Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/01/2024, 15:08

General

  • Target

    4649ca4d0e4bef77de0ec1b6bcbc8731.exe

  • Size

    512KB

  • MD5

    4649ca4d0e4bef77de0ec1b6bcbc8731

  • SHA1

    35723a8b9712b244de3c0e418d061bb9c9195adb

  • SHA256

    a28a251fa493872079dc0d9cac5f66c363641544b8b0ec297ce3f5d71514a129

  • SHA512

    303b701c65f05a19eadeff371853ffbf0376b0b7fd8ca4df6c4f5f587f25fb68c6b8f2c8786b4dd597d15f172a2a3995f10dac3a2221ad8d365d85fadf784664

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6+:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5r

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4649ca4d0e4bef77de0ec1b6bcbc8731.exe
    "C:\Users\Admin\AppData\Local\Temp\4649ca4d0e4bef77de0ec1b6bcbc8731.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Windows\SysWOW64\czvcoqmdla.exe
      czvcoqmdla.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\Windows\SysWOW64\jxuvnxid.exe
        C:\Windows\system32\jxuvnxid.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2824
    • C:\Windows\SysWOW64\tlzrwtqdjfeafxh.exe
      tlzrwtqdjfeafxh.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2040
    • C:\Windows\SysWOW64\jxuvnxid.exe
      jxuvnxid.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2648
    • C:\Windows\SysWOW64\atrxwnofhduev.exe
      atrxwnofhduev.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2660
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:1088

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

      Filesize

      512KB

      MD5

      1f4ac5531423fec72194295c96bce0b7

      SHA1

      55e6cb7c5cd89ae5a0bc766df8a4c1fbd98fabbb

      SHA256

      1a2503455511361f54bf3bfb308de46c6dd498de288b5b1e2f188469a0097877

      SHA512

      1c36d785f1ffc7cf6a6e028e65b29a2e6aa14268ac3dd7a32cf63ed2d9599e37fd5fefd5893a5293364975e47dea0157075ca1ef1f34ce2271f3f48af9d82210

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      8c3ae14c273c9fde13c6d8cb6eb6bd88

      SHA1

      89777d7d89ffd636195455f159f352566d412991

      SHA256

      b0d2d6543b03e55873f33c1b2cb4d55d565884d763f7a07e79019127913394a6

      SHA512

      3422951728b313bea3b1d56fd27a7925448f01b4e8b4792cdc8dd0e21fe58ffcc71db35e585bda9d486fc78f78fb60e294ba419904bcbe25809f1fbd19c8413b

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      b0be1ff0ff727d29b13d1ce44bf8e212

      SHA1

      8a1d4e52822fbab458deaff66b94b2457622a658

      SHA256

      b746a8eaeb1c0d0327f6bc5f69dd08b28e4a3cf4d0bd980f5dc5960747dba7e3

      SHA512

      2bb3b6cebf84cd48d6a6a0a6cf8fec69cd8bb371d0148ecb6fe8c8bb3a8cdeab3794234519f28c6ffa08e51b812a8a24b1c0d9a820c2322f271c5b3092f468e8

    • C:\Windows\SysWOW64\atrxwnofhduev.exe

      Filesize

      512KB

      MD5

      51654cd2c7282fa658938aa6ed229f74

      SHA1

      762ffe620f2c8b9acaaecec601f6a111c3231ce5

      SHA256

      e7894b73ca4acdc85871aea9aaee01a6b8f7c1b1a5da02c7ee21ceddbe67d0ac

      SHA512

      0b54d2503718c1d39cc15d6b5fc0f0d2603e42bb8cec72ca10e4520faae1bd5fdc6b0bee8042a8ab8b1fb11f9d131168c1c3ae4c9345d12b3b94b1c2e9fcc875

    • C:\Windows\SysWOW64\tlzrwtqdjfeafxh.exe

      Filesize

      512KB

      MD5

      53114e85783f5ec0126fe0b09b69e3fe

      SHA1

      f0b2bc432a98fe027c55c99938aa8a2c785e894f

      SHA256

      10abcfc27450b8458fbe97c9e341a1c9596f20e4862f482c705f6bff796821e5

      SHA512

      5f0731190272be3f9ca4d0355e951aea4eb57d4c3ee95b5bb29ad54b5d4b062a241e9b50dc80f4b813c29ad251c2d741f096993a8e326d4c42718df759b5d29e

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\czvcoqmdla.exe

      Filesize

      512KB

      MD5

      69744a6dfc9232b420c570d7ed9ca58d

      SHA1

      9de21407f690b30678bd51e7231f65ecd1fb87f6

      SHA256

      facb2acd42303b5758574b6ad696e54839079dc8ae6b80ee06b0639998f13f44

      SHA512

      08d77454621e683ba466205c002e84a8f60bbe8d7862c42c525ed4fe7895bbb15d1b6aa040a71b25f567c000a0365969121bd5e4db3645058f1fa7a11e59d00d

    • \Windows\SysWOW64\jxuvnxid.exe

      Filesize

      512KB

      MD5

      54265199f6ab1d18ca87f498b15d35a1

      SHA1

      770aa92ecc1e46d723b541fefb76a5ba12d3fd3a

      SHA256

      c72722baf74ccfd01de7ff9ee2ddfa167346de7ecf39c1af790bd1a831dadcbc

      SHA512

      213a24f873c0344ba248ebacdfea28fb8c9f6555e878398dc95c80e47a2a82e489a5e972dd36e8d469582de9c422ca0f402904128ca843d598aa05d0f50a8232

    • memory/2944-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2944-66-0x000000007140D000-0x0000000071418000-memory.dmp

      Filesize

      44KB

    • memory/2944-47-0x000000007140D000-0x0000000071418000-memory.dmp

      Filesize

      44KB

    • memory/2944-45-0x000000002F4E1000-0x000000002F4E2000-memory.dmp

      Filesize

      4KB

    • memory/2944-94-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2944-95-0x000000007140D000-0x0000000071418000-memory.dmp

      Filesize

      44KB

    • memory/3016-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB