
Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
  • submitted
    26/12/2023, 11:11 UTC

General

  • Target

    69e0b698b55ec6f5a0fbce20d487a8d4.exe

  • Size

    512KB

  • MD5

    69e0b698b55ec6f5a0fbce20d487a8d4

  • SHA1

    dfc5cc42fe6b29a619ffb96926f09e39786572e2

  • SHA256

    9ce290a5cff2493a8e029645c1e4e7b15fd9bf333891db0b1c743aef8e977fda

  • SHA512

    aaef2305d53d4b809fca612cbc02e386f4772d97cd94771e8c8dfd71e15e5e1095c1339f75b6d624aaef48fb245fa3ea5f2b482e0372875c930c8a914c518bde

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6W:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm53

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69e0b698b55ec6f5a0fbce20d487a8d4.exe
    "C:\Users\Admin\AppData\Local\Temp\69e0b698b55ec6f5a0fbce20d487a8d4.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:928
    • C:\Windows\SysWOW64\moljchnjaq.exe
      moljchnjaq.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\SysWOW64\pjkwndij.exe
        C:\Windows\system32\pjkwndij.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3012
    • C:\Windows\SysWOW64\wsrevpwnnvnmrxe.exe
      wsrevpwnnvnmrxe.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2764
    • C:\Windows\SysWOW64\mrwaypylfnivt.exe
      mrwaypylfnivt.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2664
    • C:\Windows\SysWOW64\pjkwndij.exe
      pjkwndij.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2676
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:2868

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      4b14af30f5ffc4ae33d667e375f5e973

      SHA1

      a6333462026f9a0f3b96313713fb4689abdc0ec5

      SHA256

      02dbff61880208bb6b617d3d6467c1c698058caec57d88b587bc64987a45fa5e

      SHA512

      f2366fe87ce8776d0a82e6dac5c0571609d495f632fa657bbb6a85ef96f56e0886879618c7ef3275cd2d8849872c21b5fff3717fd93a543bb0e8bd1bae0a046a

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      b456281a684081f20dbaafa1ed3f99fe

      SHA1

      449b76870a6a8f84dd35fd1afcd0575e00cb5956

      SHA256

      a851f489556eea298f21eba0e073d70217265a3a4a32a6d3b85314dcb6b11fdc

      SHA512

      2e7a54a59a4da07af6221cfcd7101f110037236dbfed0d3a274c2863f8e465f01c89b6c7b82babe02b6ff14a5ccd8e49040c6ab6106b8a7820bc9b1b6bc9becd

    • C:\Windows\SysWOW64\mrwaypylfnivt.exe

      Filesize

      512KB

      MD5

      e234797a0973eea83cbe10e0a2111bd7

      SHA1

      905fadcba778127a2ec9d11f4278310daf150e03

      SHA256

      3a56a272cb9f803b700dfcff722e38f7b843b73e56f64337015db9d96bcb6b05

      SHA512

      1a63ec5ad200f6dac86ccabd72753572aa53d3b3e927c223776b0c9997cfeb33976a00ee7a5c91df33ce80dc9fe32d47548939470cd370a488a2651907476b8c

    • C:\Windows\SysWOW64\wsrevpwnnvnmrxe.exe

      Filesize

      512KB

      MD5

      17f399cc05d3ce8b0a396c3c3500f454

      SHA1

      8bd81c1f8a458334a054f4f367e535291cbe59dc

      SHA256

      ad425277ea46d341fea7f68553c71e74acc00014c0380a367b516e7973f203c9

      SHA512

      1cf318778c620226c7efaed6fa7b7d78d661c091191216a72026f74f60f4d0904222e2887bb66d05476589760b3d6caed2fc1e910ac182d3a9e115c2a1b92794

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\moljchnjaq.exe

      Filesize

      512KB

      MD5

      e0306a46ffee27eaf5dc7269632f694d

      SHA1

      83010eef0c42b136807b5542ced0f0d4e8169234

      SHA256

      f66b47d1e81111abaa4aa6fc0565c4124100bbd750d12cf6e81ffad3a73a3bc2

      SHA512

      1991643301904d4ee1ace8c4e5e8d80a15774e4abe04ea3346cb2f29a3e978db2934bf7cb0510f5968a2237f7b02e19ebd3b0bfff5c723ad4a2fb1a925773385

    • \Windows\SysWOW64\pjkwndij.exe

      Filesize

      512KB

      MD5

      31a801e21273adaa1ef2b46668d4c416

      SHA1

      396c8ac5f5b02ef0f4f5b74b0a1fc5ef58973bcf

      SHA256

      45809c2608443f08618a3bc04c2449eee5fa3c02d9155e38ba6339a1ee415dd2

      SHA512

      dd2f4d1df6a4df440706e2e55178763e33fad3f0b857aaecef1c1fa6708b2a7e3ecec805ce8f8833bd3a03b57098b9c0983608375f0c110b34b191e1ad6043a3

    • memory/928-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/2528-47-0x00000000717FD000-0x0000000071808000-memory.dmp

      Filesize

      44KB

    • memory/2528-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2528-45-0x000000002F461000-0x000000002F462000-memory.dmp

      Filesize

      4KB

    • memory/2528-80-0x00000000717FD000-0x0000000071808000-memory.dmp

      Filesize

      44KB

    • memory/2528-101-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB
