Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5

3d1b9631c5...dd.exe

windows7-x64

10

3d1b9631c5...dd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 21:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3d1b9631c5905683931200fd58d783dd.exe

  • Size

    512KB

  • MD5

    3d1b9631c5905683931200fd58d783dd

  • SHA1

    2e95612519872978c8675b7e8bf452f99c89b91d

  • SHA256

    7cec07093cce87a490295124a8bf53a101d6d4452ec5c4c82b273cff23db0518

  • SHA512

    f3123bc89ad9bd7d4329b954abacc8b357ececc1941cb821abef6515bd655aa84dd77e475f7e3bd46338798cac17292b9f8dab8e97bfc7b48562b1607e8cb1a8

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6T:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm56

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 17 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 22 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d1b9631c5905683931200fd58d783dd.exe
    "C:\Users\Admin\AppData\Local\Temp\3d1b9631c5905683931200fd58d783dd.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Windows\SysWOW64\wmfazrgbug.exe
      wmfazrgbug.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\SysWOW64\xsygsvyy.exe
        C:\Windows\system32\xsygsvyy.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2588
    • C:\Windows\SysWOW64\yrkzoewlarslv.exe
      yrkzoewlarslv.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2848
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2340
      • C:\Windows\SysWOW64\xsygsvyy.exe
        xsygsvyy.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2832
      • C:\Windows\SysWOW64\tyknustmxhmwqvo.exe
        tyknustmxhmwqvo.exe
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2836
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c yrkzoewlarslv.exe
      1⤵
        PID:2700

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
        Filesize

        924B

        MD5

        8a20e6938e09bb9d8a62e981b756e848

        SHA1

        911e5af322278feec49a5a27fa76414f1ae41162

        SHA256

        db4c81c378dbe17c9d002c5c9ed49faa1711f2fc924edbaccaa7e4caffc3a641

        SHA512

        d22f7a5b8db856d9be0eb2b20534d5912c5c4b0b08220ac6b39849afae724a051240bc6ed871059f8eb0cfc5ab94be2cd1d88b304084594952e146347f037d25

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        031fc17919629f0a8e7496de9aaef160

        SHA1

        c735c3fe3204aaa1cb51c80c3731baf7c789241c

        SHA256

        3e30a4d16f894d14cc09eadb95acfe0f70a2c4262f6a943d6959a553e728ed02

        SHA512

        dd4e960a2c3fd655da90deba64839f9e066009361e58b6c298a5a480866c4ac709831b9447fe93fd323664ef49a4a9bf66ce9456f5dbad1c58ebd9873c46c9bc

        Download Submit

      • C:\Windows\SysWOW64\tyknustmxhmwqvo.exe
        Filesize

        92KB

        MD5

        6c71714668e41927f306d0cebf36ce4f

        SHA1

        985d9063192bae2797de69aba91748a3b3b2513a

        SHA256

        0b10c39c81d092c73145c18df615a74100fba98a44caa79eb9adc994d1018358

        SHA512

        736a56f3b0d1e2b25aa79af8e23fa6797b05e8ed13fafabb35f62149b1c238b25cd51f09ad13720fc3d8db91828b38b390f5a39f0cf1dcb259c11280c74a6727

        Download Submit

      • C:\Windows\SysWOW64\tyknustmxhmwqvo.exe
        Filesize

        159KB

        MD5

        b54d438321342ff206752549562d97b8

        SHA1

        615131a3d37c2028c768ea4f2eae15a877084b24

        SHA256

        7e028dd6259af9edbc3394fe00c031f3755eb77a9597a2017e182d8582b0537b

        SHA512

        8d19498c1a6fec2471abd75400fa00dfdde4c8a411dc39f3c3bb8a76d06562844f5b713295c0fdb13622e0e1f61649c36d1f96d61d8b8f74bc506e6410f91c19

        Download Submit

      • C:\Windows\SysWOW64\tyknustmxhmwqvo.exe
        Filesize

        74KB

        MD5

        0ae1aff2dcef61ba5026a54945f66d9e

        SHA1

        8524dd70bc04d050dbfa34c40c39ede5bc4e4375

        SHA256

        b7969e46116a974978b92fc21d0e911f25f7a7ff163ff9803cd8336720fbb75c

        SHA512

        063c940159278ca0715f6783c0c157f3d8a748ce9ca4138c3ea271ab0f4389d0cab861f3184759dce28369b94d847215a6ff25d1518cabb9fe4bbe11bf577878

        Download Submit

      • C:\Windows\SysWOW64\wmfazrgbug.exe
        Filesize

        298KB

        MD5

        20f8663b9b4667749fb8added949cfef

        SHA1

        eb1f8f4c67dbf4f00422b42f0deaf3fe7dd2c0ce

        SHA256

        34e0f7df8f76cc68659aff55c65b15c0476d6d08484c8169d9b0aa51b6a4e3a3

        SHA512

        ff0a17a9e3d232b0e9aac077b02cb4810a885cb95205b36163e6f3179621f247033d5d998493628ba75f8e407d0d4fa1948db06b491a51c21073a403d8dd3519

        Download Submit

      • C:\Windows\SysWOW64\wmfazrgbug.exe
        Filesize

        205KB

        MD5

        55481cdba879a7aef38a3326b3440f54

        SHA1

        9ef6703755a511d691444f4fc9ef611e13f08657

        SHA256

        3001173b125e49949585c58316cf4917e2969e0ab5ae94ff005cb44c2c95f30c

        SHA512

        5defa99cb48635179ffb568773790fcea7182919fbad37df72ce212f6ea67f51ac03c6de7f784010ff1432aa5405c22653e674b47ebd00b69860e808777785b0

        Download Submit

      • C:\Windows\SysWOW64\xsygsvyy.exe
        Filesize

        256KB

        MD5

        37da9fc3ad51b33082ca3aa0b4393289

        SHA1

        ae24ce1cfd05ae7dea192a34a172a607f2ce5ace

        SHA256

        783d6ffa260952437e58d889febe32c2f679d78a8d0a16f4f48dedef85b38793

        SHA512

        233b0313cc74986c9ca02b587b2a821315e6916b815f619a3b0c831fdd6711ccd0c1ffe1f7b78161d7f30fbe13568f7f5a22daf1a9b02cab5eee5255e55e5ea3

        Download Submit

      • C:\Windows\SysWOW64\xsygsvyy.exe
        Filesize

        40KB

        MD5

        4214cd407201f93d3baf8f75c6f8167d

        SHA1

        e6b33523d560c93f39f6586acd1475165d1f67ca

        SHA256

        19e823f9f58e9e6199d1d635987818e96ced46ab6552df416ad473efee4a77fe

        SHA512

        863dd788bcdf6d947ad5ee2f9bb25006ae372f93bdc0e54bc758abac5a649234540239a129f6a5651b86a1e626e5c023691d5fe394e748f4c46be742d382a9b4

        Download Submit

      • C:\Windows\SysWOW64\xsygsvyy.exe
        Filesize

        33KB

        MD5

        b6be05f0dd50842b75e4587e5f851f58

        SHA1

        07d8e91a90d7f900c1faf9b3bfb1a5c6a79d7972

        SHA256

        ed55ff9b20056f71a9f23532d12ecf895875cdf84a17a970ffc202c51abb174c

        SHA512

        08e0397c8a505d2fba625604c82c2306574e7ae7ab2944603b8714cab28406c60f3fa8607496bd072964364a74e791656d3a293b9ea2af4362d8878681b9c26a

        Download Submit

      • C:\Windows\SysWOW64\yrkzoewlarslv.exe
        Filesize

        3KB

        MD5

        6a8c4b146ecf4cdeb261984ff257a701

        SHA1

        0bf68d438aa1143541ce5e776c8baff369c5452f

        SHA256

        8ae4fd77d89cae193fc05431cefa0fdc10e513753b258f608beb9598cd302240

        SHA512

        077eea4f0dddd6d441a0b2169756ca6c6798d2acf856e4f56655cccdc39ebdabccf7d84f8fce4860c68d4c62859991f5ba570ac81ae4c47efa084c5f65c62682

