Analysis

  • max time kernel
    151s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/12/2023, 03:52

General

  • Target

    03fc9e8b77254aea88e4ee6874e6aa16.exe

  • Size

    512KB

  • MD5

    03fc9e8b77254aea88e4ee6874e6aa16

  • SHA1

    37ed01e12640426729ec3445035421cae398e9f3

  • SHA256

    67ae1cb8fb6f1617dfb89958e55245dc791d41f8e3b7af48b175543f243ee46e

  • SHA512

    31633112a32d70680d560e97b93994cdcf15e25973b6062558c1bad4100137e926e27742e4775b3f289464cb39b2314ba93e83895c4ac55fa8da5e0e22ac2f1a

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj63:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5a

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  • Windows security bypass (2 TTPs, 5 IoCs)
  • Disables RegEdit via registry modification (1 IoC)
  • Executes dropped EXE (5 IoCs)
  • Loads dropped DLL (5 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification (2 TTPs, 6 IoCs)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Enumerates connected drives (3 TTPs, 64 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon (2 TTPs, 2 IoCs)
  • AutoIT Executable (18 IoCs)

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory (9 IoCs)
  • Drops file in Program Files directory (14 IoCs)
  • Drops file in Windows directory (5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings (1 TTP, 31 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of FindShellTrayWindow (18 IoCs)
  • Suspicious use of SendNotifyMessage (18 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (28 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\03fc9e8b77254aea88e4ee6874e6aa16.exe
    "C:\Users\Admin\AppData\Local\Temp\03fc9e8b77254aea88e4ee6874e6aa16.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Windows\SysWOW64\xgzwavpjrp.exe
      xgzwavpjrp.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\SysWOW64\ommhclbq.exe
        C:\Windows\system32\ommhclbq.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2160
    • C:\Windows\SysWOW64\kmvdbkdbcmjfchu.exe
      kmvdbkdbcmjfchu.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2904
    • C:\Windows\SysWOW64\ommhclbq.exe
      ommhclbq.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2896
    • C:\Windows\SysWOW64\yhtlqvbymasie.exe
      yhtlqvbymasie.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2680
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1476
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:2908

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

      Filesize

      512KB

      MD5

      280a4151d11b174c7e96ecd9149f00dc

      SHA1

      414d50f9c860fa6f1d156d3c66f214cdee6e61bb

      SHA256

      263f18cbb1601a4d6394f346c3a76729b059c7ceaad164509b0598e36c15044e

      SHA512

      ddf04e710c4c22790fac4f3df03f2b888fcd78b2c83007d809b0094ec49bb2bcb0b0c6efce4cd4fa42d8d845f4c08c8d62f038bcea5db87a6a1f1fc342ec67b7

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      9488267b308a7f8cb1b03914d874bea0

      SHA1

      cc06caa98953d33784270c13ed55d80760593c69

      SHA256

      a39a6aa71cec8379565efd8b2c4f3e62d306e1c400a60d17bb9d7bcfcaa29aad

      SHA512

      498b403ce903d1a48bcf882bfe304c809547209c3a8633cb75d9d0f3e185c7bb5103ddde48579111f9693e43b6db531f26a155f39f66f7a8d0b8237adf1a88cb

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      0f75b80be9265b8687fc2fa7ea837eb4

      SHA1

      5503df85735e6e4155c687cae14f008bdc4b8590

      SHA256

      1d743e2a9af1a8a4d426e49f83b7752bbaf53492ffeef8ebbfc02c8e229f8b4f

      SHA512

      23b263818bdde92b08fa51b19a541137b21c7b1b22f6fc8c6826edbb14f216cc07a6b983797f8a9a46f7e3c1518ebf38315376ae38c17d838614723d95684f62

    • C:\Windows\SysWOW64\kmvdbkdbcmjfchu.exe

      Filesize

      254KB

      MD5

      3941239db066a3ed76078dd3a3ac364f

      SHA1

      e1a61e2e5d3bba55800cf0b3be7880754bbfd087

      SHA256

      53edeba2eb0d8b218a6ae22bb1ede3915ceba8d3c9b092b2a82724113318093b

      SHA512

      49542af31ff65c072adef459989ff414171f56b1bf74b8e13e4d919beeb806fcb3aaf85ece46b94b2a58401e1b35428767a5a6fe63b475f85f77b74fff26b678

    • C:\Windows\SysWOW64\kmvdbkdbcmjfchu.exe

      Filesize

      131KB

      MD5

      29167f1855ffb1fa96aa26dfbfe523c9

      SHA1

      77c0fd06d2a875ed30cc35744170596e334e55c9

      SHA256

      a436b043dca9e92c152624db511704944b3f3cb542e3d7be7082c045248dee48

      SHA512

      1c06b6fb421e7ea47f4c37fd531b5e72c2edf7d31327f4dd2567efbd377a2f0ed0631ea26df27763c4a9ffcc9eabb059a51a2058c954eeaa3a1e6001062d1fbc

    • C:\Windows\SysWOW64\kmvdbkdbcmjfchu.exe

      Filesize

      291KB

      MD5

      05522b332ef9b702c3e8610547c0074e

      SHA1

      df969dc482c431c3a12da3305442674c13701061

      SHA256

      830b639c96425a90a2a6e8ce0869390add23362e24d99b038e1b5e8d0747074f

      SHA512

      a929450065eed6a405f6cfb9b225d14869494fe8d8b456f4ffb45af2328f063f3856b0c50eae45b777781f4beba2150065d6641109f1dfd7f77d0d97305dcdc0

    • C:\Windows\SysWOW64\ommhclbq.exe

      Filesize

      203KB

      MD5

      90497b7e3b6fd02b3f702dc55dcda345

      SHA1

      bf240fb388fffef09b88ae231ce9f30c84566e2e

      SHA256

      8d48db005800e778dd46d75b4bcc4f181cd5570bf405f907c98436de4571ddad

      SHA512

      dfaad016e9167f6d78a404aab396d17d79ecd1eeb4d90280ef849db72666abb73d4fe24db2a42c355ac5851a477c0f3b860e06c3a88166bdba459090026458d0

    • C:\Windows\SysWOW64\ommhclbq.exe

      Filesize

      207KB

      MD5

      a2453eb54a08ee035215e7ea2f1c9fc1

      SHA1

      8aabc4aab6f74fce2b62df294668425e165cb90f

      SHA256

      945e4e78331f39941f7cfeb0191a6b7cfa771b5ea833d1b340e2be16335bfa99

      SHA512

      f593f84fc81815070f6d3a2b7586f663ca346144069091227067179e0b3a6ac9531bfc992c2f58464044ead5285f9e347c85900e3f07481d77cd7760662c8eb5

    • C:\Windows\SysWOW64\ommhclbq.exe

      Filesize

      68KB

      MD5

      1cbc202762f261d511dd5cc80b12e230

      SHA1

      1608c0b358282a41c14904cc637c28fff59a56cc

      SHA256

      63113b75978f7681fadac580ff1a539cd1b12df0633a13eaab86540f0d5076bc

      SHA512

      29b84672ff492b24c5299dead1f2232f603be7f6a793a6eda73cc46ac423e8467f160570107c453ff311f70be21ac4fed9b3770dd3aa635a1d1d3dd2285eada5

    • C:\Windows\SysWOW64\xgzwavpjrp.exe

      Filesize

      150KB

      MD5

      149f2685d35bb08ece34182582b2c3ff

      SHA1

      209dcd2044196d7d949c92c5954e89cdc1b6e5e3

      SHA256

      dd7b8b4f85a14887d0d80c6a1174df43c4c831f938d270928fbf48552ffd7897

      SHA512

      9a28c695536eaad31801c739b4d5f16b5d5a1aabb9662bf31a41007c7825d338981c0742def7e365d3eddc1877f6b30d7e03cbb5e990e6692e04cef3323fd3a1

    • C:\Windows\SysWOW64\xgzwavpjrp.exe

      Filesize

      168KB

      MD5

      7e31e6cebfa61cd36e38f2d5fbcf7212

      SHA1

      b8a07a77a876c1e458653600d0cd310d467d64c0

      SHA256

      9a230c93bd6828b01b5dad3686466c6a6f502a2f36d707b2555320095103a2be

      SHA512

      e5d346f612cd961ab20659874ce0d419685c538a0064b876ea093683db9b5147065b70d3e4e9752a436389002f1f94c173a00557e11013c0d45f2fc2b077fbef

    • C:\Windows\SysWOW64\yhtlqvbymasie.exe

      Filesize

      237KB

      MD5

      10bfb91d70ba2b4f7676d8f4c43b8c54

      SHA1

      4f302de4ad2b159134e15bc31cffd8809ec47b3a

      SHA256

      7b98414d60570c5b34c9c8986974fa134d851649e1fba2af1f3982d00045ac7e

      SHA512

      cc738124a316237c479a3b472b7910e21e9fed601c06034806eae8c5aa008fcbf203491e9086be10ec3d0da6824fe0d5cec01e79deebe2d6944b771baeee16cf

    • C:\Windows\SysWOW64\yhtlqvbymasie.exe

      Filesize

      179KB

      MD5

      61db19c3df0070b85b469b05ba82ea9b

      SHA1

      a0dff8496744a474766a1c0a43a93885914c0ddc

      SHA256

      2391c03b0f0e6976e50a421ca3f63c1bfc4eb75f6b58456d8c1139329c641a07

      SHA512

      013473b51f74aedd6b228b160451afd71912e9f7211751095c49edb63c29e67666bce83cf53a8cb497f4f461bf22347306f7cb599651ad0a4834361da5c25b16

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\kmvdbkdbcmjfchu.exe

      Filesize

      304KB

      MD5

      8733cff65a9617c8a34ce79990a7fb1e

      SHA1

      11ed731bfec300f5cd5ab89974abe987e1a76e97

      SHA256

      e93bf9054f10a4b29c49310a01d5bbe4d50be69b04c9858561cf9c508b7338e4

      SHA512

      505b6d179497b62ad23d430edd686a583d34d821a406fcf776e5263e93f0b4b0420bb9f1dd3d1f90e86b30793a1081e80fd7fe05ade603438eb6340698424687

    • \Windows\SysWOW64\ommhclbq.exe

      Filesize

      239KB

      MD5

      98783c97b9929c03723926491849ec17

      SHA1

      0c3fd01c5f85ff21fa9f5a86c9621f3bd8bfb8d4

      SHA256

      535fb2fb0ae48e62308910f993dc8b11bf24a5b073fdf0a84b0f1552ec4a577e

      SHA512

      1adb4c3f95d58674c76d1bbe47a20e72fddfdef29b98947e1760e73dc280461b2317eac39655a9cc6327ccec9f445b198ecbb4b2d5a9782028a54fb2f76d7d10

    • \Windows\SysWOW64\ommhclbq.exe

      Filesize

      112KB

      MD5

      5678fd122b85610878d147402a96077b

      SHA1

      63de6e8b9bb117846e2dbee6f1b716e09aee2d95

      SHA256

      835396d9a346b0917a4a1171b7098e0a9c38c99dc935ec9b7ea82eb2c2d0810b

      SHA512

      f15b41e028eee15569335c70ea7b7253efab99a886445d3b556ae70d582fba172d32f4d7a8826f9c0ccbfb01a148e9924d8a37a2d89e5f8164a8199fcc4dd7f6

    • \Windows\SysWOW64\xgzwavpjrp.exe

      Filesize

      330KB

      MD5

      ae9fcb2c1054cd9c50f1c21e12603b82

      SHA1

      60308b676fa642defcc7dfbaae75d2eb2130b7bb

      SHA256

      6284a4614272915fc7f27d4c27ad4fed45ebeb9e9c3392915fdbd61505fb84a9

      SHA512

      a7e8d895b097e5987512d6bdcd5d8ec2b8f9d787742d2b7211da7d94ddcb969001907c9245b6cb2b0da9fa5317f61f0ab04c3778b4621ca00e8a3e4bf8e63b78

    • \Windows\SysWOW64\yhtlqvbymasie.exe

      Filesize

      268KB

      MD5

      c9011ef3c1b82b5249319d8138e749b6

      SHA1

      410c9a96ce79c6e90fe6163ac77192c5517f9b8f

      SHA256

      6da9ff0f79e6deaec5d7c80e46c55888d12f18a2bea2e4859b12510b2ec981e5

      SHA512

      b589861273ff13f0e1724a3ae266ba864c49914a324018dd654a91a514d8c435d9a5f70971082183bce1c92157c8b9afcbdf327e95683e8e52d768609ff8e512

    • memory/1476-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1476-47-0x000000007174D000-0x0000000071758000-memory.dmp

      Filesize

      44KB

    • memory/1476-45-0x000000002F351000-0x000000002F352000-memory.dmp

      Filesize

      4KB

    • memory/1476-81-0x000000007174D000-0x0000000071758000-memory.dmp

      Filesize

      44KB

    • memory/1476-102-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/3016-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB