228bdf97a73ef6d62a3d1677c6d1f7d8ed956d229240e0fb025c1c294d15486923d77299e5d692953

    Download Submit

  • C:\Users\Admin\Desktop\SaveUndo.doc.exe
    Filesize

    12KB

    MD5

    63e92bda69237f813e01f6c659e9ffe5

    SHA1

    f093fc21d532e51b4ac8ac19646a7693a5973331

    SHA256

    227463fb9b915c509106507cdf8afc0b105f2117a7c9c867beb3efca71ba35d8

    SHA512

    b95d684c808f9e9383428c3f9e360e40c637ee2920346280ecdeaead5f744a2d7373d9c79e3121fb2525d9a579d782046c9f0d090ce1b464e765f4b31a0705b9

    Download Submit

  • C:\Users\Admin\Desktop\TestRestore.doc.exe
    Filesize

    87KB

    MD5

    987548ddedc3154b3db3e10adab07d53

    SHA1

    c81c62958d31f05a34f262581de31e13ed178370

    SHA256

    f14aeb2b7592fef5c4eb1f4a5687175a9b9271c0f2b5db8cbe96f0142708431d

    SHA512

    5362253151708f80aa06f40441acf46073392104e630a1d169dfe68760fcef43ddd555a339a995935d5dfa4b1292b391d6351419cf340a6e8e1fb3678f5c22b8

    Download Submit

  • C:\Users\Admin\Music\ResumeUnprotect.doc.exe
    Filesize

    3KB

    MD5

    ccaefe72fccd2bcef5c3767af5175d5b

    SHA1

    bc20e0801c1f1fea2410c86b9c00a9d8c96acdc7

    SHA256

    b6983674c0c33edc1bebb073635857da4eef2cfce8a908ed835626c7cd34286e

    SHA512

    f36e84ef287a03a0df857fe152b2cfe456f3d7d5f31dd8c9f1f7fb889f2af2539b11703f991530bb3dd5dbf67261eee46e7e51acaa3ab4e887395e75d309089a

    Download Submit

  • C:\Windows\SysWOW64\jvtdiummrzhscow.exe
    Filesize

    33KB

    MD5

    abab6f3a2a63876087d12e46b110a235

    SHA1

    9c4447c132160202f7edf99c8d166b9094901ff0

    SHA256

    fa29736ab998ec1f48e32ae24de9d63d9a700033fe3a05c2a3a6650680cf8778

    SHA512

    a35d6e106890abbe411ae4a6c1d1d01d6e72189d4a6dfe1e95112b3974bcbab3c95276c7a18163098edd053a99d5980961aeaf25ac3cdc2e61adcca35259972a

    Download Submit

  • C:\Windows\SysWOW64\jvtdiummrzhscow.exe
    Filesize

    9KB

    MD5

    4fc938d977a5c28db85103a49f51992e

    SHA1

    1aa5fe5328e9f71152b6172c5245ecd3fb352ca2

    SHA256

    0fdc90765506cfc5d04162173f157d2944ea279090dc2f94b2a378bba2feeb3c

    SHA512

    0f704b04173d1dc9bdec8e8e5d6d745b29e2fb067b9f38e0eedea03201ffa6645dd0ae6b1a747ba56b09b733d76ef96e7d584e16ebdd197910b6b4bc28c2d81e

    Download Submit

  • C:\Windows\SysWOW64\jvtdiummrzhscow.exe
    Filesize

    4KB

    MD5

    803b224565d303017e5832f92b7b4ce8

    SHA1

    78a33ddd089d5265dd91be951deebc8e19f992a3

    SHA256

    a9fdb72dba1e2c28457fd8df3956015cb2eb7149d62eb164e14c278c8246a41e

    SHA512

    83141b7dbc9388e43f3239195fd03c2f0fa8386424f29db9810fb4d24831adfed7b6e9137cade95ab052d3bb7e1ea6ce4100b1c06558390131baed6dbc4097c4

    Download Submit

  • C:\Windows\SysWOW64\lhspiqaepchcf.exe
    Filesize

    10KB

    MD5

    a75d6f6bc86cce841a484a0711b4acf3

    SHA1

    296b1be36950696f856af0841e3ba62bd7f18f6b

    SHA256

    ff452d604a214fcde37b1e9fec6ca5a78cdd4dd8b34beb3e5684c263d4dc474c

    SHA512

    7f68633706db339b6ba2eb9eef2d6a5fccd57b750d4bf30530283f03142899d127043d7b60895c648171c745a6ae0428d06174ab21737413e9887743be27a8c9

    Download Submit

  • C:\Windows\SysWOW64\lhspiqaepchcf.exe
    Filesize

    1KB

    MD5

    ec89629d437c17787acc7061c89e753c

    SHA1

    c65089b32eba1cf75d3546335718073460c971f9

    SHA256

    87b17909878537f2c3d3bc046f54b9eb382e312fa75d2b177457a978dcc7d83c

    SHA512

    65f02cc30b64e2c33d7287c135bc0bb20abe1e35c7176a03e47403db3e21da28f7e7ec7a13ef748aeb76ac06e5e159a9b4e62196692c3411459a4ae235a1bec9

    Download Submit

  • C:\Windows\SysWOW64\wmjllniuyj.exe
    Filesize

    13KB

    MD5

    075ac05d5e883e704c7c7e7230c4b083

    SHA1

    b3d3d9e424988b350af1652b81421b8e3688144b

    SHA256

    1c7153973465f9a4a16a88e73e9c6243640646aa3267a2d8b352c6d375a708a1

    SHA512

    5f400658adebd50503ef1608393cd5a1d5d4812f84395e70f2318a7c61f74c2d7545c5adae60f9c94d8e7585909aa7b351ba6161eae87cead4bddae7551c0fc0

    Download Submit

  • C:\Windows\SysWOW64\wmjllniuyj.exe
    Filesize

    48KB

    MD5

    00258d80e6b81a30b695a6a0bd50bb98

    SHA1

    82cb186d3b70e990a56e7d4b479752084ea5a539

    SHA256

    9873af51fe291accc91772eabb1210a3fe2a6f17818aaf4c75561d9f13599f79

    SHA512

    96b315f031ed4f82ea00d53cee25a4643225efd09877d7380dc86ff24719a50e62267c9e4f60797e22ed672e314a9ff497c31ee164c0537262c71e52a09a9afd

    Download Submit

  • C:\Windows\SysWOW64\xswltgox.exe
    Filesize

    17KB

    MD5

    9908decb035bc4391319c4e223eecda4

    SHA1

    24222d9fbe4a2cd90cc8bd4902c28fd15c3136cb

    SHA256

    32f929c476bae1aee0e917e84704e1bf005e4a84af5d93d837481c5da6eeffda

    SHA512

    d91afbcbd72ebb038ed9411d2a9c983f798cba4f1470c47b33c6af5f89b12b5dbaaf887d0f3ede21e8914b512dde4ebab09f9ea54b7e54d451d800e7dc94f224

    Download Submit

  • C:\Windows\SysWOW64\xswltgox.exe
    Filesize

    19KB

    MD5

    139b7d5bbec18f5ba616ac291baa3ca4

    SHA1

    21584c82cdbdc4f74b27a7147fb8b788d4e14510

    SHA256

    f45cbf7beec1789dd46784ac7c029d78b948ebecff4bba8ebe77d91d48aa1c0a

    SHA512

    8748034af4b690e5e2f4331bf77a1136386b159545bc72d97a6c9e6374c06ef9d7511532c827ba7286ff6526f1f8376055f9cf292ac5db96011bf29969b37738

    Download Submit

  • C:\Windows\SysWOW64\xswltgox.exe
    Filesize

    7KB

    MD5

    47195ee9b17c37a4a199cc22336361e1

    SHA1

    5432117f3e6e80d866decc62cf56ba107199cf37

    SHA256

    2daafda15ab03b0b50d27be7b2f3ecce934310e031aa9d3e0b6df0309d6c2654

    SHA512

    59a637a2ca5825a9bda3a322311bfb8507616e875065daa4a52a5d453dffdfc4e5f554ecd5548f0a153a02083e985d15e92986fb37eeaca45be0f7bacb638a50

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    42KB

    MD5

    d308290087571879044718368bcfb262

    SHA1

    28e8531efd9f1c9a7f31f0ce2db1a9b97834777f

    SHA256

    d2d8d61dd1d50b1130025079206813a07563dc376c710ec95311a3a251d8e9bb

    SHA512

    e49cc87dff457c336aa214ab343883109eb381dc2c8f680bbcb0dfb000a1bf6154ec9e83ca2b9e5722b3a7f89c90d19574a9f2d527a662b252b4bb25728edfb9

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    33KB

    MD5

    f8567df817d4887dc91cf71f4235315c

    SHA1

    d7e26967ae15815e8d8232f82ff543ecf873ee79

    SHA256

    2fb1824accfaec47c0ca25777a3ec1198a070bb8b347f34bc940544e959ac091

    SHA512

    12d942740883133f0a12e825560bb5c9656151b5c2bd01adb1c225fbedfd5af1a60166770f70d6aabbff5218c8841304030cf94f696263bbd836cb46e4f335a6

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    45KB

    MD5

    818d3a11ad59b2e9eb043f8b5e5540ef

    SHA1

    19e7c752cb10402c4ea8d77229a3e7191c175ef8

    SHA256

    1c844272f5ff7f732e436f6192f8e4409ac70203ff25570a78ec8339da715abf

    SHA512

    8aa9f3b51a1b864a02fc978b6402ebaa2f50105807a7dbf19d1655d9d1575d32dcf85d53d057a02058800b4bd28989e2ea70ca4e6ae26329ddb4a6907e7869df

    Download Submit

  • memory/1332-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3060-53-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3060-48-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3060-36-0x00007FFBAC370000-0x00007FFBAC380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3060-39-0x00007FFBAC370000-0x00007FFBAC380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3060-43-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3060-44-0x00007FFBAC370000-0x00007FFBAC380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3060-45-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3060-47-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3060-50-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3060-54-0x00007FFBA9B50000-0x00007FFBA9B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3060-52-0x00007FFBA9B50000-0x00007FFBA9B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3060-51-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3060-49-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3060-35-0x00007FFBAC370000-0x00007FFBAC380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3060-46-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3060-42-0x00007FFBAC370000-0x00007FFBAC380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3060-40-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3060-37-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3060-119-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3060-120-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3060-144-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3060-143-0x00007FFBAC370000-0x00007FFBAC380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3060-142-0x00007FFBAC370000-0x00007FFBAC380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3060-141-0x00007FFBAC370000-0x00007FFBAC380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3060-140-0x00007FFBAC370000-0x00007FFBAC380000-memory.dmp

    Filesize

    64KB

    Download