Analysis

  • max time kernel
    164s
  • max time network
    178s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/12/2023, 08:01

General

  • Target

    12e22d7ddba3199c80f284b55a67c778.exe

  • Size

    512KB

  • MD5

    12e22d7ddba3199c80f284b55a67c778

  • SHA1

    4f91a165006d8a0a2b4a27fc0a50f059e4f39b2e

  • SHA256

    a9894fb73d6b45cd1f47e13a0d28e38082a9d81efdc3b725d45dc6c9f3973d55

  • SHA512

    2399d9649f2a1d2db0b2a8d97f1c7fb5335182303e169b2a6d56ab8839d8c90f926352371564701c29b52cb4153e3ec3c9fefec07e83a10a7a5d19db58246caa

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6i:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Z

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 19 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12e22d7ddba3199c80f284b55a67c778.exe
    "C:\Users\Admin\AppData\Local\Temp\12e22d7ddba3199c80f284b55a67c778.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4772
    • C:\Windows\SysWOW64\blftvtciyt.exe
      blftvtciyt.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4160
      • C:\Windows\SysWOW64\aaanctne.exe
        C:\Windows\system32\aaanctne.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:5044
    • C:\Windows\SysWOW64\yzbexqnacspmwjd.exe
      yzbexqnacspmwjd.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1860
    • C:\Windows\SysWOW64\aaanctne.exe
      aaanctne.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1856
    • C:\Windows\SysWOW64\zfzuzqrpaledt.exe
      zfzuzqrpaledt.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:5060
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4432

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    fc29526c739725034c5e1220f7f4a01e

    SHA1

    401788e8267cec0fee2069c572cbc237d0a6e45c

    SHA256

    530b8e01cd35bb0b4a0217dd2d8a2847de3a16b056c5ddda72c60d910107b80b

    SHA512

    af86466721fbec0ab3d3d8e804a10d235a757ea7143d50f4c3886ee4d47db17bac320510c2de559d38fb0f15a5d4462056b40228477f594beab129f06a9fd641

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    dc85b7f1bd8fe202fbff42bf1255a3fa

    SHA1

    42b60739cf8fb21c5d403535aeb7e396115adb3f

    SHA256

    7f60eef9b197aafdb0129e053ad483be50e4acf69a2f10ca3642a87b45ba03b0

    SHA512

    31570c5cc8eff6261e36b0a64f1f9817f23ba8fb8d927f2d285a1635030ed9411af54bb86758a12441fafbf34814284abda8a6f88af653c879159d7a5f7ca0e7

  • C:\Windows\SysWOW64\aaanctne.exe

    Filesize

    512KB

    MD5

    b9fe2cc3844684b879b0a6fc41b7194c

    SHA1

    95f9d74e6f6ff52580227fddcf52a967ba180e67

    SHA256

    33e26bd4fd1bb62e8662c0380a316510e85c5e8b9b6fd61b4547bcb75e04b8c2

    SHA512

    841d927d2a6880311cbd8d6570d734cd0fbabba533d4314a130c880cae4e8e37956c8a1a8bbd52c356953bc47c4271fe10e127737c37fa4a37a61ecf84a14b6d

  • C:\Windows\SysWOW64\blftvtciyt.exe

    Filesize

    512KB

    MD5

    48ec50caf53235b789be2240f27c0716

    SHA1

    2510bad00638262d0f05c81872f240c5c30cacec

    SHA256

    c7a2fd019697cb501ede96f2f3ae86f7a4f744252a0478f9d9669732d4a748e2

    SHA512

    06f2f512e582a9ec45d3d6465aa2cc4c8b46413770e870e8333b4b209c6bc5d912b1997d5aaad0fe177eeba79a732615d34584d50d6bcb102a037830f5f30ebe

  • C:\Windows\SysWOW64\yzbexqnacspmwjd.exe

    Filesize

    512KB

    MD5

    ac8198d214e8b50f48d3a0942dc9c245

    SHA1

    583fd8cbca936e6361ff85f7713ddcf2d3a6b12e

    SHA256

    7ef5f1bf73a4fa504561625abc0ae5359196d3c20e31ec560586ad567b19392b

    SHA512

    a04ddd22da00a96eb60f6f54b76ab98a04c997d2224c2db794002bbbb3c8b9372e361a8450651043ae0c9f04cc567d08cb97c37f73c7f0b924bcb24197652e90

  • C:\Windows\SysWOW64\zfzuzqrpaledt.exe

    Filesize

    512KB

    MD5

    d0a6400d3855d29f79c9bec99439ebbd

    SHA1

    5bed033bbe0f23741803a88e84bdbb7937efdb76

    SHA256

    4b7002f586c9a245b5392ac9ea2c96bf37db6f8e4b20457056b432e1c72bbbca

    SHA512

    38fa2719a9b5f4c526879e8e51e27b4fd572ed0c34cf4d4b5f26c7ff2a769b087c17cd0208ed0dce5c2118b44f339c578a2ea9508ae270c0c46ffe9296e8a025

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • memory/4432-44-0x00007FFC51370000-0x00007FFC51380000-memory.dmp

    Filesize

    64KB

  • memory/4432-39-0x00007FFC51370000-0x00007FFC51380000-memory.dmp

    Filesize

    64KB

  • memory/4432-40-0x00007FFC912F0000-0x00007FFC914E5000-memory.dmp

    Filesize

    2.0MB

  • memory/4432-41-0x00007FFC51370000-0x00007FFC51380000-memory.dmp

    Filesize

    64KB

  • memory/4432-43-0x00007FFC51370000-0x00007FFC51380000-memory.dmp

    Filesize

    64KB

  • memory/4432-77-0x000001F240740000-0x000001F240782000-memory.dmp

    Filesize

    264KB

  • memory/4432-45-0x00007FFC912F0000-0x00007FFC914E5000-memory.dmp

    Filesize

    2.0MB

  • memory/4432-46-0x00007FFC912F0000-0x00007FFC914E5000-memory.dmp

    Filesize

    2.0MB

  • memory/4432-47-0x00007FFC4F310000-0x00007FFC4F320000-memory.dmp

    Filesize

    64KB

  • memory/4432-48-0x00007FFC912F0000-0x00007FFC914E5000-memory.dmp

    Filesize

    2.0MB

  • memory/4432-49-0x00007FFC912F0000-0x00007FFC914E5000-memory.dmp

    Filesize

    2.0MB

  • memory/4432-50-0x00007FFC912F0000-0x00007FFC914E5000-memory.dmp

    Filesize

    2.0MB

  • memory/4432-58-0x00007FFC4F310000-0x00007FFC4F320000-memory.dmp

    Filesize

    64KB

  • memory/4432-42-0x00007FFC912F0000-0x00007FFC914E5000-memory.dmp

    Filesize

    2.0MB

  • memory/4432-38-0x00007FFC912F0000-0x00007FFC914E5000-memory.dmp

    Filesize

    2.0MB

  • memory/4432-74-0x000001F240740000-0x000001F240782000-memory.dmp

    Filesize

    264KB

  • memory/4432-75-0x000001F240740000-0x000001F240782000-memory.dmp

    Filesize

    264KB

  • memory/4432-37-0x00007FFC51370000-0x00007FFC51380000-memory.dmp

    Filesize

    64KB

  • memory/4772-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB