Analysis
- max time kernel: 0s
- max time network: 106s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/12/2023, 15:31
Static task: static1

Behavioral task: behavioral1
- Sample: 2985538024ccd7fbf883fc62e5f43d6a.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: 2985538024ccd7fbf883fc62e5f43d6a.exe
- Resource: win10v2004-20231215-en
General
- Target: 2985538024ccd7fbf883fc62e5f43d6a.exe
- Size: 512KB
- MD5: 2985538024ccd7fbf883fc62e5f43d6a
- SHA1: dedc59f763fa208e197a649348d5e8f452948be6
- SHA256: 0f2111fb67cfd68f6993e7132253a9e6544402cc8cb7bf330f5144d7cdf4e9c7
- SHA512: ae76771018e130a7275ffe7ebda9913a2ae2b86e899d44605648b4937c12bfbd844b1a29fc713a840396f7abdcb4ca757c54b7950acddb7e8e0af36553beee65
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6G:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5x
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
  pid   Process
  4824  tvloinxpwe.exe
  1420  izxullpjzbxcpca.exe
  4360  qmkshbgh.exe
  4708  unyvtvzpmcxzz.exe

AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
  resource                                                                     yara_rule
  behavioral2/memory/2864-0-0x0000000000400000-0x0000000000496000-memory.dmp  autoit_exe
  behavioral2/files/0x001100000002315e-18.dat                                  autoit_exe
  behavioral2/files/0x000800000002320d-5.dat                                   autoit_exe

Drops file in System32 directory (8 IoCs)
  description                   ioc                                     Process
  File opened for modification  C:\Windows\SysWOW64\qmkshbgh.exe        2985538024ccd7fbf883fc62e5f43d6a.exe
  File created                  C:\Windows\SysWOW64\unyvtvzpmcxzz.exe   2985538024ccd7fbf883fc62e5f43d6a.exe
  File opened for modification  C:\Windows\SysWOW64\unyvtvzpmcxzz.exe   2985538024ccd7fbf883fc62e5f43d6a.exe
  File created                  C:\Windows\SysWOW64\tvloinxpwe.exe      2985538024ccd7fbf883fc62e5f43d6a.exe
  File opened for modification  C:\Windows\SysWOW64\tvloinxpwe.exe      2985538024ccd7fbf883fc62e5f43d6a.exe
  File created                  C:\Windows\SysWOW64\izxullpjzbxcpca.exe 2985538024ccd7fbf883fc62e5f43d6a.exe
  File opened for modification  C:\Windows\SysWOW64\izxullpjzbxcpca.exe 2985538024ccd7fbf883fc62e5f43d6a.exe
  File created                  C:\Windows\SysWOW64\qmkshbgh.exe        2985538024ccd7fbf883fc62e5f43d6a.exe

Drops file in Windows directory (1 IoC)
  description                   ioc                   Process
  File opened for modification  C:\Windows\mydoc.rtf  2985538024ccd7fbf883fc62e5f43d6a.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (7 IoCs)
  description      ioc                                                                                                 Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF4FF894F298268903CD6217EE6BC94E1445944664F6234D69E"       2985538024ccd7fbf883fc62e5f43d6a.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F368C4FF1822DDD209D0A68A7B9011"                     2985538024ccd7fbf883fc62e5f43d6a.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1838C67514E0DBC3B8BD7FE1ED9134CF"                     2985538024ccd7fbf883fc62e5f43d6a.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\CLV.Classes                                                                      2985538024ccd7fbf883fc62e5f43d6a.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472D7E9C2583506A3576A5772E2DDE7CF264DC"                   2985538024ccd7fbf883fc62e5f43d6a.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABCF9BEFE65F2E5837C3B36819B39E2B3FC028F4260033AE2CE429C08D2" 2985538024ccd7fbf883fc62e5f43d6a.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB15C47E5389A53BDBAD03292D7CE"                         2985538024ccd7fbf883fc62e5f43d6a.exe

Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid   Process
  2864  2985538024ccd7fbf883fc62e5f43d6a.exe  (16 identical entries)

Suspicious use of FindShellTrayWindow (6 IoCs)
  pid   Process
  2864  2985538024ccd7fbf883fc62e5f43d6a.exe
  2864  2985538024ccd7fbf883fc62e5f43d6a.exe
  2864  2985538024ccd7fbf883fc62e5f43d6a.exe
  1420  izxullpjzbxcpca.exe
  4824  tvloinxpwe.exe
  1420  izxullpjzbxcpca.exe

Suspicious use of SendNotifyMessage (6 IoCs)
  pid   Process
  2864  2985538024ccd7fbf883fc62e5f43d6a.exe
  2864  2985538024ccd7fbf883fc62e5f43d6a.exe
  2864  2985538024ccd7fbf883fc62e5f43d6a.exe
  1420  izxullpjzbxcpca.exe
  4824  tvloinxpwe.exe
  1420  izxullpjzbxcpca.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                         pid   Process                               procid_target  entries
  PID 2864 wrote to memory of 4824    2864  2985538024ccd7fbf883fc62e5f43d6a.exe  31             3
  PID 2864 wrote to memory of 1420    2864  2985538024ccd7fbf883fc62e5f43d6a.exe  30             3
  PID 2864 wrote to memory of 4360    2864  2985538024ccd7fbf883fc62e5f43d6a.exe  28             3
  PID 2864 wrote to memory of 4708    2864  2985538024ccd7fbf883fc62e5f43d6a.exe  27             3
Processes
- C:\Users\Admin\AppData\Local\Temp\2985538024ccd7fbf883fc62e5f43d6a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2985538024ccd7fbf883fc62e5f43d6a.exe"
  PID: 2864
  Signatures:
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 1380
  - C:\Windows\SysWOW64\unyvtvzpmcxzz.exe
    Command line: unyvtvzpmcxzz.exe
    PID: 4708
    Signatures:
    - Executes dropped EXE
  - C:\Windows\SysWOW64\qmkshbgh.exe
    Command line: qmkshbgh.exe
    PID: 4360
    Signatures:
    - Executes dropped EXE
  - C:\Windows\SysWOW64\izxullpjzbxcpca.exe
    Command line: izxullpjzbxcpca.exe
    PID: 1420
    Signatures:
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\tvloinxpwe.exe
    Command line: tvloinxpwe.exe
    PID: 4824
    Signatures:
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
- C:\Windows\SysWOW64\qmkshbgh.exe
  Command line: C:\Windows\system32\qmkshbgh.exe
  PID: 960
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 64KB
- MD5: d76d22b81130bc9206c7c947d7a9ea5e
- SHA1: 5956e88a6ec7949ce5a350e21703307d855f34b1
- SHA256: b96acd28ea28c51de470bf63ebbc33a346440fe63e236ab9f092e0cb3035b870
- SHA512: 112f4f23127929556f27e12a7979ebd1536af790c92f8ff7870a5b39470bd02d83fbf1697e7ab3eccebd71c44ae7bfbd1dac9c39fefa6e15a488baf840b8aaf1