Analysis

  • max time kernel
    182s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20231215-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    04/01/2024, 08:49

General

  • Target

    40691b933f9e08d2d4b77987bb8c08aa.exe

  • Size

    512KB

  • MD5

    40691b933f9e08d2d4b77987bb8c08aa

  • SHA1

    acdda4f9c6ac3ee89945d3dc54087ac2aee80604

  • SHA256

    cceb7e90fd67ae52aaba94f7a93291ee5ecbebbd33081c42db66ec57a30ec979

  • SHA512

    6ade6bec64c17d8258929ad8a7c17354501d90d8b6752e373e1d9025687878dfee65769c081151fee093d5b844384f66dc8e0a8295736375f80308deb34f6102

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6E:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5D

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other profile information.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 62 IoCs
  • Suspicious use of SendNotifyMessage 45 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\40691b933f9e08d2d4b77987bb8c08aa.exe
    "C:\Users\Admin\AppData\Local\Temp\40691b933f9e08d2d4b77987bb8c08aa.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2808
    • C:\Windows\SysWOW64\xqnfxulikd.exe
      xqnfxulikd.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Windows\SysWOW64\zeytgzvq.exe
        C:\Windows\system32\zeytgzvq.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:380
    • C:\Windows\SysWOW64\joclnigpkyffpyb.exe
      joclnigpkyffpyb.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2548
    • C:\Windows\SysWOW64\nvscsbhwsxvje.exe
      nvscsbhwsxvje.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1788
    • C:\Windows\SysWOW64\zeytgzvq.exe
      zeytgzvq.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2624
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1128
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1608
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2892

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

      Filesize

      512KB

      MD5

      ccc52a1c61d8dc52562312628d478f2f

      SHA1

      8bc94804c04b4f651bb20f1676001e4907770e16

      SHA256

      342291350e0674499a2d2860b032e119fd160ac6b3158229adf9d62ee17c714e

      SHA512

      d25fafd13d15042fde7dcebf6ab232f3b0fe1f4f2ec84c6dde70234d0aecd3537e6b36cff88b02eb936f0f771ed1f73bf4a88508475dfb3d913a5ed4ceb07183

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      bab76d6e07c53c42443a2991c6bd957b

      SHA1

      10a185b9db4836f6f27268aa6da3cbbfde0e74c9

      SHA256

      cdc4d0f0957d7183b78814747526f846e5e202a40ee8956e10ddb72caac8fb7e

      SHA512

      4363be664872e0b5e12a106e5ba81bd2cef1002baab6addd0dc436c468adb3b7a3a547d94208a6515b372c54c0fd802a3f030f8e56bc10e613c0240867b5203d

    • C:\Users\Admin\Desktop\WaitUndo.doc.exe

      Filesize

      512KB

      MD5

      633042684e9aadfc11fbc5e997fc3375

      SHA1

      5def1004d750835008814fdd9abe7405d14b78b3

      SHA256

      8b62e9cf9904532d20363a4fbe4af5d934a2ce233274c29a2bcd4855a4504e59

      SHA512

      1764136f4753e89a6888d8df359eebdff9ff9c52f01986a6382c7cd120a50c43a3cec1c1736b883851d3663734d51d5e4609da9f3f2fb32aa22582a17be5d4ab

    • C:\Users\Admin\Documents\ReadMeasure.doc.exe

      Filesize

      512KB

      MD5

      ad9e6c480b795591123d00b081083e41

      SHA1

      b78f9b56de101ccb22af080df67200b70536885c

      SHA256

      075f24e165bb994006d2ca3eac0b40fed82d62fb95d743bb65f9e93202699a7f

      SHA512

      12941a73fe457ecd50395be8b03c00354186e528dee444063e6f0e9699b0f4da1fd18103e6dbbde134df1a6795b12abb769c5613790ae9c01af7bd3c58eb7456

    • C:\Windows\SysWOW64\joclnigpkyffpyb.exe

      Filesize

      512KB

      MD5

      b16ccba6b1acd9d19e4ced57c3eab8de

      SHA1

      7d84145093a83c065601b6cc5fbd28aa590fb32a

      SHA256

      ffa6aa13d82f5a3011c07dabb654ffb1dda77c2886d22aec14d6bc1f540c9df9

      SHA512

      e205482ba936167c00ffc2f08827207b9b5495dc1603770101bd43bbe0e3cdac8e30e0e620e83fdb453c131d398fd65ed8c696f65cbf49f460023f5f8a0691ca

    • C:\Windows\SysWOW64\nvscsbhwsxvje.exe

      Filesize

      512KB

      MD5

      2e6bf8a45e61840e9a3c7ee92e159cb6

      SHA1

      4b5e063ca0bf67fb4449a842f7893c19930f24d0

      SHA256

      9d6614d8b82785ab475a7ee7312b591177f5a1357c7646e02de13034b1bbbac0

      SHA512

      208ffd7febecf1061856712169b8f1b3893bb0997801a799c6c192c79c59bd53cc41e878462f976409ee8902dde05b3252446c6aa99470a680e73431a890144e

    • C:\Windows\SysWOW64\zeytgzvq.exe

      Filesize

      512KB

      MD5

      6d6011b7eb1e040d290ce04eed57907c

      SHA1

      2b4d6076dce9e688bad5799f80dedaf965f3560f

      SHA256

      076542c11d399bf6f328309614f3866627460f65b7685dfecb48a4d10f80c53b

      SHA512

      610a842544e520c8bf27b35d90d7fce7faa360d192d9b4b70f2acd2ca3ed2b521a3e3a411e4edb21b6bac001258e716083244e575339752f4414f58bd758c288

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\xqnfxulikd.exe

      Filesize

      512KB

      MD5

      471d29bc9d9dd38b66950b54e00e2e2e

      SHA1

      946495e17018b8d26fe224308e3ea42f4f749e48

      SHA256

      bde70eb8fb3ad7b67fc7d73682aedea755b2f5dd13a10564461c449f068c1fd2

      SHA512

      8861e52be74b2bf29d16ac6d9682cbadcae81d88cdb14cc7f805f9ad4881320c9158d42485276b2a9d99ef6e36cf515f0c4288ea5bda691487a3f836cf2c360e

    • memory/1128-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1128-47-0x000000007170D000-0x0000000071718000-memory.dmp

      Filesize

      44KB

    • memory/1128-45-0x000000002FF91000-0x000000002FF92000-memory.dmp

      Filesize

      4KB

    • memory/1128-85-0x000000007170D000-0x0000000071718000-memory.dmp

      Filesize

      44KB

    • memory/2808-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/2892-62-0x00000000041A0000-0x00000000041A1000-memory.dmp

      Filesize

      4KB

    • memory/2892-86-0x00000000041A0000-0x00000000041A1000-memory.dmp

      Filesize

      4KB

    • memory/2892-92-0x00000000026F0000-0x0000000002700000-memory.dmp

      Filesize

      64KB
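    The Downloads section gives a SHA-256 for every file the sample wrote, and the names follow a recognisable pattern: documents in the user's Desktop and Documents folders and the Office PROTTPL*.DOC templates replaced by 512KB executables with a ".doc.exe" double extension. The following is an added example, not part of the tria.ge report: a host sweep that matches files against those hashes and flags the double-extension naming. The SHA-256 values are copied from the report (including the submitted sample's own hash from the General section); the sweep logic, the demo() self-test on a constructed scratch tree, and the extension list are the author's additions. The rule generalises the ".doc.exe" names on the page to a few other document extensions, which is an assumption.

```python
"""Sweep a directory tree for the files this sample dropped.

Added example, not part of the tria.ge report. SHA-256 values are copied from
the report; the sweep, the double-extension rule and demo() are the author's.
The extension list generalises the .doc.exe names on the page (assumption).
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA-256 -> where the sandbox saw the file (from the report).
DROPPED_SHA256 = {
    "cceb7e90fd67ae52aaba94f7a93291ee5ecbebbd33081c42db66ec57a30ec979": "submitted sample",
    "342291350e0674499a2d2860b032e119fd160ac6b3158229adf9d62ee17c714e": r"Office14\1033\PROTTPLN.DOC.exe",
    "cdc4d0f0957d7183b78814747526f846e5e202a40ee8956e10ddb72caac8fb7e": r"Office14\1033\PROTTPLV.DOC.exe",
    "8b62e9cf9904532d20363a4fbe4af5d934a2ce233274c29a2bcd4855a4504e59": r"Desktop\WaitUndo.doc.exe",
    "075f24e165bb994006d2ca3eac0b40fed82d62fb95d743bb65f9e93202699a7f": r"Documents\ReadMeasure.doc.exe",
    "ffa6aa13d82f5a3011c07dabb654ffb1dda77c2886d22aec14d6bc1f540c9df9": r"SysWOW64\joclnigpkyffpyb.exe",
    "9d6614d8b82785ab475a7ee7312b591177f5a1357c7646e02de13034b1bbbac0": r"SysWOW64\nvscsbhwsxvje.exe",
    "076542c11d399bf6f328309614f3866627460f65b7685dfecb48a4d10f80c53b": r"SysWOW64\zeytgzvq.exe",
    "bde70eb8fb3ad7b67fc7d73682aedea755b2f5dd13a10564461c449f068c1fd2": r"SysWOW64\xqnfxulikd.exe",
    "85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2": r"C:\Windows\mydoc.rtf (decoy)",
}

# Document-looking name in front of .exe, as in WaitUndo.doc.exe / PROTTPLN.DOC.exe.
DISGUISED_EXT = re.compile(r"\.(?:doc|docx|rtf|xls|xlsx|pdf)\.exe$", re.I)


def sha256_file(path, chunk_size=1 << 20) -> str:
    """Stream the file so large volumes do not get read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def has_disguised_extension(name: str) -> bool:
    return DISGUISED_EXT.search(name) is not None


def sweep(root, known=DROPPED_SHA256) -> list:
    """Walk root; return one finding dict per (file, reason) that matches."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # do not follow links out of the tree
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or vanished mid-sweep; keep going
            if digest in known:
                findings.append({"path": path, "sha256": digest,
                                 "reason": "known dropped-file hash", "label": known[digest]})
            if has_disguised_extension(name):
                findings.append({"path": path, "sha256": digest,
                                 "reason": "document name with .exe extension", "label": ""})
    return findings


def demo() -> list:
    """Run the sweep on a constructed scratch tree (no real sample needed).

    The stand-in file cannot reproduce a hash from the report, so its digest is
    added to a copy of the IOC map to exercise the hash-match path as well.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        planted = root / "Documents" / "ReadMeasure.doc.exe"
        planted.parent.mkdir()
        planted.write_bytes(b"constructed stand-in for a dropped PE")
        (root / "notes.txt").write_text("benign")
        known = dict(DROPPED_SHA256)
        known[sha256_file(planted)] = "constructed stand-in"
        return sweep(root, known)


if __name__ == "__main__":
    for hit in demo():
        print(hit["reason"], hit["path"], hit["sha256"][:16])
```

    On a real host, call sweep() on the locations the report names (the user profile, C:\Windows\SysWOW64 and the Office installation directory) and treat a hash match as confirmation; the name rule is lower confidence on its own, but it catches the same infection re-dropped with fresh content, which the hash list will not.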