Analysis

  • max time kernel
    151s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/12/2023, 06:25

General

  • Target

    rusik na kuhne.exe

  • Size

    564KB

  • MD5

    f44445aeb63e81045e17563a55e76f13

  • SHA1

    7b5b8cba606b2d28236ae6801ca0e1be4b391455

  • SHA256

    938cf550c7f4f125804d8a1d7bf9ea9ad72facedae6a01e776bff846f948e6dc

  • SHA512

    3bde94299b855b57faaa2d1bb9e88ce693bbdf7a00d1849e45806e28c2d85afaa67e39f3ca774ab2993d7bc488904233745cf01321af26225c68da2e25d62b50

  • SSDEEP

    12288:6pUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqss3MMq:6pUNr6YkVRFkgbeqeo68FhqxMM

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • UAC bypass 3 TTPs 13 IoCs
  • Adds policy Run key to start application 2 TTPs 28 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Looks up external IP address via web service 6 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 32 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rusik na kuhne.exe
    "C:\Users\Admin\AppData\Local\Temp\rusik na kuhne.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3156
    • C:\Users\Admin\AppData\Local\Temp\nnnooeelxxx.exe
      "C:\Users\Admin\AppData\Local\Temp\nnnooeelxxx.exe" "c:\users\admin\appdata\local\temp\rusik na kuhne.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2232
      • C:\Users\Admin\AppData\Local\Temp\zbhwafn.exe
        "C:\Users\Admin\AppData\Local\Temp\zbhwafn.exe" "-C:\Users\Admin\AppData\Local\Temp\yjywjxobshwbgmrm.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:1092
      • C:\Users\Admin\AppData\Local\Temp\zbhwafn.exe
        "C:\Users\Admin\AppData\Local\Temp\zbhwafn.exe" "-C:\Users\Admin\AppData\Local\Temp\yjywjxobshwbgmrm.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:1996
    • C:\Users\Admin\AppData\Local\Temp\nnnooeelxxx.exe
      "C:\Users\Admin\AppData\Local\Temp\nnnooeelxxx.exe" "c:\users\admin\appdata\local\temp\rusik na kuhne.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:1064

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\bbfsuxdflptnhcwgabnnregjprx.fzt

    Filesize

    280B

    MD5

    e20e3adb2afd4d5ebda06911fbd01786

    SHA1

    2bb455f0a145ace61fa7c014625afef7090ffc67

    SHA256

    5956bc6e3a013f0c446734a3d774652c12c0ff495a5c300804e3bc6f0648cc12

    SHA512

    76bc8c75a1d0b2b187684a30b42f194140ac393a8fc14141fe3a6baab1f364a7adf18d637ded4aff4b35561b0c52cc073b06ce1b866ca457320c0a86dfec9953

  • C:\Program Files (x86)\bbfsuxdflptnhcwgabnnregjprx.fzt

    Filesize

    280B

    MD5

    4ca1ad3e3b2a3f9e7f73d6154f2748c2

    SHA1

    babb6875b2a2377feda4958b13f963803b3e0f4d

    SHA256

    449920e93e877d9dcec288ddb4cb6548f6985a21f5832ae5d890190b6799f8d7

    SHA512

    b7b892e0eebc9bec72591643acee22d69a66aaf3d7b23416cd37f7a9f9eaa76d6bb4242ed29313029aab148a2da9c36ff1646facd870fee69bd4d89be07b5b1a

  • C:\Program Files (x86)\bbfsuxdflptnhcwgabnnregjprx.fzt

    Filesize

    280B

    MD5

    0b0ab3093b2e061de7beb83feac15e96

    SHA1

    18096684c4baaddc1d74fdd9b8bb974c899761ca

    SHA256

    b48fda82e83947b097cd5f677bd7e96e00b077b87b1f6d9c36eafe6c167735ea

    SHA512

    749717568c55185dcddc6efb10571a5e7db88480b5aca362f6c675485daf7341a7f75a69fd7228a5357df5bf18865d4faaab045e580f20c1d3b28360b0a3e5c0

  • C:\Users\Admin\AppData\Local\Temp\nnnooeelxxx.exe

    Filesize

    320KB

    MD5

    d52783842a8dd58c3f73dbec2fe9f9d6

    SHA1

    e825ef51aecbe7be28d31999c8e90c2363022916

    SHA256

    ff236df6261a4edccd62b9426cb1389ad26ae1f78d20ac37cd061f3236e8a359

    SHA512

    90495243bf88a8469b3fe67eb5ae86204eef0bdaf30c3e15db03ac66fb7ba8d225e83d867d8cc354d270bf1a4d12cf60a005d6947d1be3b2b17470947f857f7b

  • C:\Users\Admin\AppData\Local\Temp\nnnooeelxxx.exe

    Filesize

    192KB

    MD5

    eecc74cd3cab6148ec5e19a18e4970da

    SHA1

    23b50b919435db3dafbb7cda1ded26617bc25aee

    SHA256

    93c6e4b5c9f2b55852539bf0f4b5b5776f20f229d333a10daa252e8042c0c73e

    SHA512

    26c9bbcb083f7145734766c9599cab217128ef2831d4b4b989ac20edccd6adaae4088daf77a24ab3eab2e3e5e660fbbfe9eebe5feb2d7607dd00cd25e10e7cc3

