Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    3s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/12/2023, 05:20

General

  • Target

    29c550be18671e1c38bf1726ec71da44.exe

  • Size

    512KB

  • MD5

    29c550be18671e1c38bf1726ec71da44

  • SHA1

    7cf7e29d1e77b71eb45bf68c5254d8b14a228d64

  • SHA256

    74cb279926b4e3b7d64b6bbcf88b7303650cdb4e84020f1275c9adfba67dcd48

  • SHA512

    338a1dd60ca37722560d58f9e603a98a5b0ec8950ade3959e57c95d492b830fdda659ca1f1f9fe1f2504b0b9dbecfa3c47208dae82e6b5757119ac0b394007dd

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6I:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5V

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 45 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\SysWOW64\vhocmvlf.exe
    vhocmvlf.exe
    1⤵
    • Executes dropped EXE
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2256
  • C:\Windows\SysWOW64\jcbwkyramoyrs.exe
    jcbwkyramoyrs.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2660
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2684
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      PID:2836
  • C:\Windows\SysWOW64\vhocmvlf.exe
    C:\Windows\system32\vhocmvlf.exe
    1⤵
    • Executes dropped EXE
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2668
  • C:\Windows\SysWOW64\wblfkflwgrmnurv.exe
    wblfkflwgrmnurv.exe
    1⤵
    • Executes dropped EXE
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3040
  • C:\Windows\SysWOW64\sgzuedrcxq.exe
    sgzuedrcxq.exe
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Windows security bypass
    • Disables RegEdit via registry modification
    • Executes dropped EXE
    • Loads dropped DLL
    • Windows security modification
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2008
  • C:\Users\Admin\AppData\Local\Temp\29c550be18671e1c38bf1726ec71da44.exe
    "C:\Users\Admin\AppData\Local\Temp\29c550be18671e1c38bf1726ec71da44.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:756

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Windows\SysWOW64\sgzuedrcxq.exe

      Filesize

      27KB

      MD5

      bc53f71bc2d39dd0ef5c8e2e072309f7

      SHA1

      1ad8c6066f0bb4633db61f6812485bbcfc42918c

      SHA256

      c3f399260296c4caf2eae3bc92f53bcd111d8d10c0eef342d19cbbe8cdd6ea28

      SHA512

      87ae96162295c5735b9536c64374785fb3ce9e5805367544529a1412bc37495565e80dc3251be52c4330d3c8d1fb48ae708d19a338cbd14ef5d427f7ae4b6604

    • C:\Windows\SysWOW64\wblfkflwgrmnurv.exe

      Filesize

      388KB

      MD5

      3a9115612aa1839bbb6d2674d0c99867

      SHA1

      a3f844c661a54c1ba35d22dbbad1fe046876348d

      SHA256

      0e11bb4d1a76d4560196d809459c9e4c0b304deb73db83731e926c6e33e7f1ef

      SHA512

      7aec9e96f49158465c53d24ffd19993e21ff06b9ecda6f9948d10a78c96a02e9848da84a8d291d20398fd9d47bb23b5ac35710d49837c168b596306280bae03d

    • \Windows\SysWOW64\sgzuedrcxq.exe

      Filesize

      304KB

      MD5

      c466be02a8b12c54773c4bf78d936b21

      SHA1

      eb02e9b00e51526fc10d4c7a3165d1a60d4959af

      SHA256

      e1b3bbf99ba00fdfda0a99331128750a9a1429604d158047730142f7bc69bce2

      SHA512

      df33527fd2134a47c20752007e03d9f091e89c35c0dac18843cb6d853eed4b3de14d6c31ee2f61ad2d4ec1f17fe708ab88bce979e6b386ab82e9f7264a955794

    • \Windows\SysWOW64\wblfkflwgrmnurv.exe

      Filesize

      4KB

      MD5

      ed1c60e9a7a92edcab339f7ee087e387

      SHA1

      88f8f6c911931da7e87f20ba56d19ccf2c015417

      SHA256

      ef9e1d6f16e23f8640444b0070a2f899eef71f15354263a7d8fb43451b8810b3

      SHA512

      2ecc0b336db1f9d6b3d4d6880980f27a8a4e9ce7eb25a12b095beb28075d793fc7667f06d7bc4512548393d0374885e8739514b96173aaefa44d7baf434f24a2

    • memory/756-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/2684-45-0x000000002FDB1000-0x000000002FDB2000-memory.dmp

      Filesize

      4KB

    • memory/2684-47-0x0000000071A4D000-0x0000000071A58000-memory.dmp

      Filesize

      44KB

    • memory/2684-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2684-78-0x0000000071A4D000-0x0000000071A58000-memory.dmp

      Filesize

      44KB

    • memory/2684-99-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB