
Analysis

  • max time kernel
    151s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/01/2024, 04:46

General

  • Target

    4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe

  • Size

    512KB

  • MD5

    4d5e6dfe78c7d6afdcd33b82ac6c93d4

  • SHA1

    d678125310c103b686c19d8440705536b2b39d55

  • SHA256

    a08683608022e84f917558136d95cfce577f1941292cf14a3fceb1a9722bc10d

  • SHA512

    df1b07039b4421aec83ec4907cd47836a65dd9e98ca8dee26f0e4865c778f9443fca5414bd76737052e5f90c54342ac552e627a4de769ad2aae6609aac5d0a92

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6X:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5q

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 16 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
    "C:\Users\Admin\AppData\Local\Temp\4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Windows\SysWOW64\xtiojdexdz.exe
      xtiojdexdz.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\SysWOW64\ixgflrvl.exe
        C:\Windows\system32\ixgflrvl.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2748
    • C:\Windows\SysWOW64\pulgfonxcchgkhu.exe
      pulgfonxcchgkhu.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2728
    • C:\Windows\SysWOW64\ixgflrvl.exe
      ixgflrvl.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2896
    • C:\Windows\SysWOW64\drzraqhgydmpk.exe
      drzraqhgydmpk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2852
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:1452

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      6d3b130730afe2136e5eea1edf2d6cd9

      SHA1

      867ff7f8d239fef7a69dd4f869e7d7eeb54c84c6

      SHA256

      1d04106de82bade844f9259ac3eaac2e79f3ee526ebc45e3db79f8bca0384142

      SHA512

      f27257b98bf0ed0da1830df1f35fd7e26be2662fb74729b1190fcdacdf14d9b60a2e59b4d63f4682a6fd780d8c5a16cef83b48215d3533e14dbde7e39ed9a140

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      86d11f40a58cd847ed0ce94ef908df0e

      SHA1

      353898d0670796d904fb0fe2bfb2ccc71b431186

      SHA256

      679f565e931648cb0da031d6506840e0533711cfc7ac234f618aea8fe6422fef

      SHA512

      37e3119cb423f606c7d61d224c3e56b01a16d86c3bf8eb36902828bad553a7bcd8ae1d54f97b9ffb65e9035366f875f6730fdac96f14d410a0e88940ce4f6dd3

    • C:\Windows\SysWOW64\drzraqhgydmpk.exe

      Filesize

      69KB

      MD5

      ed46282b641847f19c32696ced33d0f7

      SHA1

      6fa698b85369b21be5c2f8b7e04241eacd010b16

      SHA256

      7e3bc5f2b2e533173d410aa3d845600c45a847c1091f9652e09ccb1685871b98

      SHA512

      d05e2eec91e4814ea518f71b2b472929ceae7eaa8872348b43514e64b1981b60a89b8d9b10abb85b97fb5765ebf214c1e85a07cb92571da108dd3704e4c80bab

    • C:\Windows\SysWOW64\drzraqhgydmpk.exe

      Filesize

      1KB

      MD5

      ec89629d437c17787acc7061c89e753c

      SHA1

      c65089b32eba1cf75d3546335718073460c971f9

      SHA256

      87b17909878537f2c3d3bc046f54b9eb382e312fa75d2b177457a978dcc7d83c

      SHA512

      65f02cc30b64e2c33d7287c135bc0bb20abe1e35c7176a03e47403db3e21da28f7e7ec7a13ef748aeb76ac06e5e159a9b4e62196692c3411459a4ae235a1bec9

    • C:\Windows\SysWOW64\ixgflrvl.exe

      Filesize

      62KB

      MD5

      017e548bdfd8961c9268326a363dbda6

      SHA1

      787ae0b7cc229f67707d20014537071311420e30

      SHA256

      c4a39ce873f4415be3933ffd7d9aac31940a8e06f3a585011d485a9dd83c7d06

      SHA512

      dae69fa212f33f96849477e8ff97c036620b0aa33dc19786cae01536a91d005b00371547682f89eac70d731f626db8695b359e39828c46757dcaadff43e78821

    • C:\Windows\SysWOW64\ixgflrvl.exe

      Filesize

      33KB

      MD5

      05fff811b43c3fdb8a6f1ccc920fbb28

      SHA1

      e40c7a343e2cb06b22f9d9fcd83bce75562c38d7

      SHA256

      6c2bc990abeea3203e617d28e0dafe6639f1785e47d8233503ce3eb87f233849

      SHA512

      677458d59741fa03fa04c0360f503ff2bb02c04f3ade40d3639dc93a2bfe38758852b668ecdc05a3e8b3c285d8d387d279a0b6347bf4c75278737eb8d51f0f16

    • C:\Windows\SysWOW64\ixgflrvl.exe

      Filesize

      7KB

      MD5

      88efa173783dc69eab793e956ea2507c

      SHA1

      2eeda12c20feedb49d015b6d9c3d40d5df0867a0

      SHA256

      7c9b4687195cd24a6281be5d97f3075145731ca3b611cff5df9b1fba46b691be

      SHA512

      976b0c8dfd9aca3fb704d0dd26d26582337e31bb59ebf3b6311de9a2ad9c5791343258683df923b644ee8c906d4d859ff836fd149c131c9dd99e540f863c99f9

    • C:\Windows\SysWOW64\pulgfonxcchgkhu.exe

      Filesize

      51KB

      MD5

      c58dff29c07cb4e218f17ab9bc71fd19

      SHA1

      cabea63cf07b035a52ca7fd155c678c5b7382770

      SHA256

      f9f94f01e198c6a5cabc1bc9c9b40f1e2728a7a343aa6c807d9d8288ade96b7c

      SHA512

      1d0f884575ac5f4ddded2148f19f3d6270198ef4cc33d9841579b28640b3509a320f10400b2226d494e869ec66d3c91857068874cefc28d9c26b1d88e957753b

    • C:\Windows\SysWOW64\pulgfonxcchgkhu.exe

      Filesize

      62KB

      MD5

      36e91ca7841c65c8b098f74deb9a249c

      SHA1

      9e408a110245db5777ec9ed9e269901e9836eafa

      SHA256

      597a042fc38e4d92229a91351a5cd4ce477e1cc0a25375f5de5d710cd6392b41

      SHA512

      90210143d146bb2d8db91df90d7f39f6bccb731870e09edf6cb4a402e029cc1a2095d7cec5569241052e91b21aac4349a98118914647766a3f1bac0c11679c91

    • C:\Windows\SysWOW64\pulgfonxcchgkhu.exe

      Filesize

      512KB

      MD5

      5503dae307774331521103dedbbccfdb

      SHA1

      32a63c53f25b58f284db754c71d4e4df75ba2868

      SHA256

      0496f02ce041af68fd2a157f186e3b928244f61fa88f90865d400969997d0650

      SHA512

      c430d3d716ff42bb75ba0c6b38a975108afeaff5af10d23317723f0f29bfdb76bd0b332419965aea8e2c074957b2ad13413e6f23d79cb69a691b7f6668f1f538

    • C:\Windows\SysWOW64\xtiojdexdz.exe

      Filesize

      266KB

      MD5

      3ba919cf1e8ca4baf44a70be84880cb1

      SHA1

      41ea9de2807ef03f57cf564a224712e124287755

      SHA256

      364dadfceff8e3313a0b924afdca4814d8a7e3c507f39b3d6c4d6f3965ce5de8

      SHA512

      8f965a86cab8514538edc65af094effa9da66340c549ab048dedf4d16033d42d78222b6f3ce6f6106c0a58bbcf4421ba870b8e2480ed28cd7a558a9bb6858f63

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\drzraqhgydmpk.exe

      Filesize

      45KB

      MD5

      e8d0a210a7de9cb675e1378280b0b6de

      SHA1

      c2ab939a2766a03bf6c24459cd935c2d580f220d

      SHA256

      c7c4be5ef5432feb35d5b82dadc75a8e6292be3f6630a23c22c1b66957344d0b

      SHA512

      e3aed655216ba65313dfc649215cb55b215aa5a3bccb14598d335ada70f6b0d02cc0133b02e755ae53f6e3983c19366dda6364ca91976fb07def3f5eaeb54fb5

    • \Windows\SysWOW64\ixgflrvl.exe

      Filesize

      79KB

      MD5

      23d80d6c0f188b47e51f974a0b802708

      SHA1

      5b510e857b46de80c83e904a670f22db4c06ba4d

      SHA256

      a068be9b5cc41de25f043a1f42d6a9b3a126c1b3062db6a5612299b8519da527

      SHA512

      a09d83298f2d15fef3bb9699878a40d07ecb69b13d340709a32423b56edcc79e97cc398cba7b6915bf5b0e186a239e1d800c59e04c9fa4b82e45c042d94a3799

    • \Windows\SysWOW64\ixgflrvl.exe

      Filesize

      11KB

      MD5

      5f7990983a1bd89887ec3cc0c570424b

      SHA1

      819a85aeb3aa5e7a143ecbdca07e9b0db29f43da

      SHA256

      d860742a7159164106750b5de95e740c8372053706f76b90012200b02e4778f1

      SHA512

      96211bbc945ddee6c3e9392a7d556df4e95f867f5c954b9cfda2d326e2c01dbdb748257b5e8dd420f753c781ae5671549c358d5446cbab4b6ed413bf94cc1a97

    • \Windows\SysWOW64\pulgfonxcchgkhu.exe

      Filesize

      177KB

      MD5

      0381fd0e78841e1f5727a9e4dbc32c90

      SHA1

      4b7671c2ac18ca74776b8f4356b948aeab153571

      SHA256

      5b20fe75d6a2f04bde3d441bc19725da20cdb27701d31bd423225071660cd525

      SHA512

      788451e37b9b0cc789d27aa1a5ce418ffee9466e28ec0da29e1b3a9553585aa0f08caea0a08b890193ac5b2a6e592e1194c813b8c380e68bd6c5ca5332d60021

    • \Windows\SysWOW64\xtiojdexdz.exe

      Filesize

      512KB

      MD5

      1fcb70e614aa7d3c1279f8bf5e306353

      SHA1

      32cdae750d4baadb2fef90cb51adccd0ee48359c

      SHA256

      db6f8498ab6aa909eb94aab0c0e04a0c64f37af59b9e4feef56996be37adc6e7

      SHA512

      c2f88ecadf9c39fec568c0de35119d1fd6484723bc8efe6fcbb522e1df00728964f243068d934e35fb2f3ed7aa0822a1e5344ac41b63ee6a5163ae104e59620c

    • memory/2480-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/2608-45-0x000000002F171000-0x000000002F172000-memory.dmp

      Filesize

      4KB

    • memory/2608-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2608-47-0x0000000070D0D000-0x0000000070D18000-memory.dmp

      Filesize

      44KB

    • memory/2608-75-0x0000000070D0D000-0x0000000070D18000-memory.dmp

      Filesize

      44KB

    • memory/2608-96-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB