Analysis
max time kernel
37s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags
arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted
26/12/2023, 11:11
Static task
static1
Behavioral task
behavioral1
Sample
69e0b698b55ec6f5a0fbce20d487a8d4.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
69e0b698b55ec6f5a0fbce20d487a8d4.exe
Resource
win10v2004-20231215-en
General
Target
69e0b698b55ec6f5a0fbce20d487a8d4.exe
Size
512KB
MD5
69e0b698b55ec6f5a0fbce20d487a8d4
SHA1
dfc5cc42fe6b29a619ffb96926f09e39786572e2
SHA256
9ce290a5cff2493a8e029645c1e4e7b15fd9bf333891db0b1c743aef8e977fda
SHA512
aaef2305d53d4b809fca612cbc02e386f4772d97cd94771e8c8dfd71e15e5e1095c1339f75b6d624aaef48fb245fa3ea5f2b482e0372875c930c8a914c518bde
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6W:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm53
Malware Config
Signatures
Executes dropped EXE 4 IoCs
pid Process
3320 ynvbogbuiq.exe
4628 pzhuyizqydxfxev.exe
4812 rqalfsjg.exe
3208 omndtyaxrmpgl.exe
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule
behavioral2/memory/3316-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe
behavioral2/files/0x000f00000001e516-106.dat autoit_exe
behavioral2/files/0x000f00000001e516-111.dat autoit_exe
behavioral2/files/0x000f00000001e516-113.dat autoit_exe
Drops file in System32 directory 8 IoCs
description ioc Process
File created C:\Windows\SysWOW64\pzhuyizqydxfxev.exe 69e0b698b55ec6f5a0fbce20d487a8d4.exe
File opened for modification C:\Windows\SysWOW64\pzhuyizqydxfxev.exe 69e0b698b55ec6f5a0fbce20d487a8d4.exe
File created C:\Windows\SysWOW64\rqalfsjg.exe 69e0b698b55ec6f5a0fbce20d487a8d4.exe
File opened for modification C:\Windows\SysWOW64\rqalfsjg.exe 69e0b698b55ec6f5a0fbce20d487a8d4.exe
File created C:\Windows\SysWOW64\omndtyaxrmpgl.exe 69e0b698b55ec6f5a0fbce20d487a8d4.exe
File opened for modification C:\Windows\SysWOW64\omndtyaxrmpgl.exe 69e0b698b55ec6f5a0fbce20d487a8d4.exe
File created C:\Windows\SysWOW64\ynvbogbuiq.exe 69e0b698b55ec6f5a0fbce20d487a8d4.exe
File opened for modification C:\Windows\SysWOW64\ynvbogbuiq.exe 69e0b698b55ec6f5a0fbce20d487a8d4.exe
Drops file in Windows directory 1 IoCs
description ioc Process
File opened for modification C:\Windows\mydoc.rtf 69e0b698b55ec6f5a0fbce20d487a8d4.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 7 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 69e0b698b55ec6f5a0fbce20d487a8d4.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352C769D5683226A3376D770242DDB7D8765D8" 69e0b698b55ec6f5a0fbce20d487a8d4.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB5F9BEF965F2E584793B3181EA3E90B3FD02F04260033FE2BD429E09D3" 69e0b698b55ec6f5a0fbce20d487a8d4.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB2B02B47EF39EE53C8B9D1329FD7BE" 69e0b698b55ec6f5a0fbce20d487a8d4.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFF8A482E856E903CD62E7D94BCE5E630594A66476342D798" 69e0b698b55ec6f5a0fbce20d487a8d4.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F068B2FE1A21AED109D0A58B799113" 69e0b698b55ec6f5a0fbce20d487a8d4.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC77514E7DAB6B9BD7C90EDE437CB" 69e0b698b55ec6f5a0fbce20d487a8d4.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process
3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe
3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe
3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe
3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe
3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe
3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe
3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe
3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe
3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe
3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe
3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe
3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe
3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe
3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe
3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe
3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe
Suspicious use of FindShellTrayWindow 12 IoCs
pid Process
3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe
3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe
3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe
3320 ynvbogbuiq.exe
3320 ynvbogbuiq.exe
3320 ynvbogbuiq.exe
4628 pzhuyizqydxfxev.exe
4628 pzhuyizqydxfxev.exe
4628 pzhuyizqydxfxev.exe
4812 rqalfsjg.exe
4812 rqalfsjg.exe
4812 rqalfsjg.exe
Suspicious use of SendNotifyMessage 12 IoCs
pid Process
3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe
3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe
3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe
3320 ynvbogbuiq.exe
3320 ynvbogbuiq.exe
3320 ynvbogbuiq.exe
4628 pzhuyizqydxfxev.exe
4628 pzhuyizqydxfxev.exe
4628 pzhuyizqydxfxev.exe
4812 rqalfsjg.exe
4812 rqalfsjg.exe
4812 rqalfsjg.exe
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target
PID 3316 wrote to memory of 3320 3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe 93
PID 3316 wrote to memory of 3320 3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe 93
PID 3316 wrote to memory of 3320 3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe 93
PID 3316 wrote to memory of 4628 3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe 94
PID 3316 wrote to memory of 4628 3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe 94
PID 3316 wrote to memory of 4628 3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe 94
PID 3316 wrote to memory of 4812 3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe 97
PID 3316 wrote to memory of 4812 3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe 97
PID 3316 wrote to memory of 4812 3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe 97
PID 3316 wrote to memory of 3208 3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe 95
PID 3316 wrote to memory of 3208 3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe 95
PID 3316 wrote to memory of 3208 3316 69e0b698b55ec6f5a0fbce20d487a8d4.exe 95
Processes
C:\Users\Admin\AppData\Local\Temp\69e0b698b55ec6f5a0fbce20d487a8d4.exe
  "C:\Users\Admin\AppData\Local\Temp\69e0b698b55ec6f5a0fbce20d487a8d4.exe"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3316
    C:\Windows\SysWOW64\ynvbogbuiq.exe
      ynvbogbuiq.exe
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID:3320
        C:\Windows\SysWOW64\rqalfsjg.exe
          C:\Windows\system32\rqalfsjg.exe
          PID:2616
    C:\Windows\SysWOW64\pzhuyizqydxfxev.exe
      pzhuyizqydxfxev.exe
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID:4628
    C:\Windows\SysWOW64\omndtyaxrmpgl.exe
      omndtyaxrmpgl.exe
      - Executes dropped EXE
      PID:3208
    C:\Windows\SysWOW64\rqalfsjg.exe
      rqalfsjg.exe
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID:4812
    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      PID:2024
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
32KB
MD5
f9f424d782bb8ba955a489ada125563b
SHA1
d2e1141ee39c24d4fe8612ce3d300a0fa0a52885
SHA256
1a3e518b49f834b1ce257845d7d6b1763bcac3c6b5b936d493978d899902dba8
SHA512
fc95e84827b9bbcb52e314738546e04a51797e6c0389526b9487c74401a39a551edf934408f74d868320d437afd5035aee1896e5b0d669cc5c0c72754596b76c

Filesize
41KB
MD5
985acfef3b37f60475c3158ffaf26a6f
SHA1
b6bd7c2b926750b06a9a0517166e4a17c4cdfad6
SHA256
8702eef355c75ed4bc04625b9e332a92596db5aa23728ee0f1eb147951812adc
SHA512
206bc3ef04cf52ef574f9c8a57c7b076e9d21ce513089d6282f528039029dacebd7ed0a48a7c483deaeabef604bbd16eb6ecaa9c25f8e1646f2cba2649c323e0

Filesize
8KB
MD5
13efb428d64d5ecf994c768eef7fec5e
SHA1
18e73d090399e5b0d2db6b709b69bbefc31c417d
SHA256
a0174ab2dbb93e6f8e696cc77a0e68353f9aa802c28e9173c15dbe1166c1671f
SHA512
635c8bc355ad31bb4523dbfd7d8cfdde0cf5ffef1f3dc649ef3b6e32822c2df134480cf4d254f84c9ffc12bf028ed7cf443a081df85fcc67ceb4887b5cba005b