Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5

21683aef18...e9.exe

windows7-x64

10

21683aef18...e9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    156s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2023, 13:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21683aef181b87eb95f9bd10a7c129e9.exe

  • Size

    512KB

  • MD5

    21683aef181b87eb95f9bd10a7c129e9

  • SHA1

    f62e26da896e841e6c96615add344170e3dc67ca

  • SHA256

    1ba03c3750f8cddea31a0bb897cf00eec2c5102a676dc70fc4e93464425dc547

  • SHA512

    1d7dcd0b77c962611a51a29483e0d72c7ad57df087b8f959ad04b9d992ebbdae080cfee3118aeb045e04976d1c2273f8ca92708595519a8290bb915efe85ddf5

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Q:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5r

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 16 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21683aef181b87eb95f9bd10a7c129e9.exe
    "C:\Users\Admin\AppData\Local\Temp\21683aef181b87eb95f9bd10a7c129e9.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3640
    • C:\Windows\SysWOW64\ydzxupilis.exe
      ydzxupilis.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3960
      • C:\Windows\SysWOW64\vawgdssj.exe
        C:\Windows\system32\vawgdssj.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1328
    • C:\Windows\SysWOW64\ytnsrhdfgzkreie.exe
      ytnsrhdfgzkreie.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3428
    • C:\Windows\SysWOW64\vawgdssj.exe
      vawgdssj.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3296
    • C:\Windows\SysWOW64\ovjoqcfebsata.exe
      ovjoqcfebsata.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2112
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2792

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    81KB

    MD5

    52c61dcb071a9b6ae81e0e35e5093cd5

    SHA1

    4a4b2bef78246e204a502000501719dce685a272

    SHA256

    e6d0c3d8e00a8de1ded31e8e79047114f1e1611767461b8116dd0f155548fd40

    SHA512

    d4e37a8289204037140bf56e571437178b2d82e44f194272eae2158eee473de5be7703bc51c779fa213359b4a595541c7e9d8416e17cd73fac9ffce320fac7a1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\CompressGrant.doc.exe
    Filesize

    118KB

    MD5

    35bc43784022a1bd182cec562c8944fb

    SHA1

    da69dd6f5dbcd6512ccb9c917fd6414496e5621a

    SHA256

    eb0ee88788037c9d3a8916f2013bc73c274050d25ed0232151f9b6afcc2b2a2c

    SHA512

    e421cfe0900b8f10340a816b6c2b82693fb2f7ffca40513c72dfc708d725cf42416009e2289d6914a7292f190ca2aeb798bdb880dc39da267583507e08dbd03d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\CompressGrant.doc.exe
    Filesize

    147KB

    MD5

    36034e07499486156fe0d8c141544cd0

    SHA1

    af6e08f0e14b9e1f7c5836625a7c6285111e7899

    SHA256

    4574dd3f2b689e68f518e4fd84ae42597e59024fd4b57f5168114b531742264d

    SHA512

    5e77654c34ad2e30320a67c1fe1a52906b1ef98fb57090e1505fbe217a92aac14d95e8a3546f2f61453fe79c2047e903e2f9ac200f271827b230ced1b048b3d4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    bbaa0e5000a7d06522209b52d57f3138

    SHA1

    586b648aa56c3941bc4cc065c024604543412671

    SHA256

    e6867438f1e0138cef1981f9b03f2914b695622c152537560a782748d3cd51e5

    SHA512

    91a113f85abd0f572160d4ae31345a83950a2f8732b30bfea8212f21200d242a76ecb1b0b0beac4c978ae9027bae68f9f2247be2d5c4d4cbc752111a2e60bed6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    a719f7e2fde01538840ba605c000b7f5

    SHA1

    16ddfc6a4632b85afcad7bf0630fdf5c9fcbf41b

    SHA256

    25da3baca11c20281f55c94aacb88095b2a42dfafad487c07ed7f4e7178e4280

    SHA512

    d5848d0cba091769b261d9ce8010a5a1200cb8271094ec38f122f15f49631341846130ed7ec4c36c4ae6139e93866506acb99bfe9da2b7d13e8b0cf8d9567ec4

