Analysis

  • max time kernel
    158s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20231215-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    03/01/2024, 15:08

General

  • Target

    4649ca4d0e4bef77de0ec1b6bcbc8731.exe

  • Size

    512KB

  • MD5

    4649ca4d0e4bef77de0ec1b6bcbc8731

  • SHA1

    35723a8b9712b244de3c0e418d061bb9c9195adb

  • SHA256

    a28a251fa493872079dc0d9cac5f66c363641544b8b0ec297ce3f5d71514a129

  • SHA512

    303b701c65f05a19eadeff371853ffbf0376b0b7fd8ca4df6c4f5f587f25fb68c6b8f2c8786b4dd597d15f172a2a3995f10dac3a2221ad8d365d85fadf784664

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6+:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5r

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 19 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
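
The registry-tampering signatures above (Explorer file-extension and hidden-file visibility, RegEdit disabled, Run key, WinLogon, Windows security modification/bypass) are the ones a responder would want to confirm on a real host from telemetry. The following is an added example, not tria.ge's code and not part of this report: it maps Sysmon-style registry value-set records (Event ID 13 fields: ProcessId, Image, TargetObject) onto the signature names used on this page. The report shows only the signature names and IoC counts, not the individual registry values, so the registry locations in INDICATORS are an assumption (the well-known values these signature names normally cover), and the event records are constructed for the example with PIDs and image names taken from the process tree.

```python
"""Map Sysmon-style registry value-set events onto this report's signature names.

Added example for this page, not tria.ge code. The report lists signature names but
not the individual IoCs, so the registry locations below are an assumption: the
well-known values these signature names normally cover. Event records are constructed
to look like Sysmon Event ID 13 (RegistryEvent, value set) fields.
"""
import re
from collections import defaultdict

# Assumed mapping: regex over a hive-stripped, lower-cased TargetObject -> signature.
INDICATORS = [
    (r"\\explorer\\advanced\\hidefileext$",
     "Modifies visibility of file extensions in Explorer"),
    (r"\\explorer\\advanced\\(hidden|showsuperhidden)$",
     "Modifies visibility of hidden/system files in Explorer"),
    (r"\\policies\\system\\disableregistrytools$",
     "Disables RegEdit via registry modification"),
    (r"\\currentversion\\run(once)?\\[^\\]+$",
     "Adds Run key to start application"),
    (r"\\windows nt\\currentversion\\winlogon\\(shell|userinit)$",
     "Modifies WinLogon"),
    (r"\\windows defender\\(disableantispyware|disableantivirus)$",
     "Windows security modification"),
    (r"\\windows defender\\real-time protection\\disable[a-z]+$",
     "Windows security modification"),
    (r"\\windows defender\\exclusions\\(paths|processes|extensions)\\",
     "Windows security bypass"),
]

# HKLM\..., HKCU\..., HKU\<SID>\..., or the long HKEY_* form.
HIVE_PREFIX = re.compile(r"^(hklm|hkcu|hku\\[^\\]+|hkey_[a-z_]+)\\", re.I)


def normalise(target):
    """Lower-case a TargetObject and strip the hive so that HKCU\\X and
    HKU\\S-1-5-21-...\\X (how Sysmon reports per-user keys) compare equal."""
    return HIVE_PREFIX.sub("", target.strip().lower())


def classify(events):
    """Return {signature: [(pid, image, target_object), ...]} for EID 13 events
    whose target matches one of the assumed indicator locations."""
    hits = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 13:        # key creates/deletes are not value sets
            continue
        path = normalise(ev["TargetObject"])
        for pattern, signature in INDICATORS:
            if re.search(pattern, path):
                hits[signature].append((ev["ProcessId"], ev["Image"], ev["TargetObject"]))
                break                      # first matching indicator wins
    return dict(hits)


def by_process(hits):
    """Invert classify() output: {pid: sorted signature names}, so one process
    touching several of these locations stands out during triage."""
    per_pid = defaultdict(set)
    for signature, matches in hits.items():
        for pid, _image, _target in matches:
            per_pid[pid].add(signature)
    return {pid: sorted(names) for pid, names in per_pid.items()}


USER = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID
MMB = r"C:\Windows\SysWOW64\mmbwyysway.exe"
SAMPLE_EVENTS = [  # constructed; PIDs and image names follow the report's process tree
    {"EventID": 13, "ProcessId": 1072, "Image": MMB,
     "TargetObject": USER + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt"},
    {"EventID": 13, "ProcessId": 1072, "Image": MMB,
     "TargetObject": USER + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
    {"EventID": 13, "ProcessId": 1072, "Image": MMB,
     "TargetObject": USER + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"},
    {"EventID": 13, "ProcessId": 1072, "Image": MMB,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"},
    {"EventID": 13, "ProcessId": 1072, "Image": MMB,
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    {"EventID": 13, "ProcessId": 324, "Image": r"C:\Windows\SysWOW64\dnmhvwudkppqjgj.exe",
     "TargetObject": USER + r"\Software\Microsoft\Windows\CurrentVersion\Run\dnmhvwudkppqjgj"},
    # Benign noise: Explorer changing an unrelated Advanced value, and a key create (EID 12).
    {"EventID": 13, "ProcessId": 4040, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": USER + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\TaskbarGlomLevel"},
    {"EventID": 12, "ProcessId": 1072, "Image": MMB,
     "TargetObject": USER + r"\Software\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for pid, names in sorted(by_process(classify(SAMPLE_EVENTS)).items()):
        print(pid, "->", "; ".join(names))
```

Matching on the hive-stripped path is deliberate: Sysmon records per-user keys under HKU\<SID>, while sandbox reports and most written rules say HKCU, and a rule that only matches one form silently misses the other. The EID 12 key-create record is ignored on purpose; creating the Run key is not the same as writing a value into it.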

Processes

  • C:\Users\Admin\AppData\Local\Temp\4649ca4d0e4bef77de0ec1b6bcbc8731.exe
    "C:\Users\Admin\AppData\Local\Temp\4649ca4d0e4bef77de0ec1b6bcbc8731.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1512
    • C:\Windows\SysWOW64\mmbwyysway.exe
      mmbwyysway.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1072
      • C:\Windows\SysWOW64\wzydropc.exe
        C:\Windows\system32\wzydropc.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3092
    • C:\Windows\SysWOW64\dnmhvwudkppqjgj.exe
      dnmhvwudkppqjgj.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:324
    • C:\Windows\SysWOW64\wzydropc.exe
      wzydropc.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1304
    • C:\Windows\SysWOW64\kmbaahdulriri.exe
      kmbaahdulriri.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1528
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3348
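
The tree above shows the submitted binary in the user's Temp directory writing four randomly named 512KB executables into SysWOW64 and running them, one of them (mmbwyysway.exe) re-launching wzydropc.exe, and WINWORD.EXE being started on C:\Windows\mydoc.rtf, a document placed where no user document lives, which is the usual shape of a decoy. The following is an added example, not tria.ge's code and not part of this report: it recovers that chain from file-create and process-create records by correlating the two ("Executes dropped EXE" is exactly a process whose image another process wrote earlier), flags a Word launch on a document under a system directory, and lists every descendant of the root for containment. The records are constructed from the tree above (same PIDs, image paths and WINWORD command line) with field names imitating Sysmon Event ID 11 and Event ID 1; they are not the report's own telemetry.

```python
"""Recover this report's execution chain from file-create and process-create records.

Added example for this page, not tria.ge code. Records are constructed from the
process tree (same PIDs, images and WINWORD command line); field names imitate
Sysmon EID 11 (FileCreate) and EID 1 (ProcessCreate) but are not real telemetry.
"""
import re

SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\")   # user documents never live here
DOC_EXT = re.compile(r"\.(rtf|docx?|docm|dotm?)$", re.I)
ARG = re.compile(r'"([^"]*)"|(\S+)')                       # quoted or bare command-line tokens


def norm(path):
    return path.strip().lower()


def executes_dropped(events):
    """[(pid, image, dropper_pid)] for EID 1 records whose image path was the
    TargetFilename of an earlier EID 11 record written by a different process."""
    created = {}          # lower-cased path -> pid that first wrote it
    found = []
    for ev in events:     # assumes records are in chronological order
        if ev["EventID"] == 11:
            created.setdefault(norm(ev["TargetFilename"]), ev["ProcessId"])
        elif ev["EventID"] == 1:
            dropper = created.get(norm(ev["Image"]))
            if dropper is not None and dropper != ev["ProcessId"]:
                found.append((ev["ProcessId"], ev["Image"], dropper))
    return found


def decoy_documents(events):
    """[(pid, document_path)] for WINWORD.EXE launches whose document argument
    sits under a system directory."""
    found = []
    for ev in events:
        if ev["EventID"] != 1 or not norm(ev["Image"]).endswith("\\winword.exe"):
            continue
        for quoted, bare in ARG.findall(ev["CommandLine"]):
            tok = quoted or bare
            if DOC_EXT.search(tok) and norm(tok).startswith(SYSTEM_DIRS):
                found.append((ev["ProcessId"], tok))
    return found


def descendants(events, root_pid):
    """Set of PIDs (excluding root) reachable from root_pid via ParentProcessId."""
    children = {}
    for ev in events:
        if ev["EventID"] == 1:
            children.setdefault(ev["ParentProcessId"], []).append(ev["ProcessId"])
    seen, stack = set(), [root_pid]
    while stack:
        for child in children.get(stack.pop(), []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


ROOT = r"C:\Users\Admin\AppData\Local\Temp\4649ca4d0e4bef77de0ec1b6bcbc8731.exe"
SYSWOW = r"C:\Windows\SysWOW64"
WINWORD = r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [  # constructed, chronological; PIDs/images follow the report's tree
    {"EventID": 11, "ProcessId": 1512, "Image": ROOT, "TargetFilename": SYSWOW + r"\mmbwyysway.exe"},
    {"EventID": 11, "ProcessId": 1512, "Image": ROOT, "TargetFilename": SYSWOW + r"\dnmhvwudkppqjgj.exe"},
    {"EventID": 11, "ProcessId": 1512, "Image": ROOT, "TargetFilename": SYSWOW + r"\wzydropc.exe"},
    {"EventID": 11, "ProcessId": 1512, "Image": ROOT, "TargetFilename": SYSWOW + r"\kmbaahdulriri.exe"},
    {"EventID": 11, "ProcessId": 1512, "Image": ROOT, "TargetFilename": r"C:\Windows\mydoc.rtf"},
    {"EventID": 1, "ProcessId": 1072, "ParentProcessId": 1512, "Image": SYSWOW + r"\mmbwyysway.exe",
     "CommandLine": "mmbwyysway.exe"},
    {"EventID": 1, "ProcessId": 3092, "ParentProcessId": 1072, "Image": SYSWOW + r"\wzydropc.exe",
     "CommandLine": r"C:\Windows\system32\wzydropc.exe"},
    {"EventID": 1, "ProcessId": 324, "ParentProcessId": 1512, "Image": SYSWOW + r"\dnmhvwudkppqjgj.exe",
     "CommandLine": "dnmhvwudkppqjgj.exe"},
    {"EventID": 1, "ProcessId": 1304, "ParentProcessId": 1512, "Image": SYSWOW + r"\wzydropc.exe",
     "CommandLine": "wzydropc.exe"},
    {"EventID": 1, "ProcessId": 1528, "ParentProcessId": 1512, "Image": SYSWOW + r"\kmbaahdulriri.exe",
     "CommandLine": "kmbaahdulriri.exe"},
    {"EventID": 1, "ProcessId": 3348, "ParentProcessId": 1512, "Image": WINWORD,
     "CommandLine": '"' + WINWORD + '" /n "C:\\Windows\\mydoc.rtf" /o ""'},
    # Unrelated activity that must not be flagged: an installed program starting from
    # Program Files with no prior FileCreate for its image in the trace (constructed).
    {"EventID": 1, "ProcessId": 5100, "ParentProcessId": 800, "Image": r"C:\Program Files\Vendor\Updater.exe",
     "CommandLine": "Updater.exe /quiet"},
]

if __name__ == "__main__":
    for pid, image, dropper in executes_dropped(SAMPLE_EVENTS):
        print(f"dropped-and-executed: pid {pid} {image} (written by pid {dropper})")
    print("decoy documents:", decoy_documents(SAMPLE_EVENTS))
    print("descendants of 1512:", sorted(descendants(SAMPLE_EVENTS, 1512)))
```

The correlation keys on the full image path rather than the file name, so wzydropc.exe started by mmbwyysway.exe (PID 3092) is still attributed to the original dropper, PID 1512, which is the process to anchor a timeline on. On a real host, follow the drop-and-execute hit with a signature check of the child image: a binary in SysWOW64 that is not Microsoft-signed and was written minutes earlier by something in a Temp directory needs no further argument.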

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    69dfa9908d2a527a8f2ed303a2eb138f

    SHA1

    d76b4477d27f6a216b3fb7e6c1380aaa9059bf24

    SHA256

    593be5e284f9c8d0485034e6d9fa1e85b8d319cb0a87cfa7458e8bbf17c8741e

    SHA512

    bbfecfaae58df9b8a68cc82f0c1572246b4ed9feb7efbe2a96ec6ad177abea98043701a6e5504eb56ec4a8b70e49ffbe1dfdd6748c0c9d23e5a855f8f94df1ce

  • C:\Windows\SysWOW64\dnmhvwudkppqjgj.exe

    Filesize

    512KB

    MD5

    bd62cd41fcfdc062155f7850105c6391

    SHA1

    800964fb9a339f140902385f2e28f0d0c7a23ec8

    SHA256

    f280ab7cf4ebf79c40ec90ae0b848b7c832de42ebcc45d11684da7b9759ae0c8

    SHA512

    26990fbb644848368ab6b5beae0d3ac691213fdbd812a5c4d2543eafb151b9241a837c88d14fa2bfc8ceb3dc00648428581b3b57e344f8295a7cc4695ac38f08

  • C:\Windows\SysWOW64\kmbaahdulriri.exe

    Filesize

    512KB

    MD5

    8a9f42b76ff948889946e3eac5ec0d1a

    SHA1

    4b8aba30c60abae4771b032de7ea52f1b517589d

    SHA256

    0457669dda3dd996c64cc238b3ec0c2d619de9e679e779a3fd8bffc1a0dfa015

    SHA512

    439102872c2adeadf1a52c7ffacb39e1292ed3b90df84d8ee3b9f41a580a0229039eede7492322c05090725649cec79166bca73e49add1149c03d569f25173fb

  • C:\Windows\SysWOW64\mmbwyysway.exe

    Filesize

    512KB

    MD5

    1ba054b9aaf7e9e81c46910a3bb3eef8

    SHA1

    4af66ebced12736f44a1768feb3e07459d21163e

    SHA256

    8052404683a9bca651beffef9834652ff7e53ad6d0d60bdc9e7f8047cc630092

    SHA512

    7532019dd59cc1b2cf870fdc423a75068392991b8671e1cf701b8d7153dbf19f2ce78b8a00666a9f23c9cbf4350cc9bfc810d21f53f3bfd898ac4176258f3cb3

  • C:\Windows\SysWOW64\wzydropc.exe

    Filesize

    512KB

    MD5

    1342f1b2a97df1287c35fe211668bff5

    SHA1

    075a2af99fdae2a5a78e62b902c1a1cb3f2fc518

    SHA256

    d299b24730e18fd0873b3acbb4eaf04c0398c3e6d79fb7577294e3333f4917e4

    SHA512

    6f3d61719cef3041d4945461d9e95392ecf80fad0affac7def026aa49c01b7aef9a9a9fa81dde511bb1de0e17b2f6ba89832f9618c65c6735e6f45e313aebbbf

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    0fdc05cc3f4720a05b923b4156b813c1

    SHA1

    912fe4fbce97a3553a08e62dd0f7bbd9591326bb

    SHA256

    84c4cba26c8bc3a578b0f1924b702641d9ca37f0ff8a883a72a6369482539863

    SHA512

    3a3a1f38cbe39d5e742473349351fc9c0275bd0e0df367e5ea41155f286a89c5c45b4dd625ed2409aa3a4ba78613daf7c6205c447d30289e442429bbbb97a822

  • memory/1512-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/3348-42-0x00007FFBF7970000-0x00007FFBF7980000-memory.dmp

    Filesize

    64KB

  • memory/3348-43-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

    Filesize

    2.0MB

  • memory/3348-39-0x00007FFBF7970000-0x00007FFBF7980000-memory.dmp

    Filesize

    64KB

  • memory/3348-41-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

    Filesize

    2.0MB

  • memory/3348-44-0x00007FFBF7970000-0x00007FFBF7980000-memory.dmp

    Filesize

    64KB

  • memory/3348-45-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

    Filesize

    2.0MB

  • memory/3348-46-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

    Filesize

    2.0MB

  • memory/3348-47-0x00007FFBF5010000-0x00007FFBF5020000-memory.dmp

    Filesize

    64KB

  • memory/3348-40-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

    Filesize

    2.0MB

  • memory/3348-38-0x00007FFBF7970000-0x00007FFBF7980000-memory.dmp

    Filesize

    64KB

  • memory/3348-63-0x00007FFC378F0000-0x00007FFC37AE5000-memory.dmp

    Filesize

    2.0MB

  • memory/3348-70-0x00007FFBF5010000-0x00007FFBF5020000-memory.dmp

    Filesize

    64KB

  • memory/3348-37-0x00007FFBF7970000-0x00007FFBF7980000-memory.dmp

    Filesize

    64KB