Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/12/2023, 03:17

General

  • Target

    0276f65dff093433bc35b40d852e5825.exe

  • Size

    512KB

  • MD5

    0276f65dff093433bc35b40d852e5825

  • SHA1

    77bb0c664fc7515d461e43558aaebb76fb154d91

  • SHA256

    4af568f0576b3ec963aeaed7bf5f0887adc3381128cff58964b19b58a86a1f6f

  • SHA512

    dff66347db146d9ba8bc02376bad874c921de1e340666798269af2d5395ac43e2b8e0a656cd6bbbab6c4353f67887a7f7183dd46f32182dbe72ba5a978083524

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6f:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm52

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 12 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0276f65dff093433bc35b40d852e5825.exe
    "C:\Users\Admin\AppData\Local\Temp\0276f65dff093433bc35b40d852e5825.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Windows\SysWOW64\gqewpjgtwb.exe
      gqewpjgtwb.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\SysWOW64\efrdlecy.exe
        C:\Windows\system32\efrdlecy.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2132
    • C:\Windows\SysWOW64\lwtuhjtniwyykmh.exe
      lwtuhjtniwyykmh.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c yrpozfvpdqdjg.exe
        3⤵
          PID:2672
      • C:\Windows\SysWOW64\yrpozfvpdqdjg.exe
        yrpozfvpdqdjg.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2748
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
        2⤵
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2752
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          3⤵
            PID:2868
        • C:\Windows\SysWOW64\efrdlecy.exe
          efrdlecy.exe
          2⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2768

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

        Filesize

        192KB

        MD5

        110f40dbeb901f612cee1dc242fdb309

        SHA1

        0d668d172ef81b3f17c1f870513988629c697600

        SHA256

        2776ac73ff5e792a5a804395643f25e611d6eb66037ffd261caacd95ae084b82

        SHA512

        076fda5dfa04f3c443f91657f607ef768185b7753767eb70d557635d398a76f85c8b3c19c7d864f9c342ced1af18c9c98f6f4da4b7bb86dca104230fa71b6df1

      • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

        Filesize

        166KB

        MD5

        5ad5bbc4f36b4b929e6dc4767f678b61

        SHA1

        62ea0b683a614c1216089f7291216d593cb66162

        SHA256

        510d15aad650d105aeea2ae3ee9a5725e88f2d544c30bb121c0d77e911c6b235

        SHA512

        40d351d1bfcfc0f516bafabe16abdbed1fa9ad4fc9f8fb3ee36dcffece1da93e725aaa7a14cec1c04d8fc6b6eed9000cd5e14deeea7ebf244b19695128720775

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

        Filesize

        20KB

        MD5

        4f5e4cf993930d936a59df4d31acbc7b

        SHA1

        cceaf2f8290951e8e94568a5205ff5ccaa42fdd9

        SHA256

        7861492763a8c2279cb368ae74de04d6974c98c695454c5e1176f3740cd3edb0

        SHA512

        56528bcdd133fb663b3860b3a518d421234e0d92162f6cfaf7405957339e36ae17ce2d31d0b67ff07a50c33952cd9c9f013d7058fa0c0446f5d82821d9d6084a

      • C:\Windows\SysWOW64\efrdlecy.exe

        Filesize

        512KB

        MD5

        d48ab50937ed31e0f349f9cbdcd733f6

        SHA1

        709123c4e684fef7e0e0824af64e3ac97e8f675d

        SHA256

        a5f631d22697f1f18841c495067a14d7bd80e791fb3efea1dc5492eed7d20dab

        SHA512

        0f91b871bb547e00cf4602d957af053cae65460409feaeae43beeee09bd559f6c0fd0447abce82ec5ae6db85238d08ac9f96a78159b27796076d2aac4a8667e0

      • C:\Windows\SysWOW64\efrdlecy.exe

        Filesize

        92KB

        MD5

        6662b185f19fbf697c56a25c92de7961

        SHA1

        0df0c0df0de3724258df2549c583e3c934aca726

        SHA256

        c11edb9e97848e20319fba876d9382c7193f68323eff1f7ed805bb04303bdc86

        SHA512

        c6e2cb83f68a63ca299dae843d2697d41dab8b565fb4005755b0d255b388779b6c1dad97375009c995f0a3d2e0acb4cc820090ca5dc24ee11e1a3de5b1a4921f

      • C:\Windows\SysWOW64\gqewpjgtwb.exe

        Filesize

        384KB

        MD5

        0e151ec3919b72f9a6c7fe60d10f4ea0

        SHA1

        91fb01badc6db9808233ff95abf39c37982a8c85

        SHA256

        f644299fe8f10c5f3e24c1943fc808270b5d4f853e2316abf091c8d18344193c

        SHA512

        41d25f82ce04a14c21d19a9ad2d12663714221b6ecb1c3ee579a4a134949de0bfb3e6212e9acf97d0659d50e7a034dcdc103ecbedd8a71fbfefdc30f5728c12b

      • C:\Windows\SysWOW64\lwtuhjtniwyykmh.exe

        Filesize

        320KB

        MD5

        40eccbf82b7b8fc916befc4f91646a41

        SHA1

        9b26728b4c732bfeb504f70ab523d90def972d37

        SHA256

        1dc118e41bf637830be03d9bfe6d57960cf8dc9dbe9c8302a78e3406285bbaaa

        SHA512

        4714d4a188098bfac7feb042ef4c6f0236e826c335c740df7f47d60f0e70d50c5eeaf73e1b94afb0408bd8c6b5ef6fa9d49577a6ac214ce115f4b6db0b341cdf

      • C:\Windows\SysWOW64\lwtuhjtniwyykmh.exe

        Filesize

        512KB

        MD5

        65d61752ecdc1f463205659da1676dcc

        SHA1

        0c13bd2a32424d900654a48894ee8df1d321517e

        SHA256

        9f60eacd12ce74a7cd8ae6ce442dbb3569509f7292c6d180bdfb7dabdd3e6eca

        SHA512

        32f816520f1daf414e3cd2ab8fe198ad923e81586592e618834a8f8c4e8c9c5de256007c9280bf32590b18a165ea1876041a07c8f41185e7e59a98b436365df9

      • \Windows\SysWOW64\efrdlecy.exe

        Filesize

        85KB

        MD5

        27623bf17711551baa843bbab18a4b07

        SHA1

        2d6d50bab42c5defdd9bdf3f14fb826853558392

        SHA256

        6a2c1908feaaa4585f579f19881c7fec6c64bfe38500306f55eaeb5fa0a7b368

        SHA512

        53f01abdb0a6c91cedd6e7bb705ad27f9dfc89722bd6bb07ad9df87ff00ca5c9fc6764706ab6edc018fd90f519cf4d12af670416b3fff7cee5e6aca87e9f153b

      • \Windows\SysWOW64\efrdlecy.exe

        Filesize

        91KB

        MD5

        45919c63699643c76616ebd5003d3c7f

        SHA1

        8b3a793ac7b62244d18fe49c548f6d0dd5f20b5a

        SHA256

        f2cd726bd32c1aa89c38bc0b95fd8c47873ab1ef5bc8194fd04885fd76ac9e77

        SHA512

        41bbabacc22a42afd857735de38345818a8caf8aa6d902181c22f30a696826adfe74ab2350ec0c124c4130b103aa4f6db290c57d13e4de9b3b5f4b1d7dfbc8bd

      • \Windows\SysWOW64\gqewpjgtwb.exe

        Filesize

        512KB

        MD5

        9670aad22bc46978e58e36bf34df130e

        SHA1

        a9c35137406fa364ad92658331717c2c9b86cb98

        SHA256

        f905dd6b43752ba9da912d6b8a424b65c8e11594208735276f8165bdf6d10787

        SHA512

        8bce46da9c852422b955b23edfd45e741ee7779aab3cc9a9b8c3e66e0bf191d950d849e8d1228694184191adb45543efbafdc7cd22cbdb51ee4869909580a7c1

      • \Windows\SysWOW64\yrpozfvpdqdjg.exe

        Filesize

        512KB

        MD5

        2223b58f09569f236db8c62484d6504d

        SHA1

        857dba76a23f00bdde56550179d57c041d0599db

        SHA256

        3dfe8fe1d7d8c6769050615f45fac6bc05b80e3b0fa09b15f973a7350315be9c

        SHA512

        6f17a6d6f499b87413b858f4c1db807ebbe597da91b096d798b827cde2316f9931b97a0dfec3e45861b05078ee6e16f49dcde937594d260117d0399c4fe2b082

      • memory/1720-0-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

      • memory/2752-45-0x000000002FC81000-0x000000002FC82000-memory.dmp

        Filesize

        4KB

      • memory/2752-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

      • memory/2752-47-0x0000000070F7D000-0x0000000070F88000-memory.dmp

        Filesize

        44KB

      • memory/2752-71-0x0000000070F7D000-0x0000000070F88000-memory.dmp

        Filesize

        44KB

      • memory/2752-93-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB