Analysis

  • max time kernel
    0s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/12/2023, 08:16

General

  • Target

    1167cca48c541a7c546a51ef7b0efd54.exe

  • Size

    512KB

  • MD5

    1167cca48c541a7c546a51ef7b0efd54

  • SHA1

    e4bd7e7168c108a2308c6cc400b0b7aa30622677

  • SHA256

    40a434f89c653ffee0f23c3ad025dee7eed96b19b963bc56e3f4cb45e3fac426

  • SHA512

    17b87a22708abfcaf2767e31f465c0727e5d1dee9949e7c18c7c98db07e9ea0041f7be8ee4d35c2168541c7942b49a19ef41edd4a71e51e167c2b30a9a11291d

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6W:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5F

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
  • Windows security bypass (2 TTPs, 5 IoCs)
  • Disables RegEdit via registry modification (1 IoCs)
  • Executes dropped EXE (4 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Windows security modification (2 TTPs, 6 IoCs)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Modifies WinLogon (2 TTPs, 2 IoCs)
  • AutoIT Executable (3 IoCs)
    AutoIT scripts compiled to PE executables.
  • Drops file in System32 directory (8 IoCs)
  • Drops file in Windows directory (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Modifies registry class (19 IoCs)
  • Suspicious behavior: EnumeratesProcesses (18 IoCs)
  • Suspicious use of FindShellTrayWindow (12 IoCs)
  • Suspicious use of SendNotifyMessage (12 IoCs)
  • Suspicious use of WriteProcessMemory (20 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1167cca48c541a7c546a51ef7b0efd54.exe
    "C:\Users\Admin\AppData\Local\Temp\1167cca48c541a7c546a51ef7b0efd54.exe"
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2496
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      PID:1636
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        PID:1524
    • C:\Windows\SysWOW64\klgizdrpqsbje.exe
      klgizdrpqsbje.exe
      • Executes dropped EXE
      PID:2708
    • C:\Windows\SysWOW64\ukrciglv.exe
      ukrciglv.exe
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2780
    • C:\Windows\SysWOW64\ggcodhoyjmbnrlm.exe
      ggcodhoyjmbnrlm.exe
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2376
    • C:\Windows\SysWOW64\wkwxeenrpx.exe
      wkwxeenrpx.exe
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Modifies WinLogon
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2964
  • C:\Windows\SysWOW64\ukrciglv.exe
    C:\Windows\system32\ukrciglv.exe
    PID:2700
  • C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c klgizdrpqsbje.exe
    PID:2984

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\ggcodhoyjmbnrlm.exe
    Filesize
    3KB
    MD5
    df2af516f75df6f168999f3c9b46ac65
    SHA1
    5b048e82d94f35a17e12159ecc92fcba075dfd69
    SHA256
    2e910def9f00b8c140881dc40b04f4733706a8cfe2c964eb40d9698257966da8
    SHA512
    7b20ad5885206a64b781f1f89e5c47ca9619333b30b0c922e144831e8375c331837ef1fd3476e60a297f74ed5a4375bb7c91ef9431e10af09f30e4bd98605738
  • memory/1636-45-0x000000002F941000-0x000000002F942000-memory.dmp
    Filesize
    4KB
  • memory/1636-46-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize
    64KB
  • memory/1636-47-0x0000000070B6D000-0x0000000070B78000-memory.dmp
    Filesize
    44KB
  • memory/1636-77-0x0000000070B6D000-0x0000000070B78000-memory.dmp
    Filesize
    44KB
  • memory/1636-98-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize
    64KB
  • memory/2496-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize
    600KB