    Download Submit

  • C:\Windows\SysWOW64\ovjoqcfebsata.exe
    Filesize

    133KB

    MD5

    46fecaf416921ff5c7c3ace50c9b31cc

    SHA1

    a287ff35aedeba1d1d74e5a8dc69cdb743b41bdd

    SHA256

    7c0682f878e00d7063bb513bab197322f631fb46900bbf85dff9d83a7c92898d

    SHA512

    d67c60b4a9fe61330d8a8281ce502967ba637e946ce0d829f63afb4833fbd5d3d209d9943c20ace0252b4a954934029c7cd8234ccdd55f25d70b1a80eda56ed7

    Download Submit

  • C:\Windows\SysWOW64\ovjoqcfebsata.exe
    Filesize

    149KB

    MD5

    5a1366d811460096a3c3f9960094826e

    SHA1

    73404ca8a2aad03e5abf7adeb6cbb311b2cf6a0a

    SHA256

    4e9231d36d7c9aadd6a627de644ddf942629f80c1d33739a9cdded3380bfca92

    SHA512

    95d7b50fe24e86d40df88c6c7c2c57c1e2a9575c3922316dc842e3cf41712b8f511a6602e83aa43b45e819dd85a0b853340e47055ea5d8e00794344328cb58e1

    Download Submit

  • C:\Windows\SysWOW64\vawgdssj.exe
    Filesize

    252KB

    MD5

    427c4b4034d4273e2c6fcf1dfef094ef

    SHA1

    5e210f6aa2576597125d6448efeb01c28aecbe91

    SHA256

    dea93c89e7a836fcccdf783fef731435159335b2cbd06d825a3a10e2f622e158

    SHA512

    2c9829ef28dc349593d574a93b442a5f89e42b66e705b54d7799ac5f427d4f5365a7fbe8580af7b1a53b2a5b29a4c02e1db6d52b5187d809134c83c132ea993f

    Download Submit

  • C:\Windows\SysWOW64\vawgdssj.exe
    Filesize

    225KB

    MD5

    c11378b311208ac18b8b2b360aa5d422

    SHA1

    2a58d15159b55e84e402879b826bced5b5614aa6

    SHA256

    531251044f3aea586a9b39560637987120ccc90a7878855d266fb80e106bd4d9

    SHA512

    9c685dc11aec7af5feccc6595c579cc1c9d76d4157b2bdd9f192a9ca980a3777a211151ed77120b20000cd1ad42a33619610e3d06cc0e7f915ba7169ed9e9cd4

    Download Submit

  • C:\Windows\SysWOW64\vawgdssj.exe
    Filesize

    23KB

    MD5

    79044e71df7913e2faa4969638092572

    SHA1

    eb626c325e64c69a9e343cb47ffd8ee2acfda1c2

    SHA256

    df76a687e9b860f0ce7f1a660cdae6191fe394a31cd0206745328b5793e1ac29

    SHA512

    eb3ea3cb579b89eb22e93464fb545e622fd375932cacc45e68da66ce5aed2660a97cf9adb68d5474656903b68b519e3a89ba56474f926bd5376bb2d1eb67c759

    Download Submit

  • C:\Windows\SysWOW64\ydzxupilis.exe
    Filesize

    166KB

    MD5

    5bb54e851d24722dfe04da6917ba7337

    SHA1

    6b4be7d52880042994495af5ba4e9b2f10c3fa6c

    SHA256

    755579e3036344c33aa95ea660e07a19b973f9c317c220513945bdc458ecf897

    SHA512

    db4d9763227cc483e343422233e9be2a0d2142bbaf6adf5e7b0bb992b2394e3b2646ed3e103791605ca57f090c42ba04055ceb17a25da58dae1aaf93b8e3f592

    Download Submit

  • C:\Windows\SysWOW64\ydzxupilis.exe
    Filesize

    223KB

    MD5

    bb8cce72eba0524ec9fca1766a35288b

    SHA1

    3466edbba800a500cd054577aa37887c18eac35b

    SHA256

    c15fba6fd271df48acc4403ed0594f946a89a860bd9e9ea25e84e2faee9ea68d

    SHA512

    d1724ed0ba4054d8af07fd97e4551220e67c6d25c8c28527720ccf699567fe8a35e293ae4a2a5c4db48745e6a0a9246f5910628a915b0711f890fbc3c2a88a31