  • C:\Users\Admin\AppData\Local\Temp\zbhwafn.exe

    Filesize

    700KB

    MD5

    a856afb7d867179e770f29e02be4ada7

    SHA1

    419a50d4f3ef6a35f3c9cd08fc803a97d9ad9346

    SHA256

    a1fe4dfd57d495c62e1f9306723553e76408c0d1cd2a5d2dd5aa2e86697f346c

    SHA512

    0465f9081246e3542a6fa67b2566cdbd69485706099eae021c558aeddd8629e35b9bb11ff6c7f3a4e1612d1ece3881039a516360a398d8efc59308abb0f9e8b3

  • C:\Users\Admin\AppData\Local\Temp\zbhwafn.exe

    Filesize

    193KB

    MD5

    2bf85be8c1e64426bedcd3e53e84ab54

    SHA1

    9c98dbb39d30046bdf852d846d248ccc52b4c6fe

    SHA256

    726ad0010cc6f2629fd8b453aee05b4db785617c507605f3194aebc9780255e6

    SHA512

    9caebfc8d136f362e5cd266e0b8cddbb0152151ca8bef7403d787654362d8694c367f59f23c001a045030a57c054a9c98ea8a3ecec751a7f029ab3554e50fe01

  • C:\Users\Admin\AppData\Local\Temp\zbhwafn.exe

    Filesize

    66KB

    MD5

    c1593a24524860d55d0c8f0cd0cfe89e

    SHA1

    a2abe5521ed65fc7064d3e0de0ce03675c351d49

    SHA256

    a9fbe4177dc10b83e3fa378ae1312bb3a72f9248c298e936964833b4ed029fe5

    SHA512

    63fb1f7b03599771be6f63b1e9eae4ff2bc1a30afb581d31e37e447f82c6482477c48ee3102f758ea352ea5cc16c2c1ae9f13a5ff4dd1288d8ae0e38fae4f2d4

  • C:\Windows\SysWOW64\obsshxqfypgnucjgnb.exe

    Filesize

    564KB

    MD5

    f44445aeb63e81045e17563a55e76f13

    SHA1

    7b5b8cba606b2d28236ae6801ca0e1be4b391455

    SHA256

    938cf550c7f4f125804d8a1d7bf9ea9ad72facedae6a01e776bff846f948e6dc

    SHA512

    3bde94299b855b57faaa2d1bb9e88ce693bbdf7a00d1849e45806e28c2d85afaa67e39f3ca774ab2993d7bc488904233745cf01321af26225c68da2e25d62b50

  • C:\Windows\SysWOW64\sjeibvslidyjugrsdvypko.exe

    Filesize

    128KB

    MD5

    780ad0f3273c722f82c1930c40afda00

    SHA1

    30632c0b9c40425eca8555051c0e5ee2e79581b9

    SHA256

    4588d598902f22bd4edb5e77a029ece19ecbc5a8550ed9ef616151dbeaf401ed

    SHA512

    854a26392f4e58eca6bbef7cb248533199ec161355336dd2dca381f22e022ee6f2121896faf279b5621ac9a23eb80e305b0b15a773d78a4c258ca82653b29b88

  • C:\Windows\frhgujbphxntzgmio.exe

    Filesize

    93KB

    MD5

    c996d2eab6eb7ed76bfca74bed1bfbce

    SHA1

    0c8368047e321aacfeb90e4cc55d528a90181b20

    SHA256

    5ca8f1e8c505bc54ea7fb60cd57006b09864ab4622e4f56d3cd8d49e45778f90

    SHA512

    c5b4733b80f1cf2ec2c0840891f37dd64a5eb2e12f7da047343ea453760aa45bab326296e904f21ccd8321f61b04fa73ef93b9b82f2a2cbcde6923fd0a20572d

  • C:\Windows\sjeibvslidyjugrsdvypko.exe

    Filesize

    193KB

    MD5

    5d467ef0ee59a579ceafdadbb36916d5

    SHA1

    cd6954108483ac7d18987c00ce9bb24aee459e7b

    SHA256

    868f6179b043f3f49ec7ab6f6c2d96898654a6f59126fbc101219d693b66e797

    SHA512

    5983664bd6c9768d792d3df9557e844c0fbbdb7971c949aa8eda6096255581359d4a58984f5099f5a4c8cb194c5d1e0c1adb698e5428707a84250c00f48d553c

  • C:\Windows\sjeibvslidyjugrsdvypko.exe

    Filesize

    92KB

    MD5

    3566599d12a144b307d867d1bba99ee1

    SHA1

    0b4c09415c68c2db68f4e0073278d41ce927315d

    SHA256

    3d53e5a1e786b22cb789141504a7997a178bdfa1625e30ca5288a4e934e22c74

    SHA512

    87a30f0d17c211480dee69a295b677a857e4214d18cf745a43f6f30693a7a6b658af4603b0863d1095e84f156c1033193c5c0b368b2eaf896ef5404a64f862ec

  • C:\zbhwafn.bat

    Filesize

    484KB

    MD5

    8687abc6eb625cb413f6b2b2dee9807b

    SHA1

    c674ac45e1e6067924630281777eb912fc154adb

    SHA256

    c87e0c8327d31b3d98c5f4f623e3acc5634071322e6c4dcca514519ec5f14ab8

    SHA512

    2954c6c8f9651d010afaaad5f859a66927d5e08e165866080b076d1b7ab8e037e434f43297aca419c9be8fbe001131531dc062848c3656a35fcb4825044451ed