Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
0s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
25/12/2023, 17:18
General
-
Target
3046f693f07ef5720f685bf2b586fcb2.exe
-
Size
512KB
-
MD5
3046f693f07ef5720f685bf2b586fcb2
-
SHA1
dc28149b45cbdc89ecc8daa2af16668a3bf037a1
-
SHA256
77ff0c8a05d5ceab36fd6e15403c82b5749f67cee085fa99a41d10e6886e770f
-
SHA512
a8ebf07b59cb28277b4eeb14102b7289128fb3fa3849698c6fb65c9a9fa110770376248d96ba3f524b039cdf406429ea3ecbe0c66c334ab6c74d806e87241440
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6W:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5d
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 8 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 20 IoCs
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
-
Suspicious use of FindShellTrayWindow 15 IoCs
-
Suspicious use of SendNotifyMessage 15 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3046f693f07ef5720f685bf2b586fcb2.exe"C:\Users\Admin\AppData\Local\Temp\3046f693f07ef5720f685bf2b586fcb2.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
-
-
C:\Windows\SysWOW64\zrcbagboktpww.exezrcbagboktpww.exe2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\wwikdvgz.exewwikdvgz.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\ecctikbmfjcaxwn.exeecctikbmfjcaxwn.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\gwaxgqxzle.exegwaxgqxzle.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\wwikdvgz.exeC:\Windows\system32\wwikdvgz.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92KB
MD56662b185f19fbf697c56a25c92de7961
SHA10df0c0df0de3724258df2549c583e3c934aca726
SHA256c11edb9e97848e20319fba876d9382c7193f68323eff1f7ed805bb04303bdc86
SHA512c6e2cb83f68a63ca299dae843d2697d41dab8b565fb4005755b0d255b388779b6c1dad97375009c995f0a3d2e0acb4cc820090ca5dc24ee11e1a3de5b1a4921f
-
Filesize
512KB
MD52e660f85d42a73687b43c1aac102694e
SHA1a77481bdfbf568baeba0e845666bf9b5fb37f017
SHA256cbb75f5282d55ef70e1936322569132a60a45867cc113fc1e3ed4d234a5c4aaf
SHA51252f94b0b0e1081118472066834416c5243633b5b1dd4fa6477b079fac6cffbd608bf4a445a77fd85bff93f8035d48f3f86d59178ac727f231838ddba767739be
-
Filesize
512KB
MD5a01c0e8c75203d73a2d2c178cb2ac227
SHA17c5eeceb4f9a6c678793465383a8105be8f711e0
SHA256fe5c7ff22d3aaa225dd25f9b87062bb2c5899c9dd27b571c7a30cdaa2dc15455
SHA5125769634ac557b23764a9a5a3a8dd5f2ebaddafd4690bb1b1b5ecebe652b72ccc0856b0335f547d457703eecd37b7b76305ec7ad5c02450c1ff774cb0850cd432
-
Filesize
512KB
MD5fb09bb84529db0105230069f68bf7e1d
SHA147a39bdf8913b174fe62b594940fe0a8ca438849
SHA256ba36f999119c779afbcc425a3953d90c0587c9a0e30fce3a370a52ba6078261c
SHA5127d88c170bbecc28124dabfdfb88d19c666f33e835da0490f76a802777c6593f00634c4b90795672459c7fb5c0dab83911c3392c0a5162e0d10e20ec28fadf03c
-
Filesize
381KB
MD530aec9e0b33fbd99234328357879f812
SHA13c9d37139d4ccfe2b694afba9633170d0f510a92
SHA25615aad0daaaeea2f1eb8d19a8999f42844b2885d6bef949f6787feba7dad46563
SHA5122060f2cc8c90181dd0a9965f0ff3a94aece08c82c4a68454846f66778bc60dade3ba5ddc38be57311ff4a7bd78217b89a9cd09837eee4b5d9893277299dad415
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
600KB