    Download Submit

  • C:\Windows\SysWOW64\ytnsrhdfgzkreie.exe
    Filesize

    147KB

    MD5

    7e9eeffa8ac6aa40151908e838e20f0b

    SHA1

    d42443edbe07f64b083ac32d9a3542414c8541fc

    SHA256

    3d2c1c8a86468a563b8c2e6da0847f2a7d88220b7cd7a9d96baf89ee745f4c5c

    SHA512

    c0d421e5a3d23a02d1422b3ec44647643b4e5361c57bec51a0123e9495cdbc55e7ee2e226caaa35bff1f2617dddc0033746bc88dba4e0a2c11b54706daef4a7e

    Download Submit

  • C:\Windows\SysWOW64\ytnsrhdfgzkreie.exe
    Filesize

    202KB

    MD5

    89fe729bcb215793cf6036b989a7cb02

    SHA1

    3e4e54a61855771c986735bbc414baa243026fd8

    SHA256

    a306a630bb6be2eb90bf99e1171b5130043f9ab587b928da3dcc74c47b8c5040

    SHA512

    3d19e7615d33f350f4e181f9e64c3794e27e2977aeeef2399b94dee975206b090fd520d06fc1913799350e3eec5279cccedadc5a12434e094be2cf3d011419b4

    Download Submit

  • C:\Windows\SysWOW64\ytnsrhdfgzkreie.exe
    Filesize

    33KB

    MD5

    a50e4bfc86e047ac28faf07f1af917f6

    SHA1

    e200ed4509d6d1c6bb2282104cfe23f17cde0883

    SHA256

    77fa6f724d498f5e839d8861e91bd706e9a012cba113ada6c3a11e1005929c2e

    SHA512

    9e6db0f0bf437d725588f6c814236347ed0894ba24811d1cf82115134da5076a7f5bf47fbbca77dd8eb9d3358a95f44fedac799c1acab1c6e1cebd7641c8d752

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    4bd769a0d47461f17fb8586697dbe098

    SHA1

    42650e9de8cd31101e262f311965b0bd7160e907

    SHA256

    b60616c12293625897b86a6975913299f68456f8aa2c89ccc737e7b86d04c815

    SHA512

    4f30c24314572b480622b19eefb64bfd71f4fd982367b66e1b40bde035309be04887fe37d33eef32764b55304cea47d8d2f458e36bb0087a821c189dac497112

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    fa61eb7cee1877d5d6cd5b50543553d5

    SHA1

    4631db042db6e0b535f57516cd0a2dc5e9461bdb

    SHA256

    01c47346825e13d591dedb21b79ab65a7e24250de9048353835f604feb2c0b85

    SHA512

    c15833842112368e5b0c2b1bfca1cb085ea70aecc194c6aba99750eb141c5273736eb5ee7f875feecc6c05639ecba7f7224253c6cc6dd3337646877a28ca7052

    Download Submit

  • memory/2792-40-0x00007FF86D4D0000-0x00007FF86D4E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2792-46-0x00007FF8AD450000-0x00007FF8AD645000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2792-41-0x00007FF8AD450000-0x00007FF8AD645000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2792-39-0x00007FF86D4D0000-0x00007FF86D4E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2792-37-0x00007FF86D4D0000-0x00007FF86D4E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2792-51-0x00007FF86B000000-0x00007FF86B010000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2792-38-0x00007FF8AD450000-0x00007FF8AD645000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2792-52-0x00007FF86B000000-0x00007FF86B010000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2792-44-0x00007FF86D4D0000-0x00007FF86D4E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2792-48-0x00007FF8AD450000-0x00007FF8AD645000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2792-50-0x00007FF8AD450000-0x00007FF8AD645000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2792-49-0x00007FF8AD450000-0x00007FF8AD645000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2792-47-0x00007FF8AD450000-0x00007FF8AD645000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2792-43-0x00007FF8AD450000-0x00007FF8AD645000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2792-45-0x00007FF8AD450000-0x00007FF8AD645000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2792-99-0x00007FF8AD450000-0x00007FF8AD645000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2792-100-0x00007FF8AD450000-0x00007FF8AD645000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2792-101-0x00007FF8AD450000-0x00007FF8AD645000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2792-42-0x00007FF86D4D0000-0x00007FF86D4E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2792-141-0x00007FF8AD450000-0x00007FF8AD645000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2792-137-0x00007FF86D4D0000-0x00007FF86D4E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2792-138-0x00007FF86D4D0000-0x00007FF86D4E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2792-139-0x00007FF86D4D0000-0x00007FF86D4E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2792-140-0x00007FF86D4D0000-0x00007FF86D4E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3640-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

    Download