Analysis

  • max time kernel
    162s
  • max time network
    178s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/12/2023, 13:50

General

  • Target

    38b36f71998c3391faa39cbcfc7a173d.exe

  • Size

    512KB

  • MD5

    38b36f71998c3391faa39cbcfc7a173d

  • SHA1

    3e0f1cd2a65e69614abd0da404e8e4b99a2249ac

  • SHA256

    d26596eaf05f5aae4292ac12d822047e5c9d19ebbafe0b9a46faf5b5b1a4209b

  • SHA512

    3d6c8780f7d8f264323417bbadfb0d774f93fcc6a78c3e9d08bb69d4fc265fd80fe540881180f86ec63ddfaf62c2a20b25947d25faee0fb7c5681f15344a6c1b

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6m:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5/

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 19 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
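The signatures above are what the sandbox derived from the sample's registry, file and process activity. The Python below is an added example, not part of the Triage report or of the sample: it replays that derivation over Sysmon-style events (ID 1 process create, 11 file create, 13 registry value set) constructed to mirror the process tree further down, so the same logic can be pointed at real EDR telemetry. The registry values it watches (HideFileExt, Hidden/ShowSuperHidden, DisableRegistryTools, Run, Winlogon Shell/Userinit, Defender DisableAntiSpyware) are the usual ones behind these signature names and are an assumption; the report does not list the exact values this sample touched. The ATT&CK IDs are the example's own mapping, not the report's, and the placeholder SID and registry data in the sample events are constructed.

```python
"""Re-derive the report's behaviour signatures from Sysmon-style events (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Registry values assumed to sit behind the named signatures (lower-cased needles).
REG_RULES: Dict[str, Tuple[str, str]] = {
    "\\explorer\\advanced\\hidefileext": ("Modifies visibility of file extensions in Explorer", "T1564.001"),
    "\\explorer\\advanced\\hidden": ("Modifies visibility of hidden/system files in Explorer", "T1564.001"),
    "\\explorer\\advanced\\showsuperhidden": ("Modifies visibility of hidden/system files in Explorer", "T1564.001"),
    "\\policies\\system\\disableregistrytools": ("Disables RegEdit via registry modification", "T1112"),
    "\\currentversion\\run\\": ("Adds Run key to start application", "T1547.001"),
    "\\currentversion\\winlogon\\shell": ("Modifies WinLogon", "T1547.004"),
    "\\currentversion\\winlogon\\userinit": ("Modifies WinLogon", "T1547.004"),
    "\\windows defender\\disableantispyware": ("Windows security modification", "T1562.001"),
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")
WINDOWS_DIR = "c:\\windows\\"
DOUBLE_EXT = re.compile(r"\.(doc|docx|rtf|xls|xlsx|pdf|txt)\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    pid: int
    signature: str
    technique: str  # example's own ATT&CK mapping; "-" where none fits cleanly
    evidence: str


def triage(events: List[dict]) -> List[Hit]:
    """One pass in time order. File creates are remembered so that a later process
    start from that path is reported as 'Executes dropped EXE' (stateful rule)."""
    hits: List[Hit] = []
    dropped: Set[str] = set()
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] == 11:
            path = ev["TargetFilename"]
            low = path.lower()
            dropped.add(low)
            if low.startswith(SYSTEM_DIRS) and low.endswith(".exe"):
                hits.append(Hit(pid, "Drops file in System32 directory", "T1036.005", path))
            elif low.startswith(PROGRAM_FILES):
                hits.append(Hit(pid, "Drops file in Program Files directory", "T1036.005", path))
            elif low.startswith(WINDOWS_DIR):
                hits.append(Hit(pid, "Drops file in Windows directory", "T1036.005", path))
            if DOUBLE_EXT.search(low):
                hits.append(Hit(pid, "Double extension masquerading as a document", "T1036.007", path))
        elif ev["EventID"] == 13:
            target = ev["TargetObject"]
            for needle, (signature, technique) in REG_RULES.items():
                if needle in target.lower():
                    hits.append(Hit(pid, signature, technique, f"{target} = {ev.get('Details', '')}"))
                    break
        elif ev["EventID"] == 1 and ev["Image"].lower() in dropped:
            hits.append(Hit(pid, "Executes dropped EXE", "-", ev["Image"]))
    return hits


def summarize(hits: List[Hit]) -> Dict[int, List[str]]:
    """Group signature names per PID, the way the report's process tree shows them."""
    out: Dict[int, Set[str]] = {}
    for h in hits:
        out.setdefault(h.pid, set()).add(h.signature)
    return {pid: sorted(sigs) for pid, sigs in out.items()}


# Constructed events modelled on the report's process tree (not real sandbox telemetry).
SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\38b36f71998c3391faa39cbcfc7a173d.exe"
HKU_USER = r"HKU\S-1-5-21-0-0-0-1001"  # placeholder SID, constructed
SAMPLE_EVENTS: List[dict] = [
    {"EventID": 11, "ProcessId": 3800, "Image": SAMPLE_IMAGE, "TargetFilename": r"C:\Windows\SysWOW64\feswdsmmtf.exe"},
    {"EventID": 11, "ProcessId": 3800, "Image": SAMPLE_IMAGE, "TargetFilename": r"C:\Windows\mydoc.rtf"},
    {"EventID": 1, "ProcessId": 3588, "ParentProcessId": 3800, "Image": r"C:\Windows\SysWOW64\feswdsmmtf.exe"},
    {"EventID": 13, "ProcessId": 3588, "Details": "DWORD (0x00000001)",
     "TargetObject": HKU_USER + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt"},
    {"EventID": 13, "ProcessId": 3588, "Details": "DWORD (0x00000001)",
     "TargetObject": HKU_USER + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"},
    {"EventID": 13, "ProcessId": 3588, "Details": "explorer.exe feswdsmmtf.exe",  # constructed value
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"},
    {"EventID": 13, "ProcessId": 1792, "Details": r"C:\Windows\SysWOW64\jrosassqvyavmiu.exe",
     "TargetObject": HKU_USER + r"\Software\Microsoft\Windows\CurrentVersion\Run\jrosassqvyavmiu"},
    {"EventID": 11, "ProcessId": 1504, "Image": r"C:\Windows\SysWOW64\cddvktuy.exe",
     "TargetFilename": r"C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe"},
    # Benign control: Explorer updating its own MRU list must not fire any rule.
    {"EventID": 13, "ProcessId": 4321, "Details": "Binary Data",
     "TargetObject": HKU_USER + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx"},
]

if __name__ == "__main__":
    for pid, sigs in summarize(triage(SAMPLE_EVENTS)).items():
        print(pid, sigs)
```

The stateful "Executes dropped EXE" rule is the part worth copying into a real pipeline: a process start from C:\Windows\SysWOW64\ is unremarkable on its own, but a start from a path that the same trace saw created minutes earlier is exactly what the report's tree shows for PIDs 3588, 1792, 3512 and 4524.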

Processes

  • C:\Users\Admin\AppData\Local\Temp\38b36f71998c3391faa39cbcfc7a173d.exe
    "C:\Users\Admin\AppData\Local\Temp\38b36f71998c3391faa39cbcfc7a173d.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3800
    • C:\Windows\SysWOW64\feswdsmmtf.exe
      feswdsmmtf.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3588
      • C:\Windows\SysWOW64\cddvktuy.exe
        C:\Windows\system32\cddvktuy.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1504
    • C:\Windows\SysWOW64\jrosassqvyavmiu.exe
      jrosassqvyavmiu.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1792
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ktouhyqnlhmks.exe
        3⤵
          PID:4516
      • C:\Windows\SysWOW64\cddvktuy.exe
        cddvktuy.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3512
      • C:\Windows\SysWOW64\ktouhyqnlhmks.exe
        ktouhyqnlhmks.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4524
      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        2⤵
        • Drops file in Windows directory
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:1808

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

      Filesize

      512KB

      MD5

      22e452f487bbc19e24b82ee6a39504ec

      SHA1

      f2f26a8280df3563888123b0952ca72690055462

      SHA256

      c58d310b9a578cf03125de571e79c14344cdae49129259fb3e14a2bb6f9492ca

      SHA512

      06ae78e7dc1d39f568c627acfcd9e3868fb93b163047eba60b515646cb329b17ab4d3a07b03b378d751c5ca6dc10e8c5132345135870eba5a1c3c89a950334df

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      573f930a33754e2bc33b85665e32112d

      SHA1

      be587ca5092bec73b56f45fa0d4acd9400898dfd

      SHA256

      74cf3138071d407df6176f0c8478cef450da3a6fc213bd3c465345aeb09e8fb5

      SHA512

      7f073ebe1bf5c58e94136a012b01a3f7d550316b233f523f3b5406eee02bf227ef39a55f676927e22cef4b1b9e0ba6575345deaaad3f03ef3299fde9233e73e6

    • C:\Windows\SysWOW64\cddvktuy.exe

      Filesize

      512KB

      MD5

      09d8d7935a69ae42bd0596a7d8156946

      SHA1

      f34ceab60951bdf15639437a7e1858e8d6c154e8

      SHA256

      a59347c56e1cc5663e0bbf69774fc5579d719054e2d60a88f55c0125d3ab1779

      SHA512

      592bd8eca1326c0957c56643aa6e202f19b99e31739710fb86c497fd58f9c671831320ae940c8c653c56bf997c743ad31fd34af3239104dbed4648df669ee5e1

    • C:\Windows\SysWOW64\feswdsmmtf.exe

      Filesize

      512KB

      MD5

      35c6f1ff0f5e55dbcebd089f915e31f0

      SHA1

      c4da2e05b87f934f61e56cd522d2ce592d81432a

      SHA256

      40d848f7fe3e2cda28c02800d7defe95e1215e054149add5d115fe248e4123bb

      SHA512

      69e5d781e5a1cf0dbe7a69a411842abb8092c25c1bc62bf8c220b7e34f865e22e5c55cf4ed5a7c5f5c25ccee033c2b9c258fa6c8b2f04b981a31eec73184307c

    • C:\Windows\SysWOW64\jrosassqvyavmiu.exe

      Filesize

      512KB

      MD5

      349ffcbd896fc8db9e36dcb1a92d4d67

      SHA1

      91bad0150e3a50aaaf18616c2055c3de1fea6f1a

      SHA256

      2fa4241ccbe2542c24e2dc415f2df644a09bc8d966a6c57b99831a0625dedc1c

      SHA512

      9c896f709c577bc0b90f80c9ee3c53018daae5a9995d7ed0805b3492df3f664944a130f4777d73bff47a3581f93c117969f28d558471cd527583e2fd47becf66

    • C:\Windows\SysWOW64\ktouhyqnlhmks.exe

      Filesize

      512KB

      MD5

      1548769ae72b26e7ffbc9d4bd912b82b

      SHA1

      9d50bb069a336f2f81bcbf84b2d1e164c063457c

      SHA256

      b8627c31e138ff3a2f2981a0987b26787004b7651ddd98c870c69257a8246e44

      SHA512

      5070fd0df6cfb46778dfaa0bd712769234bdc25e9efb3c22021f3b6c9ff83348ef1fcd3acedb67d669630f8a52e2cc229203d899cc3385552906ce5b93fe6db8

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • memory/1808-40-0x00007FFA00D30000-0x00007FFA00D40000-memory.dmp

      Filesize

      64KB

    • memory/1808-41-0x00007FFA00D30000-0x00007FFA00D40000-memory.dmp

      Filesize

      64KB

    • memory/1808-42-0x00007FFA40CB0000-0x00007FFA40EA5000-memory.dmp

      Filesize

      2.0MB

    • memory/1808-43-0x00007FF9FE3D0000-0x00007FF9FE3E0000-memory.dmp

      Filesize

      64KB

    • memory/1808-44-0x00007FFA40CB0000-0x00007FFA40EA5000-memory.dmp

      Filesize

      2.0MB

    • memory/1808-39-0x00007FFA00D30000-0x00007FFA00D40000-memory.dmp

      Filesize

      64KB

    • memory/1808-38-0x00007FFA00D30000-0x00007FFA00D40000-memory.dmp

      Filesize

      64KB

    • memory/1808-57-0x00007FF9FE3D0000-0x00007FF9FE3E0000-memory.dmp

      Filesize

      64KB

    • memory/1808-37-0x00007FFA00D30000-0x00007FFA00D40000-memory.dmp

      Filesize

      64KB

    • memory/3800-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB
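Every dropped executable in the list above is 512KB, the same size as the submitted sample, yet each has a different hash, so a hash-only sweep of a suspect host will miss copies the sandbox did not happen to produce. Two of them, PROTTPLN.DOC.exe and PROTTPLV.DOC.exe, pair a document-looking name with the HideFileExt change listed under Signatures, so Explorer would show them as PROTTPLN.DOC and PROTTPLV.DOC. The Python below is an added example, not from the report: it walks a directory and flags files whose SHA256 is in the report's Downloads list, files carrying the well-known strings that AutoIt v3 leaves in compiled scripts (AU3!EA06 and the "third-party compiled AutoIt script" banner; the report's own AutoIT Executable logic is not shown, so this is a heuristic, not its reimplementation), and document-then-.exe double extensions. The demo files it writes are constructed; the real samples are not reproduced, so only the marker and extension checks fire in the demo.

```python
"""Sweep a directory for the report's dropped-file indicators (added example)."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# SHA256 values copied from the report's Downloads section and General target block.
REPORT_SHA256: Dict[str, str] = {
    "c58d310b9a578cf03125de571e79c14344cdae49129259fb3e14a2bb6f9492ca": "PROTTPLN.DOC.exe",
    "74cf3138071d407df6176f0c8478cef450da3a6fc213bd3c465345aeb09e8fb5": "PROTTPLV.DOC.exe",
    "a59347c56e1cc5663e0bbf69774fc5579d719054e2d60a88f55c0125d3ab1779": "cddvktuy.exe",
    "40d848f7fe3e2cda28c02800d7defe95e1215e054149add5d115fe248e4123bb": "feswdsmmtf.exe",
    "2fa4241ccbe2542c24e2dc415f2df644a09bc8d966a6c57b99831a0625dedc1c": "jrosassqvyavmiu.exe",
    "b8627c31e138ff3a2f2981a0987b26787004b7651ddd98c870c69257a8246e44": "ktouhyqnlhmks.exe",
    "85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2": "mydoc.rtf",
    "d26596eaf05f5aae4292ac12d822047e5c9d19ebbafe0b9a46faf5b5b1a4209b": "38b36f71998c3391faa39cbcfc7a173d.exe (submitted sample)",
}
# Strings present in executables built with AutoIt v3. Presence is a heuristic, not proof.
AUTOIT_MARKERS = (b"AU3!EA06", b"This is a third-party compiled AutoIt script.")
DOUBLE_EXT = re.compile(r"\.(doc|docx|rtf|xls|xlsx|pdf|txt)\.exe$", re.IGNORECASE)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def has_autoit_marker(data: bytes) -> bool:
    """Only PE files (MZ header) count; the marker alone in a text file is noise."""
    return data[:2] == b"MZ" and any(m in data for m in AUTOIT_MARKERS)


def inspect_file(path: Path) -> dict:
    data = path.read_bytes()
    digest = sha256_of(data)
    return {
        "path": str(path),
        "sha256": digest,
        "known_ioc": REPORT_SHA256.get(digest),
        "autoit": has_autoit_marker(data),
        "double_ext": bool(DOUBLE_EXT.search(path.name)),
    }


def sweep(root: Path) -> List[dict]:
    """One record per file that matches a known hash, looks like a compiled AutoIt
    binary, or carries a document-then-.exe double extension."""
    return [
        info for info in (inspect_file(p) for p in sorted(root.rglob("*")) if p.is_file())
        if info["known_ioc"] or info["autoit"] or info["double_ext"]
    ]


def demo() -> List[dict]:
    """Build a throwaway directory of constructed files and sweep it."""
    root = Path(tempfile.mkdtemp())
    fake_pe = (b"MZ" + b"\x00" * 254 + b"This is a third-party compiled AutoIt script."
               + b"\x00" * 64 + b"AU3!EA06")
    (root / "PROTTPLN.DOC.exe").write_bytes(fake_pe)          # AutoIt marker + double extension
    (root / "setup.exe").write_bytes(b"MZ" + b"\x00" * 512)   # PE without markers: not flagged
    (root / "notes.rtf").write_bytes(b"{\\rtf1 decoy}")       # plain document: not flagged
    return sweep(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a live host the same sweep would be pointed at C:\Windows\SysWOW64 and the Office root directory, which is where the report shows the copies landing; because the hashes differ per copy, the marker and double-extension checks are the ones that generalise.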