Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
  • submitted
    26/12/2023, 09:59

General

  • Target

    658e7379a10fc02deab35987b5b9c9e7.exe

  • Size

    512KB

  • MD5

    658e7379a10fc02deab35987b5b9c9e7

  • SHA1

    b056a36f59c8f1ddd34713cc4939764e34ef9c98

  • SHA256

    d13e693c2f11aad7e810be1be2276653fc747d3b6c8781af20c769c18eb95556

  • SHA512

    c2b28701d9967e07b620d11d5226f872072ae46a75fde06ccbbb122270bada6596491ed91e0db1dd6192f1e331d0e67a6db922684467be98d25abc7d22b2d164

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6C:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5B

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\658e7379a10fc02deab35987b5b9c9e7.exe
    "C:\Users\Admin\AppData\Local\Temp\658e7379a10fc02deab35987b5b9c9e7.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:264
    • C:\Windows\SysWOW64\uvkksscncl.exe
      uvkksscncl.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:876
      • C:\Windows\SysWOW64\lxoiackt.exe
        C:\Windows\system32\lxoiackt.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3568
    • C:\Windows\SysWOW64\yzzzhzwhnfpurmi.exe
      yzzzhzwhnfpurmi.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2520
    • C:\Windows\SysWOW64\ivnpzjbccuuhh.exe
      ivnpzjbccuuhh.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1792
    • C:\Windows\SysWOW64\lxoiackt.exe
      lxoiackt.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4024
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3276

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    3c18e4aa67d2b20e6a5935e5c1264dd1

    SHA1

    b2e3073c934e1b2e91b411e330b7cfd24e4592f2

    SHA256

    fc2974194e50f07f15381da93640fe3dd36301fdf1f9efe2a5fbeecfa06fe04e

    SHA512

    98ad20dcb0b7ba2938c004aa76b018cd057fc94df2bc7fd674fd424d7a5b89b7357b3db3276cda8c32faa743020e00aedb8f74be7d1cb4004a56db5091a094eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    80161a87c4203b505ad77a59a1cdca79

    SHA1

    ec65d85c00fa4204db890e61753a3718d5153afb

    SHA256

    5ee175cd2a29588c26775023617abe27decef92eaef0c7b613d3f060ffb2c4b8

    SHA512

    532ad3ce3325a9ce692fa0cfa067518403ec75208e839b8419dc409b0a46d4b2a720e95f98442896047eec20ee6a49269eee7a17e695dfb8ea2af4f30b5a1c20

  • C:\Windows\SysWOW64\ivnpzjbccuuhh.exe

    Filesize

    512KB

    MD5

    02c82309ed9b224cfa35df50f7451fea

    SHA1

    7f6f30f2731c2dbb3202597c1144805cb15b1198

    SHA256

    6a32de6233434eeb117d73696c03152e73fc6ddcdc1cb41d85980707aacb07c3

    SHA512

    e03c969a512234e0d4d8c387d597c55c8162d50d5a58ffc4ea0a9759c06ba5c0b522a4b822d52d7c884daeb3f91f07fc83324da2b4f6035c18da30506d8736b0

  • C:\Windows\SysWOW64\lxoiackt.exe

    Filesize

    512KB

    MD5

    c996ca121ecbcc01bcc6a522a5dba228

    SHA1

    13f77fb41069cf690867cf13777b43964ec98617

    SHA256

    c3ce7c17ae286fd1ff6906a90e36ac811e7b695483dd21160e2bb52a38ab8f53

    SHA512

    a0831a4b7fff306a4888f5574a804dfd83808b47496ebb5da9bc6cc4832704fa2656c11ec5b352c5f5572ef73fb501abf0f0d7d5d50d971e668567e99b221c78

  • C:\Windows\SysWOW64\uvkksscncl.exe

    Filesize

    512KB

    MD5

    d486ee08cc8fb85e720cd6debb2e8bb1

    SHA1

    b82b7b33ba54fd9975bd779ba87306eaccee0473

    SHA256

    acc878f05db16e093f445aa5fe05f8d1a733838cee75f897d507c7d8606ee7a1

    SHA512

    964c719c8f0be4a475fe183adea95acead6a906e5b82a81f307e47f9169a682040c959a13451f9dac3e86a48a40f6d053c2723fbf0086b465e1637a6754d0dd2

  • C:\Windows\SysWOW64\yzzzhzwhnfpurmi.exe

    Filesize

    512KB

    MD5

    b4993686a9303b1be989e72908c351c8

    SHA1

    28b866ab7a71cb74cec1f5fe6ec24c6c52ec64fb

    SHA256

    f6bbff4133888b089c033587bd20e946bd3851980aee725d6c5db245022c3f2d

    SHA512

    e5e95bfd7c69c3edc7004baca628fb122ce574ab27546c1d51139ded4629c78bd692be9300df022b80079c03101bb8906ac705c865942f066824a6391ca2575d

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    0bcefccc6212f59539c8305f7cba9461

    SHA1

    0b1f641538b7f3b3a415cf11496a970a84ea1a54

    SHA256

    67d5541e020386f47dc6088178216ff31b487523edf14f7640897fc8d7585b80

    SHA512

    3f95b03810aeab4aed4735e0523ee80fc4136a7c2f83c946ddb940946a7c79192e06b23eb42ac404b5ef70d19cbbe4476e7ec293c48b1322b4a80fb12baf6c19

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    86KB

    MD5

    05d53073f755dd677cf809335471ba55

    SHA1

    6f22614c07b7de97e8f4c67c58df004df89bbe3b

    SHA256

    f4c193e283a44e96ee9da022ad2198face202881b3fd8e25b1fb80df74e19d6b

    SHA512

    6f604791cb9588c1d7002a527b9a12ee1437987ca8eebed5c0c78440530be75bbeff6fbb8b4bd10413ec7fa88f2513f0c1aa88bf3621f2b6670ae4332742d3ce

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    85KB

    MD5

    27623bf17711551baa843bbab18a4b07

    SHA1

    2d6d50bab42c5defdd9bdf3f14fb826853558392

    SHA256

    6a2c1908feaaa4585f579f19881c7fec6c64bfe38500306f55eaeb5fa0a7b368

    SHA512

    53f01abdb0a6c91cedd6e7bb705ad27f9dfc89722bd6bb07ad9df87ff00ca5c9fc6764706ab6edc018fd90f519cf4d12af670416b3fff7cee5e6aca87e9f153b
