Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5

3046f693f0...b2.exe

windows7-x64

10

3046f693f0...b2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 17:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3046f693f07ef5720f685bf2b586fcb2.exe

  • Size

    512KB

  • MD5

    3046f693f07ef5720f685bf2b586fcb2

  • SHA1

    dc28149b45cbdc89ecc8daa2af16668a3bf037a1

  • SHA256

    77ff0c8a05d5ceab36fd6e15403c82b5749f67cee085fa99a41d10e6886e770f

  • SHA512

    a8ebf07b59cb28277b4eeb14102b7289128fb3fa3849698c6fb65c9a9fa110770376248d96ba3f524b039cdf406429ea3ecbe0c66c334ab6c74d806e87241440

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6W:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5d

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 14 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3046f693f07ef5720f685bf2b586fcb2.exe
    "C:\Users\Admin\AppData\Local\Temp\3046f693f07ef5720f685bf2b586fcb2.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\Windows\SysWOW64\zrivutddov.exe
      zrivutddov.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\SysWOW64\oysrrpki.exe
        C:\Windows\system32\oysrrpki.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2584
    • C:\Windows\SysWOW64\vhoslazrxwybckj.exe
      vhoslazrxwybckj.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2736
    • C:\Windows\SysWOW64\crvvpqutdfvvr.exe
      crvvpqutdfvvr.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1920
    • C:\Windows\SysWOW64\oysrrpki.exe
      oysrrpki.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2348
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1364
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1616

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize

      512KB

      MD5

      0feed29195d959e353de1e9910679f58

      SHA1

      850c242672dfeec2a0cfd67ac871c136785565b2

      SHA256

      5923204b5ca7bbea64fac7756435e448a267134aacfec9b18269794b8ee21e5a

      SHA512

      562404484b1a22849e7dbd65827f2a02b13d197639622b8219362cf2d0e6b1f5faf54d8f97595dd2e3ef8e26ad1c9b19405c4df76e0d1dccb9baa814264b3867

      Download Submit

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
      Filesize

      512KB

      MD5

      ddb5cd19014d1889557da16d4393984c

      SHA1

      9954d2370a7158c80500b628a571d19bab99b709

      SHA256

      1974368d07bc5df05ad864c3244bf40c0106653abd49b9c5229e9634021b65a2

      SHA512

      82be354f7726f48dca3cd31cc424425ec6b36940539a5cdf64f16a06eb32df29c0d2e63c9f9a58aab5c8207fe4cf3ce0e0f2ef49b9c1f6866059c77e92996a9a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      59907a0fc8e98ff31667f793ba3e1ecc

      SHA1

      f27ec55327e956565524667c8d7faebb8851301a

      SHA256

      08489d30a8d184059af8a9d637b1d2f56075c42ae499607f1a5fc82fdd6ca11b

      SHA512

      9e5fa6c03c0fb7539e7449f9345c90da4a158b8e253e4101248cef095539de95d0c22636c13f0f1d6c41e4f3094e120ee732ca5b19496240dfee8c5170a1c35c

      Download Submit

    • C:\Windows\SysWOW64\crvvpqutdfvvr.exe
      Filesize

      182KB

      MD5

      9026a9bf38a94e21c64aa313cf21e39e

      SHA1

      1bb2b9bb522227c8f5fb202d92ccfd7ecd3a6a9a

      SHA256

      2e83010b1c58aea9c340d79532db45adaeb2240b86cacee4246451f81c8a2092

      SHA512

      b09634da3cacde9437547980a298151aa2d7761c651fdd05d148ac5d5dc11761f146c9f880ca04f531912bc7596ef2be67c1f03427bc2d8288b1eca636853248

      Download Submit

    • C:\Windows\SysWOW64\oysrrpki.exe
      Filesize

      512KB

      MD5

      e7d9dc96af00efe0454050d202d31c4c

      SHA1

      5cf9fdab02068402d4f3faf0a8219d6fa7cde3c9

      SHA256

      b5fbc29bd64b86caff8af917d1ff6742b7e65aa40f025784d54bdffa7745297e

      SHA512

      12e1ed42c0c9dcf78c319054eb612a2cdaf7354c97c3157338ed279891472a711750773ed1dd1466154d8dd353be4b045dae364f3147ce557a3022733146b9fd

      Download Submit

    • C:\Windows\SysWOW64\oysrrpki.exe
      Filesize

      467KB

      MD5

      89868ae7a735bf60c60bda204b29acfe

      SHA1

      4d7a2a0a936885e1f8913a09db79372091c88f63

      SHA256

      9cf38c79bdbc703551860b03ee33674abe14ba01b95d719084faf8944ca2e3b0

      SHA512

      adc2c8ceed1f588d3a306b4ea6dee90fff26bcca8d9668ce33ba073a891e92abbf3eb910a2df1693d42a563e93d332979fcb18ad0f06a1a9d6649598d1538e87

      Download Submit

    • C:\Windows\SysWOW64\oysrrpki.exe
      Filesize

      413KB

      MD5

      3c732c82d843bbfc9e6cda2b8460991a

      SHA1

      14a8632748f9d7b64627f15f9d9a5220653b8331

      SHA256

      869ffc1a9d336c878abdbf4bdffdad0f32b38ff881456117c9f0493fb1008087

      SHA512

      849814ae4bec21c2ba5460226adbd7d2cfce2648ed5dad6d969de9b984c36b999ade88dbe0fea45fab6b9fac7a3a65988099e41f5361bd999bebed387417c925

      Download Submit

    • C:\Windows\SysWOW64\vhoslazrxwybckj.exe
      Filesize

      434KB

      MD5

      8bfea752eed03082538e86d06917b5a2

      SHA1

      f14d3c310b7f46e7dc88ee03cbc2a5e82ecfcdbd

      SHA256

      44ef964ed0ba4fb8cb1a947355fcea85308c0c0cdc12f42e25afd147adc8745d

      SHA512

      4c71c455aaa8bcf23382c2d3d564e2ac67f3b06577e5611c2d7713f6bf7abdaaa0cff40b561e479f791a94041e71f77133dd220461723f77f370ea66b0b9cfbe

      Download Submit

    • C:\Windows\SysWOW64\vhoslazrxwybckj.exe
      Filesize

      320KB

      MD5

      583b05aaabd49291e331fdb77618322f

      SHA1

      d2826f4567e4417b1350f6b502621efc97bbd24b

      SHA256

      54aac0f617a649f4ade86e7271149d67ffc92438189e0fc0d9d280899ad45ac1

      SHA512

      61a325904a0d766365a9fec4889699b1783d6890c74ceefa54a803298a434c5583b90bb03eed8e73a6e8b8e811ff70024c3e893fa6bad5f4e3b7d2202b1a490d

      Download Submit

    • C:\Windows\SysWOW64\vhoslazrxwybckj.exe
      Filesize

      512KB

      MD5

      6bf356c24afd66120493e8063f07dd22

      SHA1

      9b7fd7c1df9fc151f00025146bf379a5672e3d47

      SHA256

      bf07cf8aca64495723ab04aecaf227f02c722683e58126774e10373490bcb1d3

      SHA512

      893040842d5048fbe6e780df09507ec14749a61729c7dd3b97e99535e3e0c1fd36c446758073a6d15f3badc73f98143358d7c73e074b639dc0267b5f504efc9b

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • \Windows\SysWOW64\crvvpqutdfvvr.exe
      Filesize

      512KB

      MD5

      6d7fa705ba5eb5fb8386802875c3cd98

      SHA1

      ad028b4335e8404f4eebbc4102fab1c68fc18f3a

      SHA256

      cb61c46d35e17b4c96b84e69b0b1ece1a55dc706997a2efb526401275b3812e1

      SHA512

      b7a8e172e86f63008566fa90867030dd8d32e450e290c91aef606c2f46b7743122896db281a3faf771d69749289a962371b9960e9c8fa6618329e0a34faff0d9

      Download Submit

    • \Windows\SysWOW64\oysrrpki.exe
      Filesize

      506KB

      MD5

      36aea56d170f7dcb608ec46c0f226bc8

      SHA1

      31d75e827a732403fc398387e04d6940231e39e0

      SHA256

      350636734a31704b5f2fc8875a9ddda22895dbdb75a15a088427e6b3683af1d6

      SHA512

      d5af34e03191307ad38b2ddc3fd6e4c99527c90b0c42fc425c9aba0d1890df05b64b2764282d8eb7d6cccdc939ffb635c5d6a8e4bae218f8770598d543832c1b

      Download Submit

    • \Windows\SysWOW64\oysrrpki.exe
      Filesize

      361KB

      MD5

      5a6a1f280ce04ed7f6f7b6eeb9c768f5

      SHA1

      bf33d06422bb5cf25df871c3ebd8f9047a67a236

      SHA256

      8c4eb2ec5a9264f2a037a6f738bd7886452a8173bb7ac8aa6f1071f87ca5eef1

      SHA512

      13618ef5360acc423006d352097b870409724f44953ed3574946072dd176db87281d9100b29fb78d4905cc3de61ad4a7daf288c23f2ae918fc57d3f0f0fd59d8

      Download Submit

    • \Windows\SysWOW64\zrivutddov.exe
      Filesize

      512KB

      MD5

      fef2feeac60198b9396287da0e62e79b

      SHA1

      9a42dee00a2420e68700f48a1ebf25d1d3fefacf

      SHA256

      184d45500ebbb91bd475bde87d86b9531b330398af0e43f23ac091dc97ec48c0

      SHA512

      85c7d71d809f488359c62a1a8a88d0d42e689e7388f0962291e2e4c2953fe692b95cfa9802be3bb2ba229175c2fe1cc634c337949f1be8bfa31b0fb36e4ced61

      Download Submit

    • memory/1364-45-0x000000002F6C1000-0x000000002F6C2000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1364-47-0x000000007181D000-0x0000000071828000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1364-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1364-61-0x000000007181D000-0x0000000071828000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1364-103-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1364-104-0x000000007181D000-0x0000000071828000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2908-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

      Download