        Download Submit

      • C:\Windows\SysWOW64\yrkzoewlarslv.exe
        Filesize

        45KB

        MD5

        e8d0a210a7de9cb675e1378280b0b6de

        SHA1

        c2ab939a2766a03bf6c24459cd935c2d580f220d

        SHA256

        c7c4be5ef5432feb35d5b82dadc75a8e6292be3f6630a23c22c1b66957344d0b

        SHA512

        e3aed655216ba65313dfc649215cb55b215aa5a3bccb14598d335ada70f6b0d02cc0133b02e755ae53f6e3983c19366dda6364ca91976fb07def3f5eaeb54fb5

        Download Submit

      • C:\Windows\mydoc.rtf
        Filesize

        223B

        MD5

        06604e5941c126e2e7be02c5cd9f62ec

        SHA1

        4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

        SHA256

        85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

        SHA512

        803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

        Download Submit

      • \Windows\SysWOW64\tyknustmxhmwqvo.exe
        Filesize

        292KB

        MD5

        4fdcbd400b20969c0baf04276dfdc361

        SHA1

        011a76bd66f447b5a1f6c357ed63a03f5ad742c1

        SHA256

        f86c4d3a156df826e3b5bcb7793692220df1efa8c6067ffdc9378727bfa2839e

        SHA512

        1ae94105602d7a2d14b09c74e5b28cca948381dc57abc1448b5017825f98ddf910e8fa7bce115f8c281bf596939a27c1c7ec24d788217da03afad9f6351766ac

        Download Submit

      • \Windows\SysWOW64\wmfazrgbug.exe
        Filesize

        70KB

        MD5

        fe0a8be82bd5c0951846e26e43803ee3

        SHA1

        116b8443771a42c8944ecba2eebefcbfa0aa4068

        SHA256

        2581b75f93e4256f8bad1ac902ad1a0701258577a499c5c7284c0a77b91b0408

        SHA512

        9e6870017213b39ca9f38191b9a9c4b019f32fe1c7b75789a71fef7e723174b03d468fdf750e2b5f1d478aba7ebb5ca11ca0be0b496e206d5a4168a0fcea14c8

        Download Submit

      • \Windows\SysWOW64\xsygsvyy.exe
        Filesize

        30KB

        MD5

        c421cd256a9e458e533d76fe317aa6fd

        SHA1

        5daa9ab36747fedd2d44eca29b846a771d7f0494

        SHA256

        221c96a46db253b7d5974b6b6a3a562e772a0c64a892985be6b4bdd25e8a05d8

        SHA512

        5ba8af55627f3e16df084f3da3ebf0b419d67bb35c2a5bf73fa5325935be576d4b862e2358651f5bbe78cb954f01bccb65186f6cfd48fbe8a22a3adaa8d1442a

        Download Submit

      • \Windows\SysWOW64\xsygsvyy.exe
        Filesize

        42KB

        MD5

        57baca6cb360cc9df0065c3a6803fc01

        SHA1

        f029f091ed00eb52b692ac292b0e70b1bc18f945

        SHA256

        5a0cd94cffafeabb2a56d5c3db008141b6cf944ceaaa445be80d6d2ff42104c6

        SHA512

        df36aba110c8f06675c3f8bb789dd86783c76a1c772649bf18abb6fda83554b7954369ec070c7a519b162ea0f58e488f0db7251c9306d32e545c181777ddf0c6

        Download Submit

      • \Windows\SysWOW64\yrkzoewlarslv.exe
        Filesize

        31KB

        MD5

        79f9230792c209d7ada5fe9bc4bfb07e

        SHA1

        a6162120d5823435bd2f5cb76a2c9e04ea79f33b

        SHA256

        1b502fdf46cf423173cfdc3e0560e6dbdfa7771de29899e14533819c400fa6af

        SHA512

        7ed421ca0e753b33e9cd0220375b8f5a7bd3fe4a1990bcb4c88340eac9c7b5fbdc4a15a3ca9086015a4b893ecdfb0d89daf470022ba9c5764b9223fe7eb4c2ea

        Download Submit

      • memory/2224-0-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2704-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2704-61-0x0000000070DDD000-0x0000000070DE8000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2704-47-0x0000000070DDD000-0x0000000070DE8000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2704-45-0x000000002F661000-0x000000002F662000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2704-101-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2704-102-0x0000000070DDD000-0x0000000070DE8000-memory.dmp

        Filesize

        44KB

        Download