Analysis

  • max time kernel
    169s
  • max time network
    176s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/12/2023, 21:12

General

  • Target
    3cefe1ab8bbea67d4aa326445931b90f.exe
  • Size
    512KB
  • MD5
    3cefe1ab8bbea67d4aa326445931b90f
  • SHA1
    56f7a596f0dd98d48bbf9d2764bd55d420461dd2
  • SHA256
    2cf5c8f3e4255e2f2cb52277fec1759f16c97811ccdcb348afec208fcc124ea9
  • SHA512
    fb23ca25321a1e22d1ff9e564f28eab2d58dd66698614bac1d50da6cc690784d5f5870f14efcbcdedca890228d641ece9b5334cdfd1fe878b4f241f9932baf58
  • SSDEEP
    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6e:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5j

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3cefe1ab8bbea67d4aa326445931b90f.exe
    "C:\Users\Admin\AppData\Local\Temp\3cefe1ab8bbea67d4aa326445931b90f.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4664
    • C:\Windows\SysWOW64\bvliomhspf.exe
      bvliomhspf.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Windows\SysWOW64\jcbarzzb.exe
        C:\Windows\system32\jcbarzzb.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2972
    • C:\Windows\SysWOW64\zrdxcsruloajbll.exe
      zrdxcsruloajbll.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3936
    • C:\Windows\SysWOW64\eqfcbnvihbbhc.exe
      eqfcbnvihbbhc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3320
    • C:\Windows\SysWOW64\jcbarzzb.exe
      jcbarzzb.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1864
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3628

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize: 512KB
    MD5: 08bd821b723a691e3e74ba8f9775896e
    SHA1: df2c54a61870f4d4829a97a95bec146ed56ca602
    SHA256: d61c8daf92d9c34e09d15b70d3e12f93e2dacc95155072fee9c4c1b1cc02830f
    SHA512: bead694dae79068e0b2307af6b0da2d59012c01fba66e9917cafe1955e7703e2a699bb46f7838d795cb92ad72755782c1aaac8547c1863772da25624f76cdc8f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize: 239B
    MD5: 12b138a5a40ffb88d1850866bf2959cd
    SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
    SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
    SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize: 3KB
    MD5: 7197626b6d07b6cc2e0c6529796eb5d2
    SHA1: cf74eb16d8fe07663b8e817b0f4ec3164343a836
    SHA256: 631df2bbdcb80505979ff29d6c8c715bf4564cba55eb7abccd4b00707d84413f
    SHA512: fcc7014be4e9d6e03f2b652f9e229225bf7028d83af5130ea5bd7658b3d4f82db3b77cf7ced381847a390b057e1239aa4ebe4a664bc56a6268f4d85b5001391b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize: 3KB
    MD5: 67a843c3d550b8e2bcbac17f5dff61ba
    SHA1: 29eaf6a7242f81fdfa218f87ed5fd4cebb9c748a
    SHA256: 88ed808ad64654219a29ce8a004a3e4f78bbf301dcb68e05836912c322481307
    SHA512: 88cde14d957bd11ba8982ee7b7a0b8150d8f124a92a72cd59db316e10136bd54274d1d75b2a08e41af8dfa2a93320467a277cd8f98fabe52aa8832167a7f194c

  • C:\Users\Admin\AppData\Roaming\UnblockAssert.doc.exe
    Filesize: 512KB
    MD5: c40eebc5ff61eb3174188f7cc841b979
    SHA1: 424dca2be10a633726089dedd325848c64e89b62
    SHA256: d9e8d5d1c83ffa57e22d48745d28522d3bcf2fe564ab04e33e81bc6307d29247
    SHA512: 5320729e5d84056debf763aedd311942b2548ccce1d86cd5da849337dc8f799026475e7e3793bce06a0bb23bac3185df97134ae542e8635ca5023c729044548c

  • C:\Windows\SysWOW64\bvliomhspf.exe
    Filesize: 512KB
    MD5: 3dd5e603b387a82a8d3e2e861069eb47
    SHA1: 0e5d356d7ad9488377778ade05acd901160ff85d
    SHA256: c3fce99585be5e1d2c7f647e788f10080325d98a63ce5e3529401ca41ce72748
    SHA512: 57dc7702e3e06aa6f4344b0f8bdff9c0d87073ab8c66e36891c35beb4ced23f37909e94f00598b27afb2cc5484fbec0bd813bd7580016e07b09232f277447a56

  • C:\Windows\SysWOW64\bvliomhspf.exe
    Filesize: 128KB
    MD5: 33be84de0fa03c6883fec2ead970e3ba
    SHA1: dbe35ed4343779aa93200c24966ccb805e18f223
    SHA256: ef0f2733bf476c4dc632a27627cb24681d552719aafcc969eec5db1a90996887
    SHA512: 3e93ab8677009d404503e243038ae323b1bc55af56c8c53bd3d44f5313ed4383c987ccb1f1f0e86111fc36db67c7b1b76de4eb4b1c6742baadffd70d7dc6c093

  • C:\Windows\SysWOW64\eqfcbnvihbbhc.exe
    Filesize: 512KB
    MD5: a49bf217542826f4acc66c70fc7fa539
    SHA1: a9ed032c67fd4f73af9e86775f0ce6ab029461b1
    SHA256: 04e4fd01636dbcb6bfa3736ed73bb429b9f1bd873de737e24e6be48ae7206ce3
    SHA512: 175c5d504c0e2f75383810fa915616d12c58804fb70c2e768b1b8921ccb7b3545ccf569a154c88f518737d7e801c485fcb91553460f7799d19d2359814752517

  • C:\Windows\SysWOW64\jcbarzzb.exe
    Filesize: 512KB
    MD5: 57f7109095b8bc3c8d9d9ddf6e771ff9
    SHA1: c62f9055646fe9b81a198d4a0ddb5f8f92dcb659
    SHA256: d4cdae5d11aeb53fe7242b86195f71d7c9380e3c3e4b1fedb323e9fb1769ea85
    SHA512: e6038f7a5b20a619f469e8c510278ff879eaf3248d9f76003f90ebcfbe25b25daa80df3c7f82a0091bc31b8187188bc5e1e54195bb241b9c156199e87cfc01cb

  • C:\Windows\SysWOW64\zrdxcsruloajbll.exe
    Filesize: 512KB
    MD5: c4d437c382a0214bdce9c54c535acd94
    SHA1: 15bb9bc08a579f48e69821e57631be05ca592b5a
    SHA256: 7f85ccb7536d58d81c541e0984c67ea3b77b267a0f380203a08af45022b962bd
    SHA512: febe2d04bd1b63307f52dd6e42348a301becc894942a2b771feaacfae5491637b9d11664fe8dcc00ca58e43c82172e02ee3a116dea71bfca74ac907226f09bf0

  • C:\Windows\mydoc.rtf
    Filesize: 223B
    MD5: 06604e5941c126e2e7be02c5cd9f62ec
    SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
    SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
    SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize: 512KB
    MD5: edc650f6525811fd5ff4162b87856f3d
    SHA1: e8ed28b03fc0baa0372f58af557844c222373878
    SHA256: 63f26d2f6537bd400a92bdd9bf6b85c1e777d30ae11bac43e5cb72ec612545e0
    SHA512: ad6806a597a3290a185207d73ee7dc10d040400b65c636f0f6b2dbfcdb18f0982b6570fdc3c56e4708eb497ff861ff1b3e23722a2a7bcdf28c40fb7153cf113a

  • memory/3628-45-0x00007FFB3F710000-0x00007FFB3F905000-memory.dmp (Filesize: 2.0MB)
  • memory/3628-37-0x00007FFAFF790000-0x00007FFAFF7A0000-memory.dmp (Filesize: 64KB)
  • memory/3628-50-0x00007FFB3F710000-0x00007FFB3F905000-memory.dmp (Filesize: 2.0MB)
  • memory/3628-52-0x00007FFB3F710000-0x00007FFB3F905000-memory.dmp (Filesize: 2.0MB)
  • memory/3628-54-0x00007FFB3F710000-0x00007FFB3F905000-memory.dmp (Filesize: 2.0MB)
  • memory/3628-56-0x00007FFB3F710000-0x00007FFB3F905000-memory.dmp (Filesize: 2.0MB)
  • memory/3628-57-0x00007FFB3F710000-0x00007FFB3F905000-memory.dmp (Filesize: 2.0MB)
  • memory/3628-58-0x00007FFB3F710000-0x00007FFB3F905000-memory.dmp (Filesize: 2.0MB)
  • memory/3628-55-0x00007FFB3F710000-0x00007FFB3F905000-memory.dmp (Filesize: 2.0MB)
  • memory/3628-53-0x00007FFAFD440000-0x00007FFAFD450000-memory.dmp (Filesize: 64KB)
  • memory/3628-51-0x00007FFB3F710000-0x00007FFB3F905000-memory.dmp (Filesize: 2.0MB)
  • memory/3628-47-0x00007FFB3F710000-0x00007FFB3F905000-memory.dmp (Filesize: 2.0MB)
  • memory/3628-41-0x00007FFB3F710000-0x00007FFB3F905000-memory.dmp (Filesize: 2.0MB)
  • memory/3628-40-0x00007FFAFF790000-0x00007FFAFF7A0000-memory.dmp (Filesize: 64KB)
  • memory/3628-38-0x00007FFAFF790000-0x00007FFAFF7A0000-memory.dmp (Filesize: 64KB)
  • memory/3628-49-0x00007FFB3F710000-0x00007FFB3F905000-memory.dmp (Filesize: 2.0MB)
  • memory/3628-59-0x00007FFAFD440000-0x00007FFAFD450000-memory.dmp (Filesize: 64KB)
  • memory/3628-48-0x00007FFB3F710000-0x00007FFB3F905000-memory.dmp (Filesize: 2.0MB)
  • memory/3628-44-0x00007FFB3F710000-0x00007FFB3F905000-memory.dmp (Filesize: 2.0MB)
  • memory/3628-46-0x00007FFB3F710000-0x00007FFB3F905000-memory.dmp (Filesize: 2.0MB)
  • memory/3628-39-0x00007FFAFF790000-0x00007FFAFF7A0000-memory.dmp (Filesize: 64KB)
  • memory/3628-42-0x00007FFAFF790000-0x00007FFAFF7A0000-memory.dmp (Filesize: 64KB)
  • memory/3628-43-0x00007FFB3F710000-0x00007FFB3F905000-memory.dmp (Filesize: 2.0MB)
  • memory/3628-105-0x00007FFB3F710000-0x00007FFB3F905000-memory.dmp (Filesize: 2.0MB)
  • memory/3628-129-0x00007FFAFF790000-0x00007FFAFF7A0000-memory.dmp (Filesize: 64KB)
  • memory/3628-131-0x00007FFB3F710000-0x00007FFB3F905000-memory.dmp (Filesize: 2.0MB)
  • memory/3628-130-0x00007FFAFF790000-0x00007FFAFF7A0000-memory.dmp (Filesize: 64KB)
  • memory/3628-128-0x00007FFAFF790000-0x00007FFAFF7A0000-memory.dmp (Filesize: 64KB)
  • memory/3628-127-0x00007FFAFF790000-0x00007FFAFF7A0000-memory.dmp (Filesize: 64KB)
  • memory/4664-0-0x0000000000400000-0x0000000000496000-memory.dmp (Filesize: 600KB)