Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5

5f3ca048a2...82.exe

windows7-x64

10

5f3ca048a2...82.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    26/12/2023, 08:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5f3ca048a2b085e7ab53d25f2f565682.exe

  • Size

    512KB

  • MD5

    5f3ca048a2b085e7ab53d25f2f565682

  • SHA1

    eaef69141dc9a347dcb9af36d8afc1e57e426c02

  • SHA256

    c93dcc55a1620214857eb4862bc0467424047ff13ede76e9414e5b3d1e968845

  • SHA512

    b60b936b9172ae56f610599c554961865c01baf2617fb89dcd474f14c8503a9ad0ac5aa63cb31bc410bd246909e1a4d72efd16f84e9234553cd2c6fceac233ac

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj69:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5E

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 20 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f3ca048a2b085e7ab53d25f2f565682.exe
    "C:\Users\Admin\AppData\Local\Temp\5f3ca048a2b085e7ab53d25f2f565682.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Windows\SysWOW64\ipuydnhprl.exe
      ipuydnhprl.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2824
      • C:\Windows\SysWOW64\qwmumhxd.exe
        C:\Windows\system32\qwmumhxd.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2272
    • C:\Windows\SysWOW64\njguoqzkxlkclsq.exe
      njguoqzkxlkclsq.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c rlrlsgbcqergg.exe
        3⤵
        • Loads dropped DLL
        PID:2856
    • C:\Windows\SysWOW64\rlrlsgbcqergg.exe
      rlrlsgbcqergg.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2540
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2924
      • C:\Windows\SysWOW64\qwmumhxd.exe
        qwmumhxd.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1904
    • C:\Windows\SysWOW64\rlrlsgbcqergg.exe
      rlrlsgbcqergg.exe
      1⤵
        PID:2752

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
        Filesize

        18KB

        MD5

        009a35ba6f667971597d9e0a329b07c8

        SHA1

        85b627c968cf5cff19576f91ed03a81a5b1dcaa7

        SHA256

        40c347abd88b9895323d240ce5899684c4fc780f460334ad51fb845cce8129a5

        SHA512

        e38fab02b5d14dc1d62c760a8c12f545890547368fa3325ec0a5dc3e76cd865222685121fca953c54843c3e50e0e6eaaa8eb1770059d9735db04f602b2080644

        Download Submit

      • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
        Filesize

        25KB

        MD5

        4424637682ceb966732f11183e97a207

        SHA1

        f9d7d88dd1663cd8d712aba92437c3dc928dc6c2

        SHA256

        0e5aabe24254910e7824404eb676e03297117f5139417ef71dac35929b1a5e3e

        SHA512

        af29412ca0b7a87a3f64be7d5bb84fdbb390c83b3a9cac90301bc6f45d832fbb8922cf75d7806794382ac2e74592e947317fd1a29e8ed585b78a4409b4f8baf4

        Download Submit

      • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
        Filesize

        11KB

        MD5

        297ce1fd8478151667d1717b7e6327df

        SHA1

        ae737f1adfe1120e7f196c0395538265971ebb85

        SHA256

        b4dab32fa68f717b2ea035ffae7b2eb5efe3f8663261cc8b0e48b8a17a768716

        SHA512

        14c361be352611b929e3db491c22c3eea2457303f0fb368be5cf5b40baa11a3d2cade06895a0efca4aa2cb27883b77c5307ce77b33325aec80a3eaff3a12b87e

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        76f690c8cbb5d7c8c025ed23971fb407

        SHA1

        e5e01dee0c15b1175fedcfd6d39896d6f06ec7e2

        SHA256

        05d3bf68eb1b749fc1d8113cc31b74afbd64e181a8ed0b75aee07f64cf6858e9

        SHA512

        edeae179eb47a9cd4050479af02abf414b7787be730309ecb805dbf0f6aa218473caa705630bca58c72ceabf9ba95ffc2fff711a3a0080e569f1f5bf3d10b485

        Download Submit

      • C:\Windows\SysWOW64\ipuydnhprl.exe
        Filesize

        89KB

        MD5

        98307d376ea089bd2463d9729b3a715a

        SHA1

        83bf9a66e5ffae0eda7df9ef409fde57ea92e272

        SHA256

        f92c0d866f8d72039ff5bba79aae0fb993b08dc1aa62ed71415a2259af05ba16

        SHA512

        18b4427fbd2e472884ca520f037ef37bc1a70a9b62b237062f1420e2b9f4b7ed4edf4c40403219d7c24fd4a6bf1958c11652cab9c25de6c24f18b587d1279eaf

        Download Submit

      • C:\Windows\SysWOW64\ipuydnhprl.exe
        Filesize

        49KB

        MD5

        e1792e11aebc7a53f92359d5df32f3ca

        SHA1

        a949835ba491daadcaa193868749e8057a449b69

        SHA256

        a28d2c640d42554e743ed6d119c7fbd40410c388f2d6c423d49c8b295cb25cc7

        SHA512

        af2cf87be1ce4e314fd3823cb8ed2d97a0e28e055b90c6971463cb07ac9584611e6e019f54158b68efa0fead0b1f622b4e5c8f8384619159e0b12b08ff5bc875

        Download Submit

      • C:\Windows\SysWOW64\njguoqzkxlkclsq.exe
        Filesize

        71KB

        MD5

        49412c188533f92f8c7d185fd516c3c0

        SHA1

        172e144aa86022cc981fb6e92df4a4689196c9ef

        SHA256

        bd26e3fa562c6142d0b139a822bb39e556d36c67cecf9b3fd989228ccc6d76d2

        SHA512

        5fe5152b8f6df1ae85d3e009f9cef69ace0003ccbef978171023a2e0dbc2a7a65cf21acd9fe33afa32a8644b5e4ac51efc854c74d91fd1daf790d1b9a675cd75

        Download Submit

      • C:\Windows\SysWOW64\njguoqzkxlkclsq.exe
        Filesize

        63KB

        MD5

        de0c94c13e7990ccb073b28fbdc92905

        SHA1

        2f9009d97ebbb36589bd26b74ab406ecff11918b

        SHA256

        4918306737c96c36665a8892b74f05e644e328178e0922971bf2920623dd453f

        SHA512

        5867155182ec71d4412f128bc05bc4465fb52017bfd7b691dc50527f036be482a7a9315e1e7eac8b15ad60f8c6fed01e5dd8e1194bad03454214b65404dcf0b4

        Download Submit

      • C:\Windows\SysWOW64\njguoqzkxlkclsq.exe
        Filesize

        512KB

        MD5

        68c314131b375e0341de652f47b31567

        SHA1

        d79882ca5a44e664391bd4826828dc1497ffddd2

        SHA256

        b7eb84fec49e8dfdb58320791c01f69fe9370859e3a0b9f21e4ff4cdd60637c1

        SHA512

        702c71e73d7c5c2b83f0f98dfb9021f9b1d2f185c18b7abd0735a123d60051eec3e0d1b2043df23ac5cc96e3ebfb20f95a852e8778d8dd85886445fbfcdb7405

        Download Submit

      • C:\Windows\SysWOW64\qwmumhxd.exe
        Filesize

        51KB

        MD5

        628b9eda9b7b89ae3e60ca8066b24cbb

        SHA1

        c523a1e5c752e898949cc7241193bdc89b2a3ec9

        SHA256

        5f325389a2adc1328c02505a0ebc0cc255b2fb6b32199e5d30bac2501664be9e

        SHA512

        c48132a11a536d09f22ddb856c8ff8e7a5f875f60065c64f62a39f328688f2d183f019df0a737db3fa7089c2e5ba1b75b935ca7a127947d2dfa568758b6f9438

        Download Submit

      • C:\Windows\SysWOW64\qwmumhxd.exe
        Filesize

        90KB

        MD5

        48870f9ac7dddada77c46642ccbe71ca

        SHA1

        953a2c3a2e04b26a9cac5c786c73e65795c69477

        SHA256

        d6657c261b622455d86a8ea90fb6de4fe03f801def54c4dc4115b4f7707781e0

        SHA512

        a8366cbcaa4f2ffeecabf71a1828ff1b4f69a1aa9feacd7b3b5c7f17ccd57bfc867722910fe794542b06f383d14911e95bb3a78b5836caad38041fc4c0ec1a4f

        Download Submit

      • C:\Windows\SysWOW64\qwmumhxd.exe
        Filesize

        49KB

        MD5

        d6285bde9e2ee885acefcf12ddb911fd

        SHA1

        0def7851cd346cc53bdb846b1e952d602d477235

        SHA256

        232ff92151bc4456507bf1c3e7bbd0f04d43b7b418720bbe89481e86932aef93

        SHA512

        1de59168d45434a18ee6715cecc81d4e08f76c17c4252dbe4c1ba88a7010c9b464ef4c2f1ce5e78fe9d43b310f121505aa161eaada3f70dd8f84c679cdc93c57

        Download Submit

      • C:\Windows\SysWOW64\rlrlsgbcqergg.exe
        Filesize

        74KB

        MD5

        4f8b8ad8113bcd9003b8ade90e907571

        SHA1

        ad0ac196df29cc34fbbb8f72a0f7305c4e8dc622

        SHA256

        0d125192ac1b19fb7e130bdb8f16f6a14df5565bd9f7193d371aaa3298aa12c9

        SHA512

        010d7cb75a640f7e1ab980e818e8042e18889b5522e8472490791eaaa6011ff6851aad14c9da697963bf0d664ca224abd5e0ba79227da8ce2f5461fe67e173a8

        Download Submit

      • C:\Windows\SysWOW64\rlrlsgbcqergg.exe
        Filesize

        17KB

        MD5

        8becc7f85fd388aff4438431bf27a7ec

        SHA1

        9c78024c72058e836ca4122b507d30ca109136cf

        SHA256

        888a2a0d5271f660439003d1d838f6ec40a6eff2daf8655c316191126936902b

        SHA512

        935b1106c3dc09fe6672c19e0826d236cbbd03fb1375189519eaf1dc57496150fabea6722597b79b4ff9b3f0286866fbc68c5b914d46ce8f43ac4bd29aa3df3b

        Download Submit

      • C:\Windows\mydoc.rtf
        Filesize

        223B

        MD5

        06604e5941c126e2e7be02c5cd9f62ec

        SHA1

        4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

        SHA256

        85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

        SHA512

        803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

        Download Submit

      • \Windows\SysWOW64\ipuydnhprl.exe
        Filesize

        201KB

        MD5

        a42fb808ecf4dfc50ea3b292af3291ad

        SHA1

        8018e0c2e50952edbe5e4c26eff9487b84a54e89

        SHA256

        9b4b8ac0b8afe58831ef22c01a3ddd5fa9f85a283ca3307ebce00e5877bd8bac

        SHA512

        2f3a4ec831d61ea59a281301664850c1e8d58f230802312667d481dc29ed0b68b1d97784a531d57f5f66b111b4100651433faaa01e99d98971ac9010bde97aaa

        Download Submit

      • \Windows\SysWOW64\njguoqzkxlkclsq.exe
        Filesize

        111KB

        MD5

        d19e7634163d56122b141918decd06fb

        SHA1

        5479c0cf53c814d564995ebfc341ce93de1dadb7

        SHA256

        0cf01383d883475d399f8d28f8116958e925a7b371f3ca15527e0f1b1a47e624

        SHA512

        da9ad571d7348dd6a0652ea1ca5587bd288db1ed5c85259e46a89c36d2c49e5eb708f1e8b162f05ec8d4cb62116f1775cc7a2d4746c0f53d70fe96fb998688ca

        Download Submit

      • \Windows\SysWOW64\qwmumhxd.exe
        Filesize

        71KB

        MD5

        f44ccdc94ec1419fb4a3861481a343f4

        SHA1

        5ef47ba27b8c08f57bd4e050e0663e991d388635

        SHA256

        a61340a9127fdd0249741be44fd8759d9b8afd7858700b7ed7b2ef154150e54f

        SHA512

        68cdf0609333de7da638426d61c599098663e7adcef94ff79ff4db40859b88564927f30675df85398c6ec6603f96a586f7d7a04a37b2ddabf8e7cb9a4129f0c6

        Download Submit

      • \Windows\SysWOW64\qwmumhxd.exe
        Filesize

        72KB

        MD5

        d0e291a1dababd5031bf65553d271402

        SHA1

        f3dc91e946f6a6f04f28b18e6143baaba98af3fd

        SHA256

        49571e7b79b1f8d792b4f773f3ffc4e1f86a068155ed6ef969b901730854ccf2

        SHA512

        57cea93d7c421456a9e541aebc5121339aa1c162089147ea3608540cb8371c285e8d7c7993eb757baa3e6c4d327fb3244b1ece73f720cc061a49e8eaf5168e1d

        Download Submit

      • \Windows\SysWOW64\rlrlsgbcqergg.exe
        Filesize

        27KB

        MD5

        9e696f19802dd14d5d6b5bd6c93b8cd2

        SHA1

        44d1ed37eef83b84ab752f089b4fcbd00f4d225d

        SHA256

        6da95093c1177f25a593c2cb1cee2320f571ce0d67857385a656c4bfda0edae3

        SHA512

        d13a9797f06312caa5d0314823ae5ee806fd9ee2744e7f393a58381c5463ef215c765e24b96c3780393b14bb34346233cf8fe4f976c142efd2949d256fc95782

        Download Submit

      • \Windows\SysWOW64\rlrlsgbcqergg.exe
        Filesize

        40KB

        MD5

        b4f79c9ec51207583609dc93e31224a8

        SHA1

        067645c8a86172623bb2d281fdefcb8ec9599522

        SHA256

        c8ec0bf8f9c4c4e71166d2319f815df593a221a260a263fab31905adf9686a31

        SHA512

        61b8759b1fa9f4ca4bf45841af5b905b0c0b3c186ea27e788a9e7b64eccb4e4c8a7e4558e442b7b42020b8d3aff15dffd6c7c225de0fe6f422e463420d8b4390

        Download Submit

      • memory/1944-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1944-46-0x00000000718ED000-0x00000000718F8000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1944-44-0x000000002F9E1000-0x000000002F9E2000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1944-73-0x00000000718ED000-0x00000000718F8000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1944-94-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2132-0-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download