Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/01/2024, 13:45

General

  • Target

    3eb04652a3a57731b166a03425639ddd.exe

  • Size

    512KB

  • MD5

    3eb04652a3a57731b166a03425639ddd

  • SHA1

    0dab4b6bdd78b3495bab0ed32ca24d9d4d25d23f

  • SHA256

    cfb4d6ee578e544d7eebf0d054801c482878b0aa1bf6187ed236db3b8da6a8ca

  • SHA512

    215b4b65d4a40eb000f42d5c218c34b5b2205d6bd513989dbf37d418f4feb88844b7f3641eaa9fe46f6810516dab8bd4febe757e241c309bb8bff6e45382280b

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6l:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm54

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3eb04652a3a57731b166a03425639ddd.exe
    "C:\Users\Admin\AppData\Local\Temp\3eb04652a3a57731b166a03425639ddd.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\Windows\SysWOW64\ufvmyrjnxg.exe
      ufvmyrjnxg.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2768
      • C:\Windows\SysWOW64\hvnmarun.exe
        C:\Windows\system32\hvnmarun.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2644
    • C:\Windows\SysWOW64\vdbwmmaackoasil.exe
      vdbwmmaackoasil.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2704
    • C:\Windows\SysWOW64\hvnmarun.exe
      hvnmarun.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2868
    • C:\Windows\SysWOW64\pmdebqrkeeryv.exe
      pmdebqrkeeryv.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2736
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:1320

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      f682077ddb9a29d0cb8ee9e0e5a4e5d2

      SHA1

      8c03b23ea0fd375784b690b99cefadf9a82466ff

      SHA256

      1024a92626aa830e11f75054033cc232a37c986fef68e2112e110bf857710c3e

      SHA512

      52a0e26bd29aa1ddfeb9a711873643e1c0e82e8a4c2a7d2e21c838a91dc6535b688bd09f74e058dc8f38cc3e4830481eec9fabd9cd0bf473ba1e2c97b73e14b3

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      d287d6d06034f960c17d764e5615dab5

      SHA1

      778950f9ad1eb3b13b92d369e1ef21253ad6d00e

      SHA256

      8e712a1acd46933ca432da20cddb14f0247f535dabf9e856c7be3940e0a048e2

      SHA512

      995b83fb998e78ee5028f90ec041ddbd3d6b0019a4ff4c827dfd573e76c408fc2fff31e3ab80df02df6066fb7dd9f3adf96b6f1497a38fbe4427ae65f4a95e4d

    • C:\Users\Admin\Downloads\ResetCopy.doc.exe

      Filesize

      512KB

      MD5

      21d9c4405f2b79e0094d69fa9a3132b4

      SHA1

      47483c4292cdecda1a1b99508079ca6f96e2ab12

      SHA256

      a02c1ee9671f70cb05b31a721091a2b883be09fa6f57debf437d17cd9ad9d705

      SHA512

      32e7c40e7f9d2f66832326fe0f77c3535be7055b3df42504a943c7bf70833ae0f65f3bc0d270225711c92ef699f57e5e998607582a9f9978b80455be475447cf

    • C:\Windows\SysWOW64\vdbwmmaackoasil.exe

      Filesize

      512KB

      MD5

      4223aecd5e0d8938d1a84b2de151abd0

      SHA1

      3943f90ea7c3e190a99768c3967ca1c774b0b56f

      SHA256

      db69334bac7e8346e1e08bb1f562b4ae9761d2810895a04feab67981463b91ed

      SHA512

      64f94ae2ecb087685e9b03de46beb5c8c076edc2fecc5d63401871a4872bf24a73d090ef14d50b30e790ad1bda2d2ac8e64d4fd383f27b1af322f5839bc4a5df

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\hvnmarun.exe

      Filesize

      512KB

      MD5

      aed766f6b3a87af0cb7ca04706e76847

      SHA1

      b115fdb0a3cfed6ba9287ea021dcba317a7f34e8

      SHA256

      aaee4eef4b11f00a8db4f5dad15d2fc263c33b9d6795053bad7cf6d8e35d54e5

      SHA512

      36973f26ae450d4bf6af7b02a691894cb576a0c9d17353c65538ea1798029d2f64ab06921630f0ff47044f20da18b32cd2fc397b449f3c7e801ec0d3aad7b922

    • \Windows\SysWOW64\pmdebqrkeeryv.exe

      Filesize

      512KB

      MD5

      4704948efd3888decec6fd4ac99e91a7

      SHA1

      2ca28197b82d9477620ceb298cb0120e8c0bd132

      SHA256

      543e99a96631edf67499528e26cf1edc09f2021d8dcd8abab8cfe80cb41d0d5d

      SHA512

      e80f9e501c239775f43863281e034cb98798a820c1a0510a5f5dbff2e5c91919b567acb4d7c9c43edc04215923715f84ccc7fefe01363627e5c869a28c32b845

    • \Windows\SysWOW64\ufvmyrjnxg.exe

      Filesize

      512KB

      MD5

      772f77ee8805f7dcefec641f729953bc

      SHA1

      1fc4bf802be2b73631aad53066ace824181e677c

      SHA256

      65664c712c6592d9e2f99d269c1b26d6aab249ce3c09c286388f8ad33cb70217

      SHA512

      85acad7a6cd8b27e7bc4727ef799eeb47107d2e0980bd93ecbf8d3e6f95ec7fbdf548249b73f650886d4d60403c47d4cc59cf0c13a5d53c3b890731d1da48e64

    • memory/2852-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2852-47-0x0000000070D4D000-0x0000000070D58000-memory.dmp

      Filesize

      44KB

    • memory/2852-45-0x000000002F551000-0x000000002F552000-memory.dmp

      Filesize

      4KB

    • memory/2852-79-0x0000000070D4D000-0x0000000070D58000-memory.dmp

      Filesize

      44KB

    • memory/2852-100-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2904-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB