Analysis

  • max time kernel
    213s
  • max time network
    230s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/12/2023, 21:05

General

  • Target

    1c74caeacf0bca43de75ba57e5f36032.exe

  • Size

    512KB

  • MD5

    1c74caeacf0bca43de75ba57e5f36032

  • SHA1

    85deaf42a1bf39f0c5d15c0988b89a42a3d37385

  • SHA256

    8c3f0a9bb8fc55f0edddd22d8983fb66f712ba9e43c89126b54e1d752c5d8c3f

  • SHA512

    b8fb038beacaa27a5ebb503491fdf299f094429e8284bd9c77bf337fd70297308181a30b9810661f2b07a8756f1ed7ec44f97a7a959f6edbbb414e46a2820300

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6R:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5k

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 5 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c74caeacf0bca43de75ba57e5f36032.exe
    "C:\Users\Admin\AppData\Local\Temp\1c74caeacf0bca43de75ba57e5f36032.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3236
    • C:\Windows\SysWOW64\zexamkjhsv.exe
      zexamkjhsv.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2492
      • C:\Windows\SysWOW64\vldkixgv.exe
        C:\Windows\system32\vldkixgv.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1036
    • C:\Windows\SysWOW64\vldkixgv.exe
      vldkixgv.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2928
    • C:\Windows\SysWOW64\bcmshkzwjysst.exe
      bcmshkzwjysst.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:732
    • C:\Windows\SysWOW64\vybuxenazgahqvm.exe
      vybuxenazgahqvm.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4516
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4648

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    49f74cc177ed54cfe3ef5b6f015ab77c

    SHA1

    69b1509d8bcc7dfe19224e0f66dcec720f458332

    SHA256

    675674eeb50c03efc58bd6165ef88f59408d56c7e7ddfa8d1a61bb264df26112

    SHA512

    40eba13830b310ab6345a0e5b713f5df8023b7c38058dda21f390b949134bfaecddef802ff0297d27f7f4da99cc872c6c5eaa15f7ed2d84bc54c653d888cc67f

  • C:\Windows\SysWOW64\bcmshkzwjysst.exe

    Filesize

    512KB

    MD5

    81ac272c8fb4b76358168b37b161f051

    SHA1

    4930a6fb52dd3782d51f5644378691d6ad958b83

    SHA256

    46859d8ab41a5b7c4c3128e884cb7493a1a91a93daf988c172ee3594b42476d6

    SHA512

    b89800c08192a107670ca6655e4f5ad5735079cd329caa94a37650d3f643517cb3938568e4bcb547643b4a6540aae9e14dd783bc0629c50afa4d693f94291bf2

  • C:\Windows\SysWOW64\vldkixgv.exe

    Filesize

    512KB

    MD5

    26d9b8493616f27cc8bcb54d9cfa35a7

    SHA1

    610e055ebce83a78a840e0c7ce37464041a1739d

    SHA256

    ea3de49b927ef4897ea4e2195eb52fda19f27960cbcc31d305c89f1411fb8d5b

    SHA512

    bf34530b9805656eac48befa56de88a636448565f0b064843f41d40a1eda545aa591ae20cd2b30587e8600a7cbb15df8079e68cfdbc87d0397a5d19d6f22ae02

  • C:\Windows\SysWOW64\vybuxenazgahqvm.exe

    Filesize

    512KB

    MD5

    fc7ae977f1630c9c69eb9423e7df7dfb

    SHA1

    516802fcb280b52849da444d882d9884c99fa111

    SHA256

    9fd5a680bf9020b32c341dc13a773f8f7b65662010de0fbca94f617f79d3d39d

    SHA512

    b5dc1e2933184d46b50d9eeaee8e2766b04781c8ae6d7c71d659fc50acd71d301ecc900e0be6c6c19d05ae06048413ccb5fcebc825dff443e7278651f2ecd308

  • C:\Windows\SysWOW64\zexamkjhsv.exe

    Filesize

    512KB

    MD5

    6deea612d99c3005ea29564bdda27f34

    SHA1

    00003f58d972fb86460fbde37d14a8cdac6d382d

    SHA256

    0ea00593bd0f6a0363b2d6394f5275067a2774e955439b035e25a74ad43017d4

    SHA512

    8ba490e97d02b0ce2ce4f55065a1e3790d6f6af9225f1a5bfe2682b262291c2d1a5c7bdcd971888e8c1373c194524acbaed284ebe9da3fde19cad3fa3d941e7b

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • memory/3236-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/4648-44-0x00007FF7DF470000-0x00007FF7DF480000-memory.dmp

    Filesize

    64KB

  • memory/4648-41-0x00007FF81F3F0000-0x00007FF81F5E5000-memory.dmp

    Filesize

    2.0MB

  • memory/4648-38-0x00007FF7DF470000-0x00007FF7DF480000-memory.dmp

    Filesize

    64KB

  • memory/4648-40-0x00007FF7DF470000-0x00007FF7DF480000-memory.dmp

    Filesize

    64KB

  • memory/4648-43-0x00007FF81F3F0000-0x00007FF81F5E5000-memory.dmp

    Filesize

    2.0MB

  • memory/4648-42-0x00007FF7DF470000-0x00007FF7DF480000-memory.dmp

    Filesize

    64KB

  • memory/4648-45-0x00007FF81F3F0000-0x00007FF81F5E5000-memory.dmp

    Filesize

    2.0MB

  • memory/4648-46-0x00007FF81F3F0000-0x00007FF81F5E5000-memory.dmp

    Filesize

    2.0MB

  • memory/4648-47-0x00007FF81F3F0000-0x00007FF81F5E5000-memory.dmp

    Filesize

    2.0MB

  • memory/4648-48-0x00007FF7DCFC0000-0x00007FF7DCFD0000-memory.dmp

    Filesize

    64KB

  • memory/4648-49-0x00007FF7DCFC0000-0x00007FF7DCFD0000-memory.dmp

    Filesize

    64KB

  • memory/4648-39-0x00007FF81F3F0000-0x00007FF81F5E5000-memory.dmp

    Filesize

    2.0MB

  • memory/4648-37-0x00007FF7DF470000-0x00007FF7DF480000-memory.dmp

    Filesize

    64KB