Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
31/12/2023, 07:06
General
-
Target
2cb51ba4e2ff06f522ce4f5beeb2bfff.exe
-
Size
512KB
-
MD5
2cb51ba4e2ff06f522ce4f5beeb2bfff
-
SHA1
5c1e980a851438111df7420989a1a6dc1c6a930e
-
SHA256
f8230fbfb661d9749b10071ee16ffc0220e3d37c5b344241368ccf6c042f9923
-
SHA512
5e6320758901400882216835d05b87e2002997a2a656af4805b1d8f36800436b6061dd96b1ad2596894f3bfe65967541a0ac22b7d09a0cbf3f14fea7cf1894c0
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6s:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5r
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
AutoIT Executable 13 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 9 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2cb51ba4e2ff06f522ce4f5beeb2bfff.exe"C:\Users\Admin\AppData\Local\Temp\2cb51ba4e2ff06f522ce4f5beeb2bfff.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\lgvycsfyuv.exelgvycsfyuv.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ivwskqtv.exeC:\Windows\system32\ivwskqtv.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
C:\Windows\SysWOW64\ythqstgbzbakl.exeythqstgbzbakl.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\ivwskqtv.exeivwskqtv.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\fkhblpwddcvnreg.exefkhblpwddcvnreg.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD53389f632f0488e2085ab5d5009d08939
SHA1c6f029d83bc90fb7e908a3c3de292d5553bc65ae
SHA25623873784bea8b2a2f92a5cef5a79b60d7f2b892c6ebf48c0397cf80186ac5610
SHA512e499a98baa1405b684df40d4bbe10d5bfb2b86c77e87c4e5e751dab5cfcb2464ec3ed14105bdcbe0f866c82dc31b9a937a3a9edc2666b0f246cc888c89d28296
-
Filesize
239B
MD549cb7e42e96246112deafefe11d534b1
SHA127d12e47a95b587790ad980cca2db9ffdfa79caa
SHA256ec903863f323d8efec74a708b93951e7e0bb12faa5fc73b4ac295e7d094d17fb
SHA5129a744593b72eb0c5b0b0548e67beb1676fb4d4ca9750a5d72b8d2a3846ca3e6ebe50ead4f45df68736c4a3779ad9dbb7aed2a7ccf6cab08275a780c6f264376d
-
Filesize
1KB
MD55a9f75577f211887c1c347e2f8755252
SHA1a9b3a3951401e1d582e8041812753bb2c12ba142
SHA256532c6e79a16659bf91d59660ebf85ce72d60b8727d0e02c320636598fcd1cc63
SHA51256fe9b2dd4a38444090014fcdba680525324ecc72127ad1896dcd604455079e6a8846f79f546156abb9393d3307cd69b20342c64c4dd81b3210fcb0deddad2e2
-
Filesize
1KB
MD5ffcb25e9fbd9df30bdd9c6186a757cea
SHA1dd370a1640a1ee8a28bf9b7dcb68f1053b90f39b
SHA256aafdd7b2bcb914923b46f49aee991341feac9851f867296d10bd12ba8a6ecbac
SHA512bb988e54b1d00187f1df97b4092913d842d39617880aa891eade4871eeda547bb9a226eb98f293e1e65ba8f0576f46b7f55d8e5a618605b7e4c8257aa31d2e6a
-
Filesize
97KB
MD597ef2fa2bdb4cb136ee8af8985673e04
SHA1f50deff11374af26211c346b3eca1642ef5a083f
SHA2564466ab50283538f8e82c19b28bfea6b2a4c681b47955e4dd3f4037272c789536
SHA512e047c293b737d9586fd19d89578665cd9d8507f1a10bee57785d8aee2978b8964a9fa16ee522bb92766a7508519b97e0d0a84f4c55aa9e6c15de3f4df0bef786
-
Filesize
29KB
MD590546a5b190069b3fdb5398e6fbc56d8
SHA134679e111bdb54e212a960592cfeca1839714580
SHA2568fa9eaa112837e82cde011be3ae09ac414dbd9505f8fa19fb705c8163064151b
SHA512235cc4b9276ed24e9a5e78d93439e46dac2220113a46490dbbf6ed609c47c931981cffa5de57e4b6ab5d42402e9b31c80761c0bb9406e6400002e0350a98c0c9
-
Filesize
14KB
MD5620eb4462e7252093a354143d87d5d64
SHA13e73efb5c3ed3f39490fe8d39414db556e15d42a
SHA25647f9063876aeac06849eab05f0b6e5d8db9b39cd8c7467e0bc1e5e93611e80c8
SHA512c056e66207f10668d054fa58ae7f96242bf0f04e9e3fb6283083e25f5578ea82096593882fbaaf3f02fabcf2998954afe5af8ba825433fc0d57b06860cb5573f
-
Filesize
17KB
MD5dcf4c4b48b96ad557f57171d2056ac27
SHA1fcf6f953e31d5f4c2e6c6ebe34cdfe780dbe1b4e
SHA25670379f1765ec0972e064b9746cf94191df577cf6eab3ecfd28439e0cb9294a4c
SHA512196726c0993cf660c04b44a708d8019d08959476464171c2e50774ebf221860e49cdfe106896ee82db157e35d4943e91b6b17dab380a4d544789df4e5447af2e
-
Filesize
28KB
MD5e92aa768761af4868374b1cf2c5932b4
SHA1ab8fac618baf2e0913c7324355f2bc10838faba5
SHA2567b78abf2e002fb9d77c5521e1109ae3b1e504c98091f59e9d2675f74a6b1bbae
SHA5122d863a424a9709d783f06316b88b55eeab4dd0e562678d269257ba03c677c332479437b2121fd07ac331a9727a690950708b5b1d7dd3911b7deefb4d20117c1a
-
Filesize
14KB
MD5d0211b641498db052379f0b015706b7e
SHA1188a5e386fc2956caba29468825b04523505a36e
SHA256525e1b647d9570a90fdc42b8770bbaf1f97d85f225232b80d0dba267f150e93e
SHA51286c8587df318ad6196f1c09d4d91f11582b2c27b4e035cb1f829a4cef948b3ea7067b2d76b47d09da325f2816788f06d4e5a700383ee6284a29580e9c6c279e9
-
Filesize
24KB
MD5465f41fddedcb32147bef2a09614f792
SHA1ddb5421a58982cc564a02be1beb3620f03b913b2
SHA256c28054d8af6c85446c961c94dc1888d88555bba3118584c50f9ea3186495b581
SHA51222c58aac7566a1da1a7213555267d74d0a0133fc5ec1fde27292bbaed4144bd0b9a31f775dca352652db0b69a88174854510123edc1454cc89d4933e9a95cc41
-
Filesize
51KB
MD571dbce254726d1ae7045c7b064e5185c
SHA17f0f8e9f1fbb3fa302040ad7d45d2e3ca4e940ca
SHA25630a95a9f0bad6e09685a2b423b8f33d9d7225d859666dcddacc282c56b73f74f
SHA5124a18dff5f35148d611e0f42fec3890d0f5d9869f5c560b74c7fa65111c1f929f39417a258172b9b9da896baa222ddd11e2bea4fe039e7a01cbf85f32eb04854b
-
Filesize
26KB
MD52f9a7fe1d175f9e7125fed629c8d478f
SHA104f295108d837e54e819bca93f54c57efbd076c3
SHA256f75b46571f7fef31c9f47f5b4a754d99bd73634e7b73cff796f1609b07bf739a
SHA5126aaaa58d5a0b318862cc18edec71706418ec7c4ebd98f2366da5daa417f328cad11a80e3bfa916e77321475972e783bd203c2621107eb762538c6bffaf86a46a
-
Filesize
25KB
MD50137c58572dcee498669bcbeafd4c58f
SHA1cc2421f538d4ffa07f0a169a100d59bbcdf4ea01
SHA256dbb8ec94cdbf3dc3be1ddc80756a7d07b72083cedf0cf4abc875ac2e1b529cb8
SHA51279e6df73044b0804968890261a30c71a3125f7f9203c525413f34c3552e4295ce9f32d3121ff318694d33135d531ce84301650700290f9261916a36f06e8ac08
-
Filesize
30KB
MD55c5dabf4f7d699d296ebf98ae96ccdec
SHA1ff87bce5b611a14458e2af5ca96af53efbdf6bcf
SHA256752b39f0f2c45536684eea12d5c8ceb8ea6a6cdc1c569821f614042d1106ebf1
SHA5127a70e099cb4d7134139a5da2840e652ea67b69029ec3a98d67bbbd8c1f65b867cc7548fb39551160572f50c0f5593048f3f005672096f65235f2754c6858727d
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
600KB