Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/01/2024, 18:32

General

  • Target

    419bacbe17f2854a74f4dc8147e6b25a.exe

  • Size

    512KB

  • MD5

    419bacbe17f2854a74f4dc8147e6b25a

  • SHA1

    5a8c9da397dcbbe098d985da62858a1ab01e014a

  • SHA256

    652f8702be627fc380f162a3d568d2214da9141b2494a47da1b958c9491ab2e8

  • SHA512

    ecfac2a7e03fc0140184f430c5e4241852e09594cec84dc03c76632feab06efc9c39f0aa6292a5029daeae2bac2dfd9a2264cce37a5fdf6e3b755b23b13f1b9e

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj67:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5a

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
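Most of the signatures above (Explorer visibility, RegEdit, WinLogon, Run key, Security Center and Defender policy) are registry writes. The script below is an added example, not tria.ge code: it maps individual registry write events onto the signature names used in this report so the "n IoCs" counts can be reproduced from a sandbox or EDR event log. The key paths are the standard Windows locations of each setting, but the OBSERVED_WRITES list is constructed for the demonstration (the page does not show the values this sample actually wrote), and pairing the Security Center "*DisableNotify" values with "Windows security bypass" and the Defender policy key with "Windows security modification" is the author's assumption about what those two signatures check.

```python
"""Map registry write events to the signature names in this tria.ge report.

Added example, not tria.ge code. Key paths are the standard Windows
locations; OBSERVED_WRITES is constructed, and the Security Center /
Defender policy pairing with the report's two 'Windows security ...'
signatures is an assumption.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EXPLORER_ADV = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICIES_SYSTEM = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run".lower(),
            r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower()}
SECURITY_CENTER = r"HKLM\SOFTWARE\Microsoft\Security Center"
DEFENDER_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"

LEGIT_SHELL = "explorer.exe"
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"

Write = Tuple[str, str, object]  # (key path, value name, data)


@dataclass(frozen=True)
class Finding:
    signature: str   # name exactly as it appears in the report's Signatures list
    key: str
    value_name: str
    data: object


def _norm(data: object) -> str:
    return str(data).strip().strip('"').lower()


def classify(key: str, name: str, data: object) -> Optional[Finding]:
    """Return the report signature a single registry write corresponds to, if any."""
    k, n = key.lower(), name.lower()
    if k == EXPLORER_ADV.lower():
        # HideFileExt=1 hides extensions, so 'StartInstall.doc.exe' displays as 'StartInstall.doc'
        if n == "hidefileext" and data == 1:
            return Finding("Modifies visibility of file extensions in Explorer", key, name, data)
        # Hidden=2 hides hidden files; ShowSuperHidden=0 hides protected OS files
        if (n == "hidden" and data == 2) or (n == "showsuperhidden" and data == 0):
            return Finding("Modifies visibility of hidden/system files in Explorer", key, name, data)
    if k == POLICIES_SYSTEM.lower() and n == "disableregistrytools" and data in (1, 2):
        return Finding("Disables RegEdit via registry modification", key, name, data)
    if k == WINLOGON.lower():
        # Shell must be exactly explorer.exe; Userinit is a comma list that should hold only userinit.exe
        if n == "shell" and _norm(data) != LEGIT_SHELL:
            return Finding("Modifies WinLogon", key, name, data)
        if n == "userinit" and [p for p in _norm(data).split(",") if p] != [LEGIT_USERINIT]:
            return Finding("Modifies WinLogon", key, name, data)
    if k in RUN_KEYS:
        return Finding("Adds Run key to start application", key, name, data)
    if k == SECURITY_CENTER.lower() and n.endswith("disablenotify") and data == 1:
        return Finding("Windows security bypass", key, name, data)      # assumed mapping
    if k == DEFENDER_POLICY.lower() and n == "disableantispyware" and data == 1:
        return Finding("Windows security modification", key, name, data)  # assumed mapping
    return None


def findings(writes: List[Write]) -> List[Finding]:
    return [f for f in (classify(*w) for w in writes) if f is not None]


def summarize(writes: List[Write]) -> Dict[str, int]:
    """Signature name -> number of writes that triggered it (the report's 'n IoCs')."""
    return dict(Counter(f.signature for f in findings(writes)))


# Constructed event log. File names are borrowed from the report's process tree
# for illustration only; the value names and data are invented for the demo.
OBSERVED_WRITES: List[Write] = [
    (EXPLORER_ADV, "HideFileExt", 1),
    (EXPLORER_ADV, "Hidden", 2),
    (EXPLORER_ADV, "ShowSuperHidden", 0),
    (POLICIES_SYSTEM, "DisableRegistryTools", 1),
    (WINLOGON, "Shell", r"explorer.exe C:\Windows\SysWOW64\xcimqzoune.exe"),
    (WINLOGON, "Userinit", r"C:\Windows\system32\userinit.exe,"),   # legitimate value: no finding
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "skgmeuhpfvxpzwq",
     r"C:\Windows\SysWOW64\skgmeuhpfvxpzwq.exe"),
    (SECURITY_CENTER, "AntiVirusDisableNotify", 1),
    (DEFENDER_POLICY, "DisableAntiSpyware", 1),
    (r"HKCU\Software\Constructed\Noise", "Unrelated", "ignored"),   # unrelated write: no finding
]

if __name__ == "__main__":
    for sig, count in sorted(summarize(OBSERVED_WRITES).items()):
        print(f"{sig}: {count} IoCs")
```

The point of the Explorer checks is the combination with the dropped files listed later in the report: once HideFileExt is 1, a dropped "StartInstall.doc.exe" shows in Explorer as "StartInstall.doc", which is why the Explorer write and the double-extension drop should be read together rather than as two independent alerts.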

Processes

  • C:\Users\Admin\AppData\Local\Temp\419bacbe17f2854a74f4dc8147e6b25a.exe
    "C:\Users\Admin\AppData\Local\Temp\419bacbe17f2854a74f4dc8147e6b25a.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Windows\SysWOW64\xcimqzoune.exe
      xcimqzoune.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Windows\SysWOW64\qojgniub.exe
        C:\Windows\system32\qojgniub.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2576
    • C:\Windows\SysWOW64\skgmeuhpfvxpzwq.exe
      skgmeuhpfvxpzwq.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2572
    • C:\Windows\SysWOW64\qojgniub.exe
      qojgniub.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2680
    • C:\Windows\SysWOW64\laimndrdsptuo.exe
      laimndrdsptuo.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2620
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2484
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1612

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

      Filesize

      512KB

      MD5

      af01d326fe43fa13db89f66366536e24

      SHA1

      1b5573c05805f0c031213b870277705ce539c8a0

      SHA256

      f1d6838de2c14e0a9a68edacbe786f732ab154e0e48cd2d00319f0e1f5f91bc9

      SHA512

      7691cff89f8b6661cb73eb7a302c69a20bff581e800572979a750c89000c21534c91db0df4b8ecf45227a942b54d198394a3fd13f40d05cd18f3de2c0ba83caa

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      ae2196878c7fb6e00460b642f9df6197

      SHA1

      f9755f1ffb15907d675d2a27ff3743054aecfb9e

      SHA256

      f3ca4baec65b0eda2d28e508480e4d6996ea96eeb2f3e243f81bee6497b66f2a

      SHA512

      f86663d26aee06a9b4825f27adc2717ee1110fa4f86d34e3061f8512d9d45e5a79cfd2a78d813bc19848ab0a6a3912ab9950f0b8109be36988fbcb47a41f95ab

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      a716be9358af7a7403960ac667c4697a

      SHA1

      8eeeb1d6e733172855d3c71b1c402600176bce12

      SHA256

      c095e34f0be807f51096ff2e7c7a01aa7bdb53a8fd1da499e13d8858add5dfd2

      SHA512

      fef41bdceace309f3bfce45e4f01c8f1bfd0a95b37197ef18f261e1a245c0a53981dc7ac6b5d0b43ac5797b8f5ec0eee803d742baff46bd336ec9351c60eacc9

    • C:\Users\Admin\Documents\StartInstall.doc.exe

      Filesize

      512KB

      MD5

      ecabb7ace3bc0dd64cd87862c17a84bd

      SHA1

      64c804ff68e1ddba9e3120db7f06c1e5d720ed9a

      SHA256

      1f952875ceb6ad1e1a506a3cb96ace9c6d26a85a21983c8dac568793ebad3577

      SHA512

      dad329d255e7968b78443a565a8475e86a0abaf88b8e19dc6066e4f9b70ea0eef8a3719001abcf1946959e8eed2a4bc4f7340b4739bc39d0ee367b55c7256cf9

    • C:\Windows\SysWOW64\skgmeuhpfvxpzwq.exe

      Filesize

      512KB

      MD5

      d3b429e8f112b9027f177c0fd052e9f6

      SHA1

      72de24a298812b0f50ee5a2c5a841dab28377065

      SHA256

      b2074de0f21f2668a5b0f106bca536b1427a8a9271dcd02e6b02bd3ef82b8240

      SHA512

      17204c1be2c70d41b6215066a0f871526ad3f4ed36c5440a072d8fd4d4209ef3b11de6594324df69d5d4abea8d66f3442a5d631a260976ba10eb36c60afe4a1a

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\laimndrdsptuo.exe

      Filesize

      512KB

      MD5

      7e342cfdcae5bcaef2d248e74c16dc6e

      SHA1

      b314cb9096d2d262feaa453684b79d1cf2ba58de

      SHA256

      b3efd8d6e5ef068c14cd8f26e743d93992ac483db6b15f050d8fca708c848295

      SHA512

      428f3d844d85427e8911313937d6ae114182fe3390a4fad8e4eb0dc455b7cd43477b772e6c12d80de9996ca258b645d355466b41e925b96ae478e9e2f8a62683

    • \Windows\SysWOW64\qojgniub.exe

      Filesize

      512KB

      MD5

      eb3e887140152f8945e8eb4995fb6531

      SHA1

      4996b8544a5671d9dd58db3b348f51bba2f2244f

      SHA256

      49d7b513f20de2e1ee981c1162c24273053ec7f629d6f7d4c23052cb3eaa525a

      SHA512

      e57d3f2e0704c245b211b75b2acd910f7f8dd4da49ab3c3ee3bd289143a9ff293b608d1a3b48d849278a00061d6d0c0019f1ede2c21aa16c9bff97c7d6dab4a3

    • \Windows\SysWOW64\xcimqzoune.exe

      Filesize

      512KB

      MD5

      154310a7d99d96184af742f48641a36d

      SHA1

      23bcee9e28a69823ff072154087defa9835d3213

      SHA256

      4455481e106c79561a95c4aa2999283540a620349f8a91b049aead12cb99ad5a

      SHA512

      b6703b39c7be408c0cb5bb2378e2d129abba214d79801264d346a8ac003e76c3733d163d426b7e7ac1f5677cc302f96de4b11a4da6c5d900616b43c1236ac6cb

    • memory/1888-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/2484-47-0x0000000070F7D000-0x0000000070F88000-memory.dmp

      Filesize

      44KB

    • memory/2484-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2484-45-0x000000002F921000-0x000000002F922000-memory.dmp

      Filesize

      4KB

    • memory/2484-81-0x0000000070F7D000-0x0000000070F88000-memory.dmp

      Filesize

      44KB

    • memory/2484-102-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB
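The Downloads list above is where the drop pattern becomes visible: three 512KB executables named like Office documents (PROTTPLN.DOC.exe, PROTTPLV.DOC.exe, StartInstall.doc.exe), four randomly named 512KB executables in SysWOW64, a 223-byte RTF in C:\Windows that WINWORD is launched to open, and a rewritten Normal.dotm. The script below is an added example, not tria.ge code: it parses the report's "Downloads" text format (a "•" path line followed by label/value pairs) and tags each entry with the pattern it fits. DOWNLOADS_EXCERPT is this report's own list trimmed to a few entries and to the Filesize/MD5/SHA256 fields; the heuristics (double extension, system-directory drop, same-size self-copy, tiny decoy document) and the tag wording are the author's choices.

```python
"""Parse a tria.ge 'Downloads' (dropped files) list and triage each entry.

Added example, not tria.ge code. DOWNLOADS_EXCERPT is this report's own list
trimmed to a few entries and to the Filesize/MD5/SHA256 fields; the tagging
heuristics are the author's.
"""
import re
from typing import Dict, List

UNITS = {"b": 1, "kb": 1024, "mb": 1024 ** 2}


def parse_size(text: str) -> int:
    """'512KB' -> 524288, '223B' -> 223 (the units tria.ge prints)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)\s*(B|KB|MB)", text.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2).lower()])


SAMPLE_SIZE = parse_size("512KB")          # size of the submitted file (General section)
DOC_EXT = {"doc", "docx", "rtf", "xls", "pdf"}
# C:\Windows\x.exe, C:\Windows\SysWOW64\x.exe, \Windows\System32\x.exe
SYSTEM_EXE = re.compile(r"\\windows\\(?:syswow64\\|system32\\)?[^\\]+\.exe$")

DOWNLOADS_EXCERPT = r"""
• C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
  Filesize
  512KB
  MD5
  af01d326fe43fa13db89f66366536e24
  SHA256
  f1d6838de2c14e0a9a68edacbe786f732ab154e0e48cd2d00319f0e1f5f91bc9
• C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
  Filesize
  20KB
  SHA256
  c095e34f0be807f51096ff2e7c7a01aa7bdb53a8fd1da499e13d8858add5dfd2
• C:\Users\Admin\Documents\StartInstall.doc.exe
  Filesize
  512KB
  SHA256
  1f952875ceb6ad1e1a506a3cb96ace9c6d26a85a21983c8dac568793ebad3577
• C:\Windows\SysWOW64\skgmeuhpfvxpzwq.exe
  Filesize
  512KB
  SHA256
  b2074de0f21f2668a5b0f106bca536b1427a8a9271dcd02e6b02bd3ef82b8240
• C:\Windows\mydoc.rtf
  Filesize
  223B
  SHA256
  85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
• \Windows\SysWOW64\xcimqzoune.exe
  Filesize
  512KB
  SHA256
  4455481e106c79561a95c4aa2999283540a620349f8a91b049aead12cb99ad5a
• memory/1888-0-0x0000000000400000-0x0000000000496000-memory.dmp
  Filesize
  600KB
"""


def parse_downloads(text: str) -> List[Dict[str, object]]:
    """Each entry is a '•' path line followed by label/value pairs, one per line."""
    entries: List[Dict[str, object]] = []
    current, label = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            entries.append(current)
            label = None
        elif current is None:
            raise ValueError(f"value before first entry: {line!r}")
        elif label is None:
            label = line.lower()
        else:
            current[label] = line
            label = None
    for e in entries:
        e["size"] = parse_size(str(e.pop("filesize", "0B")))
    return entries


def triage(entry: Dict[str, object]) -> List[str]:
    """Tag one dropped file with the drop patterns it matches."""
    path = str(entry["path"])
    if path.startswith("memory/"):
        return ["memory dump (no file hash)"]
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    parts = name.split(".")
    tags: List[str] = []
    if len(parts) >= 3 and parts[-1] == "exe" and parts[-2] in DOC_EXT:
        tags.append("double extension: document name ending in .exe")
    if SYSTEM_EXE.search(low):
        tags.append("executable dropped in a Windows system directory")
    if name.endswith(".exe") and entry["size"] == SAMPLE_SIZE:
        tags.append("same size as the submitted sample: likely a self-copy")
    if parts[-1] in DOC_EXT and entry["size"] < 1024:
        tags.append("tiny document: decoy opened for the user")
    if name == "normal.dotm":
        tags.append("Word global template rewritten by WINWORD")
    return tags or ["unclassified"]


def triage_all(entries: List[Dict[str, object]]) -> Dict[str, List[str]]:
    return {str(e["path"]): triage(e) for e in entries}


def executable_hashes(entries: List[Dict[str, object]]) -> Dict[str, str]:
    """path -> SHA256 for every dropped PE that has a hash on the page (the IOC list)."""
    return {str(e["path"]): str(e["sha256"]) for e in entries
            if str(e["path"]).lower().endswith(".exe") and "sha256" in e}


if __name__ == "__main__":
    parsed = parse_downloads(DOWNLOADS_EXCERPT)
    for p, tags in triage_all(parsed).items():
        print(p, "->", "; ".join(tags))
```

The size check is deliberately crude: every dropped PE here is exactly 512KB, the same as the submitted file, which is the cheapest evidence that the sample copies itself rather than unpacking a second-stage payload. The memory/... entries carry no hash and are kept separate so they do not pollute the IOC list.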