Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
28/12/2023, 22:40
General
-
Target
fd63cdc6ad0b5b4a7500a7084e112b1d.exe
-
Size
512KB
-
MD5
fd63cdc6ad0b5b4a7500a7084e112b1d
-
SHA1
a761149a9e8add86b0639045388fae73534ad4e6
-
SHA256
d339d5b92f7fa93f65e87a24a565d37ea3ff48d4818f04fdab0455848fa58b34
-
SHA512
062ff33d11a8fb71a027a7f0999ad86e12ee200e3f6b3c980d1451da8a5750ca8fb47fd7a8165beb68198a5fda6e24b16ea8a845aca96d48bfbc3062f4685230
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6c:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm59
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
AutoIT Executable 18 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 12 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd63cdc6ad0b5b4a7500a7084e112b1d.exe"C:\Users\Admin\AppData\Local\Temp\fd63cdc6ad0b5b4a7500a7084e112b1d.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\qmiswfpgfbndn.exeqmiswfpgfbndn.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\gowidfvt.exegowidfvt.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\rzwzbaawepywvbm.exerzwzbaawepywvbm.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\mbvimomcss.exembvimomcss.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\gowidfvt.exeC:\Windows\system32\gowidfvt.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
157KB
MD524f623875fe84e4213b5aba3acd94e0f
SHA1d3844313fdd17bca5f26bf87c8a731be37074bbe
SHA2566cd811e88ef3ed6ffbac89e664a7a9fa119181b7bbe393ed2ba35fd8a251ed23
SHA512e35a5253cb0f378d83bf1c20c81b63c35386e21216fd2b8facd241354c4c5817bbf1b57c58e881fa653409256d1e2ac20389f7a08db149cd1283c2fc2655cf1c
-
Filesize
512KB
MD5a9ce151693cf9baac0a0612e0bef18c4
SHA137244dd9f504ead9ff71953d1715d1c1a3ec5854
SHA256d2be773d8ceb80969480e33841c2c562f67bd3698bc7f3cde3b128d595572630
SHA5128c2589307c2d081d75cbb1446c542826239f79f2f5e56361ad8c661c4e7ec8d7d4fa8d61f6ed993cad3b242e3580a51da5426786a34a18ecd3ea8f3d3c1cfe95
-
Filesize
239B
MD512b138a5a40ffb88d1850866bf2959cd
SHA157001ba2de61329118440de3e9f8a81074cb28a2
SHA2569def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA5129f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
Filesize
3KB
MD55fdb6f98bcbb1a99618256efe2246bb8
SHA179cd347616449211d5f8891dbc83e2915cff8055
SHA256e2f3732db5e4fcb6b8dbf68100cab78d798eaaa6b771acbc1b0aca1324a2db90
SHA512c6a711db99785ec2c87d58d9f91dd1bdfa68848dd7ad6aac821a12013f6dea6c3a064c338a0f0bef695fcdd44e1813499fa720c8efd67dd0d00418951cb4ab5d
-
Filesize
3KB
MD5958d966fcb41daa8c0c394aa7b6337d0
SHA1972b32ad2108d92cf0d5faeabfc43792aaddeb3c
SHA2564d7dcaecbd7c023d77f33f3bec0fed2b2c2bf8b12826a1607495656fdab90f26
SHA5127426902a504660b78ad47f0adbba6a8883ca46d10009966b5baf5adf76a41a9eb3840f5737d48d08797f1c2d453978b6bfb2285c217f313547298e7992d265be
-
Filesize
512KB
MD5a67043face8f696bbd86c255bdfe3ead
SHA18b0c483ac655b880821f529f74a5ef2e3eedf428
SHA2564dac901021d50ae14fd881da76b24186a06527a48bc3e6aef32dae99fddede3a
SHA5125326fe7c1a81e1510c05436779181e6ec0977630f2eaa6c57f4197246d66441358cfc88f4fd3ed184f3c7a2f13c6deda0f167dc38a4c38c75c0ed28b1865ddb0
-
Filesize
512KB
MD55e2f8be176fdcaa21bddaa98e2c86fb8
SHA1fa92c2ce0ce4a4db3fb0132a6cdcab689b66403d
SHA256343632e91566e586841352f84ecba06cf3e48b1fb94c9ba2b76cd7a6b1ae46c4
SHA51271d4e8554a72399df3984500e671411d49ad7a49d0fbc85f1b669d881803d2f738bbcacca1c04e2879b800cff1f9f77c0c8c1638bc4bbf0fb100e25a08006815
-
Filesize
340KB
MD582ccdb21ad2872ccac9ff3f44d509e98
SHA1b7b54a11112e3d68f8adf800a3f139881654c795
SHA2566f6d2c7e2fd084736607cdd5e63d98a17278a3b2b94ffad50389b73d4a4560b7
SHA5126b4e87e705741860ad7b14bd75d4b58fd33c5d42444a7336a49f95aa96d2cb0c3f3cbf7dfa7111e8dbe878869d0e6a49cadd209a8d89d90e982022dfa934c40d
-
Filesize
432KB
MD58007bd8c672da930bd254124aad085c3
SHA15bf0cde877809e66ce658927b54d1b83719f9bf9
SHA2567e476ba8cb550b4184168519ed3370ed17a2d1d830fc8d557856ecf2693df92a
SHA512198060e83918a309ea113ad59acc0455d688ec3ae7b7f1f9d248a8ddbc871db1115db8cd26c48f643ac983a8ac6a06d867ca1edc1764b188cad4e2a1f18d4649
-
Filesize
238KB
MD5453ff2792fd2d92ea22fd27b894ad4da
SHA1ad9317b08973ffa461dda8d2cf23e7b2035a43f4
SHA2568fa98362ac6fff5ab38ae22fcf1a852e70881a99402638f78fb16615ac2747c4
SHA51245da067642397bf28b820158b99a492849b2837d93614e8583747b2df9bd967a90934d9283652c5962276a742c6c0442db9480cf45e60d4653e7b8e50ec7e566
-
Filesize
474KB
MD5c2dfc11aac04e2f3ad7df65693cc5eb5
SHA1d03e413efb205f49f3d88e9530dd9131794e1f00
SHA2560e1bbe91d41a3b70f2fc439e501930d3d6c2c55c7081c425f078c1daf66f7428
SHA51216fab7c13c5095fa54a1922154ca3c19d53bb038d361043d49ec7156d7e22d0b8200ea43b811f0d79e29ab75cef53898748efd25ba1d07455a36e9509fd241f5
-
Filesize
305KB
MD5c4644c8cb06179c3155f0f46448e2c53
SHA1fdc304c0857ecde34ed3d85b4e0aa04fe165d764
SHA2561a0f92b39060cdea0a250748018310f0768cb7d05dd233b038f9d86e4bad080c
SHA512c1bab1645d97ebd9deb972862284ab3378120ba9a2ec57f71425de5568c1154ebe5f9b3acc07f6f1da242559157c68dad4d3b7b5406cb8425ff7c6fa4fd3f4d8
-
Filesize
204KB
MD5dadedd389da85877662eba2d85c55fa3
SHA1204ac06ae8572548cb7cabe440c8f4eb931ada0b
SHA256a5b02bb1040c7214ea0d8e8b9f2473602140d9a2d710732d0ef3844e7473fc68
SHA512baad799e7aae2f84ef691b6afc58ff364357cf5f09cb5c41efa31b71105de2b4cd717baf0693c59ea2298b9fe0c24ac22d4510d2259dc95d2be86b1aced9959d
-
Filesize
219KB
MD583c27ef643ad8cf6b43ed5c5fa297185
SHA1cbf7b16b0886c9a6c6a1ff7dd6926c003dd25bb0
SHA25684d54bf45e1801b3ba60dbef303de370e8bc7be359f005ba14ca5a65de653b78
SHA512a7b956e3b23d9bae8670d31de2f49df616fb8fdaee4c54d8246948201680b0dff7938d791c03891d07612033d66402eeb3646a57f2125f8106d5cb1ca134d1e3
-
Filesize
333KB
MD5959fc1527417a2ba7f7bb33696a5a28c
SHA1d0357b0116a007a3516d6598b4a9cf5fd745cdb0
SHA25671420db950b18c7ed11dfcec1d2424805f3eeb1781b99fd781d0959f0ff34be9
SHA512bbf0cbbab1be78c53e567bdd54c5acbcbf590a0dc93ab20404a8dc643f09e23c38ed3627f618dccb7051ae7dd0e6ba4166f2701cfb0dbba7f89bb0de01d915f3
-
Filesize
360KB
MD5729261ca5475f71cba8f866d55f06cdc
SHA1a8bb26a5eb78b2d41544cea6b2dbde39e70b38fe
SHA256139cba3fc4a2e5ed6b22378a95b4c90202b69da6f6a7ebfc8a50b481761792f6
SHA5123c9d20fb44a234913f7811e740252a784c5e80569fbfb02122d879007796bbf8cd2d994d143e70b5b54b4d35e9bf07084095faacfb52748ef61cbd7735264cfb
-
Filesize
470KB
MD593f697d015930fae33947f87f1441504
SHA1ce730379d56a30442b3dd0d0601169519f0dc445
SHA25610e571f176b3f1d3d9f377ded7ebdd1bb028d97001f840521df39df6d660bc76
SHA5129a55f111e3954487235b12772e746b4548261f4769314af8e6f621c2ed99749722c4bf223afd93e1275917ebce6a51915e5256912e809bb346d907bfcb0d99d5
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD5304b9429e6c9e884f577d8445f2570cf
SHA129b7e91d9f9e4f0c383d9e78bdfdd0198bd67200
SHA2568dd09c14d98d329343944e497fcdeb813acefb647173ff7925c7dae829cc6801
SHA5129b535de254f6330d372a2e58a84be9cbf81cbc27b10518685dbd2755a367fffd3ad2ce3fbf5db7e2c13a0da5f7afd9091c3b7c6123d844844db0707790ffcc06
-
Filesize
263KB
MD5645a670fbb21c136049f10b236bb31db
SHA1f84cf78865828831fe9baf86cf8b200b76d4ad01
SHA256c7ebde0b47834e561dd7d3ffd2b868331000fdd68f0fc10f1b86069f84bb76b5
SHA5122d81fcda156324b8789ce15e05d99279ca8f3ac246cec8f2f3acb3cda3eda905544c1912e48c634ffe228e4cd67ff527e3e76adad54214a78aaa3b4c6f136239
-
Filesize
512KB
MD5d54b9cbd695e3cab734506d0530cce26
SHA154f28915f9109fe19c8408c5d412ab362a501329
SHA2561dafde3cd0835bd5b5532a9fe64cfb2904ee2e20bfc1dab721b223335b7dda3a
SHA512944a0e83df9314947f591819d0ba1749c7022777af00416f80986e09b279e7b5b30093c7dd92ff2b2a2010214c988292023abc1f1f7fa271592a053b715fe397
-
Filesize
600KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB