Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel: 150s
  • max time network: 128s
  • platform: windows7_x64
  • resource: win7-20231215-en
  • resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted: 31/12/2023, 13:03

General

  • Target: 4213e024bc4f015c556788cca0b65ecb.exe
  • Size: 512KB
  • MD5: 4213e024bc4f015c556788cca0b65ecb
  • SHA1: 33b9a14783b91d8c5adea252353a8ed1e4ce2d5b
  • SHA256: f39cb551404435ca1292f4671d84519dac7969927ef5c622009b746338e89c4c
  • SHA512: 3b7c68c575285cee4c837f5e7969f11b650a0f9827d2314dc9426542ec897e5393585628f1306d5351efd00568270488d26cefeec416fe55456191ac7e367b55
  • SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj65:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5K

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 5 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4213e024bc4f015c556788cca0b65ecb.exe
    "C:\Users\Admin\AppData\Local\Temp\4213e024bc4f015c556788cca0b65ecb.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2140
    • C:\Windows\SysWOW64\aceduuaobs.exe
      aceduuaobs.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Windows\SysWOW64\hpcsstik.exe
        C:\Windows\system32\hpcsstik.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2588
    • C:\Windows\SysWOW64\mzkejitfqiomypl.exe
      mzkejitfqiomypl.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2704
    • C:\Windows\SysWOW64\hpcsstik.exe
      hpcsstik.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2876
    • C:\Windows\SysWOW64\cnxvikozwluim.exe
      cnxvikozwluim.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2596
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:936

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize: 20KB
    MD5: 12475573c4b147217fcdb2d2b10e4a31
    SHA1: 7d2956b33a93d8c05631797ce49b2cfa86d0719b
    SHA256: c85db5979977c2dfb2cb5a786d0e56fd09016274ad52454b640e057064d78c67
    SHA512: f07e595592c0aa673b6b26e597a56c63e7f58cea9de7b05a14085576cf1f372bfd25be28d0b93694f28b8a449a14d5ce8640d7eaa867db5ce9335986714f0928

  • C:\Windows\SysWOW64\cnxvikozwluim.exe
    Filesize: 512KB
    MD5: 2e5eae0ed71de6fdf948e3558535e98a
    SHA1: 4d7e882e8ddc29b3cfe4aacc08a2ecb6a5ce3654
    SHA256: 1ca5ecfbe3db74e0f2face1077be70a140ef146032ff2a2cf70738cca1d5cb56
    SHA512: 6e325bddba80d72d00509b9c30365cdfb7d42f135e6a700ce6580c3ee37c213d26cc3bd2a1ac69c0beae67027b9ceb8294be60d23f82cb5dc2521ab2db7cce00

  • C:\Windows\SysWOW64\mzkejitfqiomypl.exe
    Filesize: 512KB
    MD5: 54f248079fb74540c5a98d6181e8e059
    SHA1: e4a9ed70009c424fd5a8e6811228581631ecc6e8
    SHA256: ae70907d4b3b68a566ce27c64c629791119b65b1c34fafe38a63bab04a7625ac
    SHA512: 22354765ea91df3d995941f2121fcc46d6c5ff9258159126f2e2c0ce3fde6b1e54a449e14f040eddd9a930427f35ef3e2e0a86e8eb294305613e637fc0e430d5

  • C:\Windows\mydoc.rtf
    Filesize: 223B
    MD5: 06604e5941c126e2e7be02c5cd9f62ec
    SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
    SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
    SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \Windows\SysWOW64\aceduuaobs.exe
    Filesize: 512KB
    MD5: f9a23a2873831625997954e8fa32860e
    SHA1: 7cbe5f8cf7e1fa524dce4b733770877de88b03be
    SHA256: f333ffae589a4180033f4631ae23989fa50f42b89b029ab31094b4a0e2329bc4
    SHA512: f2c777a23d7304e2883cf29218756d873a7f436c4968d9520802c1a4c52b3048ad09d37a711cb4ca461a91fb1dd234cb0e9d417ba9eae5820708f3b2e09bc872

  • \Windows\SysWOW64\hpcsstik.exe
    Filesize: 512KB
    MD5: 98b817c222f0568998c40ec779b953ca
    SHA1: 63e91433262adf452565815043d0b9720cf3ebfa
    SHA256: e65bc9c773f75e3f2bb35f25cfdb5cad5649f087ce37f3cdddd13d87e0346867
    SHA512: e1f541f5469df56e891a571c7f8735906936358cacdf0f335a49205d23f696e7c40273a6ecd8244910c6329370015736bdcefb382f0f7d8c62dbc006fee5f1d3

  • memory/2140-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize: 600KB

  • memory/3052-45-0x000000002FCC1000-0x000000002FCC2000-memory.dmp
    Filesize: 4KB

  • memory/3052-46-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB

  • memory/3052-47-0x0000000070D4D000-0x0000000070D58000-memory.dmp
    Filesize: 44KB

  • memory/3052-78-0x0000000070D4D000-0x0000000070D58000-memory.dmp
    Filesize: 44KB

  • memory/3052-99-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB