Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5

469c9f35d4...33.exe

windows7-x64

10

469c9f35d4...33.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    172s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/01/2024, 15:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    469c9f35d47dcbbdf7135c893430fa33.exe

  • Size

    512KB

  • MD5

    469c9f35d47dcbbdf7135c893430fa33

  • SHA1

    04b660df1b63c0da69de9b0ff1d3cca546cd548a

  • SHA256

    f74e1f8bb9b8fd81cb1174c39233ca2f6c2726bd0c015e3fc3e87313a4a721bf

  • SHA512

    96bbf0129bb4af6161b765f02e8d639bb6dcbc83a6996cac274174b003f504c618ae5c30bf04d5925eda1d9a015475fadeb6e1d1929e767b8612aacf5ea7aadb

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6P:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5w

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 17 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\469c9f35d47dcbbdf7135c893430fa33.exe
    "C:\Users\Admin\AppData\Local\Temp\469c9f35d47dcbbdf7135c893430fa33.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4652
    • C:\Windows\SysWOW64\pakejpxztr.exe
      pakejpxztr.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1120
      • C:\Windows\SysWOW64\pbmnpslm.exe
        C:\Windows\system32\pbmnpslm.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2056
    • C:\Windows\SysWOW64\knklgywvvzgbagp.exe
      knklgywvvzgbagp.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1844
    • C:\Windows\SysWOW64\cajrdsmcjhunj.exe
      cajrdsmcjhunj.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3484
    • C:\Windows\SysWOW64\pbmnpslm.exe
      pbmnpslm.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3648
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1388

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    17KB

    MD5

    1857e4470c5c0405eea6032c87e12441

    SHA1

    b148d2bc036416c4918b70e0edad515b07b82c99

    SHA256

    b7b9b05bb46a719e113d466996dadb3ecd970a3c233f00248a6141e8877e5dff

    SHA512

    b62ef3743cd78f478eba1e745e3cfcb53844ff26c9516a489df4d5d0b4ff7aa8954434cc851f326dec3c4e0f1a762513746103c38801f729954b428340c0179b

    Download Submit

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    66KB

    MD5

    8275487192d0022ea520ed52a6d6f95e

    SHA1

    3341f0eedafb5a8f8df0406109ecb394cd0b37a8

    SHA256

    765c04a961c2fc72bfbf8d1ff83e3f2acf9af62e459e25e305b80d42ca1af7c8

    SHA512

    4258290226feec11423748b1a2b9e127d8b12ae90f5fa18d041e3ab2709c60367ada8bff574066b4db4788008d58bcd760e300a1f7bf8f084ddf785de4a0a72a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    bfbe543a47b87d687c299b696bb120f5

    SHA1

    d88f6330bdc17788b8aa5009b563d3217e4088bf

    SHA256

    2485e7eba3b242a7cd0cc413f6e70d3089aec1e4f344e5889362713f1e2046e5

    SHA512

    2dcead34efff60b99055dfb6239e75c501e7ad85c1a611b37fe4aa31c320f3bc914a7a97eae5a764e4909d07bb450c0aa43b2af342718a2bf3815d5269dd2038

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    0b74c5ce5057bb616900506b0699cb6c

    SHA1

    7e3e78b662f8839d43342fbe004d1a72f6b9a799

    SHA256

    80e8978b5d659299af2d9b6b5db5df32bc57819e5612327ee1ea440d13ff2bd1

    SHA512

    f084558b984fabb4f3e080afd1609f9b2d58cb997f8f293ad163ef87d626c49b25782a6b608f81a2e7e1fe1dc79dd79b22c57634bab89473fd92adbd5c8fe074

    Download Submit

  • C:\Users\Admin\Documents\EnterRestart.doc.exe
    Filesize

    181KB

    MD5

    58694c4c12288b2bd684c3cf4ad829ca

    SHA1

    471962924b5e8df2ff64296d177ebe445c768bde

    SHA256

    c8511c9093f2f55841a06876356a5a5989421fb542823434bbafe2436921b763

    SHA512

    85b631b1f2efee3099265ba964d05a361f978d6a5e800ffb073ddebe82a4d3c4cb81d913505b2dbecc3d112b0c2308a40f5b2091e9b596f73c581878cabeac2d

    Download Submit

  • C:\Users\Admin\Documents\JoinResume.doc.exe
    Filesize

    109KB

    MD5

    5459809c987db83de5a85b80de7b0016

    SHA1

    4c5744b78ce06576446214a9f24feac57108483e

    SHA256

    3ad57181e70428b60917f0a652f0b7d5ecf04cd10233a951e3d1ad15f9a15abb

    SHA512

    dd59d2886894dacff762b9534f617574d2b9a4fb28f78acf3b1941e122b7f9a66ad9aed7260628b530f2404d2c8952adb59294ab5f4e314b09fe7ef04fbd40ee

    Download Submit

  • C:\Users\Admin\Documents\ResolveConvertTo.doc.exe
    Filesize

    307KB

    MD5

    a10d724fc3558a543926fcb7deea9807

    SHA1

    7617197261420ff2f5474256f761408bab3ef748

    SHA256

    2974de93fa10f22b731e6f044a6e64c4b5dc2ef38c12e25c590cb64a3f7fd3c5

    SHA512

    0807ffaf69113f5302fbb32bae2f5f9c4eae4faa234ddf62562bd0287549a16be65bf68b33cfade503eae8ee1b033ba8789d5cbb96de1b8a14c240b22cccbfa0

    Download Submit

  • C:\Windows\SysWOW64\cajrdsmcjhunj.exe
    Filesize

    146KB

    MD5

    698b1cb0e5ced2031af2856dc05ee4c5

    SHA1

    26f9aa47011a6f7785112865215ac81add42135e

    SHA256

    4ae5aebf7563e528c6232c3688a389e4b883b80dddd45de11c73390bf415c19a

    SHA512

    145ef0d0423f9ae824aadf7ed1cafd4e4b9477d32a739f0ac03a55d91c12661fbc7b8735758f4bb559a9a46b907cd0994b97916c8df5ba98bef85b515f6f3d10

    Download Submit

  • C:\Windows\SysWOW64\cajrdsmcjhunj.exe
    Filesize

    124KB

    MD5

    de83bfac85a2c62d0cb12eb47652d5dc

    SHA1

    1990b0d527e8ea6e7503d0084dced33b9ffce8a6

    SHA256

    5d14fa9e8658105bdf0715b3de050ea871e8b3aceb585810c35435c966aed51c

    SHA512

    fee49bcb9c25cce746b005724afca9832b0b74b422569a441bb521bec8d31bca3f286c599b8822e7926cae1d0866a27215be6baf8b285356cd1a0bdf4f5da51e

    Download Submit

  • C:\Windows\SysWOW64\knklgywvvzgbagp.exe
    Filesize

    512KB

    MD5

    8c2496846a5a54a1bfe293572f4190e5

    SHA1

    05ef646ddb826e2568b4ab074145ec1949ec04ba

    SHA256

    f936618b8d33a545eb5aec3f67982d7ccf50909a37e2f59fe03e198df3c8d63a

    SHA512

    ea448cb3fbd5ab3a6ac074e7d38869a3d12942faf202494df2d3b78176bc7cc56d258a2950fa2b402ce6e02e41579918cdbaffd72ab6e45145ab0d052809611a

    Download Submit

  • C:\Windows\SysWOW64\pakejpxztr.exe
    Filesize

    512KB

    MD5

    7739e49dd783d71e2700a1b38a383c0d

    SHA1

    1c5dfa0ee0f82836fdbec9f02c9c97f338acf5c0

    SHA256

    18b03a9a8f9c8202f367f57ca878850904c6238e6c018ee2a9e53d67e913e378

    SHA512

    4d7a700e2d5ec396e89029f6b8cd7eb154f03d24681633ad9d8f67a8d5b6d333ae1dccd4fb59639c7d23f930a7ea36ab625b2fa6371df26f668b0c7b5f7817cb

    Download Submit

  • C:\Windows\SysWOW64\pbmnpslm.exe
    Filesize

    512KB

    MD5

    4e571612ad59b288954134e5d30005c0

    SHA1

    667200218147dc383de4adc81c9df0ca6b003e5e

    SHA256

    4a24827e026be2506751e05501224866cef07038c915753a144df26fd39e15a4

    SHA512

    2961ace91eccac835083ee6bef449e9f73b78bcc0525884ed82c166774ad1524b18ef96abc69e03bff35f332d89ad91520593b08b246fb5e755e06d986def49c

    Download Submit

  • C:\Windows\SysWOW64\pbmnpslm.exe
    Filesize

    46KB

    MD5

    06e87148328e96caa3090d2329c94cf8

    SHA1

    39fab5e0dc1b3b52192ea09499533ac100112d89

    SHA256

    54329e1b3f74c1b13deca812aea8350867d1612aa0ce498c997ab3cb685e1b9f

    SHA512

    0888272e8c516a1b2da9c6456ea51353380fa694181cf3b9ed21c4d3d9c0d060d93b0972c76df3cd92e3ddcde396328490c54c9e53e7ad4254a4f444902e56af

    Download Submit

  • C:\Windows\SysWOW64\pbmnpslm.exe
    Filesize

    81KB

    MD5

    731be1bddd08413549ef02036e2d5e20

    SHA1

    89c177092f812574def172c41bb271ce3cc770f9

    SHA256

    0d829ec2eb71997fb0af89fdf888e39f5dee58c21041ad22e5facff0cf4ce821

    SHA512

    f2e871ac02fd78fa07f1edc65a9ebf813cb47c837baa7a07d0c86407e7ebc81e06fad600030e0501545da3f0d19eb06dfc0b59a2102e49379ec01af03e6191a2

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • \??\c:\Users\Admin\Documents\JoinResume.doc.exe
    Filesize

    244KB

    MD5

    215dc89b46d8404b0394dddc5678dd05

    SHA1

    a564d11c448c0bc23b735fb82d4906268065f614

    SHA256

    0af286ab7b518c285800238753b492714775bf375c2ae9fd5847bb91affbae82

    SHA512

    5dce532f78e82c8cf5e01662729d98d9384c058c960d570f2d4d81c932c31814cd79e16ad3a95c797a58cd91552d5e87ffcf105b79af03659af8f3cc8da3fee2

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    192KB

    MD5

    110f40dbeb901f612cee1dc242fdb309

    SHA1

    0d668d172ef81b3f17c1f870513988629c697600

    SHA256

    2776ac73ff5e792a5a804395643f25e611d6eb66037ffd261caacd95ae084b82

    SHA512

    076fda5dfa04f3c443f91657f607ef768185b7753767eb70d557635d398a76f85c8b3c19c7d864f9c342ced1af18c9c98f6f4da4b7bb86dca104230fa71b6df1

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    216KB

    MD5

    5b9c43f3acda66288926108bbd9f64d4

    SHA1

    db391a04ba3434f316df01e0ec713ae2aff18ae0

    SHA256

    8f6da58c2e35705e5f94a8d1a20b6ceda1b5df3c2cbd886f3226689e22ee35bc

    SHA512

    11f80c9fd767a70bb5bf784f8975a63394ef0898b43a589f7054db3a0d1e390dfe043a04444437c7c238345c635064cafa0d8b70523ff346e5f53421d8ee6f5c

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    223KB

    MD5

    6499087f19524509495cd079859a3977

    SHA1

    ff0352811bc247c19c52a1e8ebce284cd8eaa00d

    SHA256

    aa1964c687f04a5c5bd033f34c065cbeb7915a229af919374fef9ad1c328c45f

    SHA512

    188b3c1342f9954c1f619ba7ff96e6ecda932f7c73edf3400954ae1d628c53ff4f3d9fd4309025b744e67f982c3c22e8abf5057be717cdc8635599454d234ddd

    Download Submit

  • memory/1388-52-0x00007FFB4AFC0000-0x00007FFB4AFD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1388-39-0x00007FFB4D170000-0x00007FFB4D180000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1388-55-0x00007FFB8D0F0000-0x00007FFB8D2E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1388-56-0x00007FFB8D0F0000-0x00007FFB8D2E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1388-57-0x00007FFB8D0F0000-0x00007FFB8D2E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1388-58-0x00007FFB4AFC0000-0x00007FFB4AFD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1388-53-0x00007FFB8D0F0000-0x00007FFB8D2E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1388-51-0x00007FFB8D0F0000-0x00007FFB8D2E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1388-45-0x00007FFB8D0F0000-0x00007FFB8D2E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1388-43-0x00007FFB4D170000-0x00007FFB4D180000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1388-50-0x00007FFB8D0F0000-0x00007FFB8D2E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1388-49-0x00007FFB8D0F0000-0x00007FFB8D2E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1388-48-0x00007FFB8D0F0000-0x00007FFB8D2E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1388-47-0x00007FFB8D0F0000-0x00007FFB8D2E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1388-46-0x00007FFB8D0F0000-0x00007FFB8D2E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1388-44-0x00007FFB8D0F0000-0x00007FFB8D2E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1388-42-0x00007FFB4D170000-0x00007FFB4D180000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1388-54-0x00007FFB8D0F0000-0x00007FFB8D2E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1388-38-0x00007FFB4D170000-0x00007FFB4D180000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1388-115-0x00007FFB8D0F0000-0x00007FFB8D2E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1388-116-0x00007FFB8D0F0000-0x00007FFB8D2E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1388-117-0x00007FFB8D0F0000-0x00007FFB8D2E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1388-41-0x00007FFB8D0F0000-0x00007FFB8D2E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1388-40-0x00007FFB8D0F0000-0x00007FFB8D2E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1388-37-0x00007FFB4D170000-0x00007FFB4D180000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1388-155-0x00007FFB4D170000-0x00007FFB4D180000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1388-156-0x00007FFB4D170000-0x00007FFB4D180000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1388-157-0x00007FFB4D170000-0x00007FFB4D180000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1388-159-0x00007FFB8D0F0000-0x00007FFB8D2E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1388-158-0x00007FFB4D170000-0x00007FFB4D180000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1388-161-0x00007FFB8D0F0000-0x00007FFB8D2E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1388-160-0x00007FFB8D0F0000-0x00007FFB8D2E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4652-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

    Download