Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5

4d5e6dfe78...d4.exe

windows7-x64

10

4d5e6dfe78...d4.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    1s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/01/2024, 04:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe

  • Size

    512KB

  • MD5

    4d5e6dfe78c7d6afdcd33b82ac6c93d4

  • SHA1

    d678125310c103b686c19d8440705536b2b39d55

  • SHA256

    a08683608022e84f917558136d95cfce577f1941292cf14a3fceb1a9722bc10d

  • SHA512

    df1b07039b4421aec83ec4907cd47836a65dd9e98ca8dee26f0e4865c778f9443fca5414bd76737052e5f90c54342ac552e627a4de769ad2aae6609aac5d0a92

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6X:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5q

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • AutoIT Executable 22 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
    "C:\Users\Admin\AppData\Local\Temp\4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Windows\SysWOW64\crzxbsirfg.exe
      crzxbsirfg.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4912
      • C:\Windows\SysWOW64\kslguljs.exe
        C:\Windows\system32\kslguljs.exe
        3⤵
          PID:3096
      • C:\Windows\SysWOW64\tdyqmznxzgonoeu.exe
        tdyqmznxzgonoeu.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4056
      • C:\Windows\SysWOW64\skycbohzmblvo.exe
        skycbohzmblvo.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1180
      • C:\Windows\SysWOW64\kslguljs.exe
        kslguljs.exe
        2⤵
        • Executes dropped EXE
        PID:3872
      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        2⤵
          PID:316

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\ConfirmSubmit.doc.exe
        Filesize

        57KB

        MD5

        3a81bb7f89fff51fd80d1e9e1e60471f

        SHA1

        7c04e73b47855108f7cb0f1f8e76b71078d74158

        SHA256

        7afee2b09ec479879bca80da134ceff2df40ad8eff99ed5b1461e6b64e3c474e

        SHA512

        d8500626b99b14b8e441c88b9a8431db9188b5dea17610b1d5ff35a199195026f6c9961281e7c3a4babe8c88b1a949a03a42c6872e2eb0ec1761f65095f777cc

        Download Submit

      • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
        Filesize

        62KB

        MD5

        d0ab4b5e3abd207f49d49c2dbea9b582

        SHA1

        66e0d9f893de0db38434664722b7f9d6187e1326

        SHA256

        b25beae579f5dbddfd5a132fd552170c99483681ad06497699ccd410e0abfc34

        SHA512

        8773f809569e91b2a37c72352720277fd0567eb52924e3d1d71291d299e1ca45e43b7975cf1a7790a3a5f5b2ad3eb9fe0daa2d3f88ec13b623ae1c04db13f1cc

        Download Submit

      • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
        Filesize

        40KB

        MD5

        c97cafecbbdae036cac1dc7e886aa4c2

        SHA1

        f3114429144b6a538cfb6b7658d41e6a66fe1e7b

        SHA256

        d36f7d55fb7a69ffe4060b22ed61735234aedf6bc417b879e343ee30e21c0eab

        SHA512

        9da6cdd92f1b2bfa209fb5dbc18ac1c77d6ba518f87f2fede23aa2f108d5542a3cdee78786232aef2a43c7826a2627835c533b083c132590be2cd2e2a74c65e8

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
        Filesize

        239B

        MD5

        12b138a5a40ffb88d1850866bf2959cd

        SHA1

        57001ba2de61329118440de3e9f8a81074cb28a2

        SHA256

        9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

        SHA512

        9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
        Filesize

        3KB

        MD5

        d7161614227f6d13ce08ece24cff5dc4

        SHA1

        d269d7914c6e4a6513081f1ad99bab3cad67f7f8

        SHA256

        ca2e34f750aa68f9fcaf9bd50456bd6b97726b421d409e72cd7b91c51eb925d9

        SHA512

        10ac3c6c77a0623a45308c4c69a761726251fa0e26b365938a00f9a338fdad70c50a9041fa90264f17f9e3e92fd5d7678ee5962fda6603fac1abdad65a4e97e3

        Download Submit

      • C:\Users\Admin\Documents\UnprotectStop.doc.exe
        Filesize

        39KB

        MD5

        d939978ab2c38d02cb4f95f83986e4d5

        SHA1

        f5ca80cb012df98953210f631b2873176c92dcf3

        SHA256

        6029469f05263270b11ca05c16764b0b40981cc6cf6a85a8936389252c3be692

        SHA512

        278f2c3a000362d978798922f947b42a0cff030315c69e341635c678d17ed0d55e6db3de1e2b1d07da293d17fc9cd6477b96277b30da25dfed3215c21c6ea6aa

        Download Submit

      • C:\Users\Admin\Downloads\DenyConnect.doc.exe
        Filesize

        1KB

        MD5

        ec89629d437c17787acc7061c89e753c

        SHA1

        c65089b32eba1cf75d3546335718073460c971f9

        SHA256

        87b17909878537f2c3d3bc046f54b9eb382e312fa75d2b177457a978dcc7d83c

        SHA512

        65f02cc30b64e2c33d7287c135bc0bb20abe1e35c7176a03e47403db3e21da28f7e7ec7a13ef748aeb76ac06e5e159a9b4e62196692c3411459a4ae235a1bec9

        Download Submit

      • C:\Windows\SysWOW64\crzxbsirfg.exe
        Filesize

        55KB

        MD5

        3708f1ab904be3391fba4fdde2f15bc6

        SHA1

        fae942bbc5fa4dae7aef5fcabf04f1fa1a570393

        SHA256

        f970c857983b4e0d2c578c67023a7d92451565bb9efb0c8ef324b564af2ae0d6

        SHA512

        7e3f3b08a80106253b450366a9a15e916743feb661e416fbfc07006aa0ca8d2263736e529f82769d63478405221adc1313682c3db5a43645d0661038fc355ea1

        Download Submit

      • C:\Windows\SysWOW64\crzxbsirfg.exe
        Filesize

        56KB

        MD5

        1aa60022302d272bbddf3b1be0a4ab6d

        SHA1

        2deee5821ac170dc248a1015e1d442e370e4413d

        SHA256

        c0d0683bdb9ba29302c025da268d52cabac463bc9f7159787e0935147644d945

        SHA512

        8253c5bb9f5bbcfd42deafb285449ccc433b5ef8dc0f7b5f2c05aa466f168caefd0390248addfa5ce743d26dd8d37c6af917c3fc28f5e011355689eb1cdc5cb6

        Download Submit

      • C:\Windows\SysWOW64\kslguljs.exe
        Filesize

        66KB

        MD5

        7bc21dc4153a07fde0a0b4afd767e177

        SHA1

        6007bbdb88d7176c60ba40cb15a2ef49305619bd

        SHA256

        ecafa4adb34f9862bfe3b1d95385f42ca31d57efcf7d6aafbf8248b2c35d4ad1

        SHA512

        49a6f817d8075fac1f486c56eacc16831c6674fef0ade809cb6655e402c0f6a352ec269e02544a8c74bfb1236c8208ed390bac097ae70230e81dd37221e981ef

        Download Submit

      • C:\Windows\SysWOW64\kslguljs.exe
        Filesize

        27KB

        MD5

        29d43ac90cd1074a950e25396a4f28cf

        SHA1

        505f2f8c6a826552edb394c24abe5dcbb2cf2439

        SHA256

        a83f7e24b0fcc32eff002567a6e107b3f32d70c181ed588b4b79ad80ae51509c

        SHA512

        689ec0fa5be77f5f1162d4796ff4a21f295beb868b306b4b6b75d70a19e8220ee5925e54bb89790a1d2bed59b8d63d3835ad44892a915f37e814687487a27ecd

        Download Submit

      • C:\Windows\SysWOW64\kslguljs.exe
        Filesize

        29KB

        MD5

        3e8688ab641e0c8968281fa789622906

        SHA1

        347023fe09554602f52dadde8b7c064cab81eff7

        SHA256

        1e0f10470392c3352ba0862457d46ae35772c632ad93efe8e06be5a29f9328c1

        SHA512

        2f087af80a72c285f25a5736948b9de4d6d699d2c1152b3b2f105d0a6dd50f3cba28107a67b7a81dde34b00794c340f15548203dda51cda9257e4cb67dfe5a7f

        Download Submit

      • C:\Windows\SysWOW64\skycbohzmblvo.exe
        Filesize

        37KB

        MD5

        66a85cc6824d52651d93864e4e18f6f5

        SHA1

        bd80300004c28791b28bda5d77e400b6997ec888

        SHA256

        49fe03a8e6a7e56fdafe931034d175c45c6929d510b349f29cfc96a57991a144

        SHA512

        ec3f015ac27841935e6c63b8863c1fbb4fb462bdb14340daa8d39fb4ec2c6801115bdf5d1ade9a8a3df87256c8e171d7cfc586b0ef417f0aeaa90c9734aa63e5

        Download Submit

      • C:\Windows\SysWOW64\skycbohzmblvo.exe
        Filesize

        40KB

        MD5

        4ad159b3d610d32e978c08d5a2cac062

        SHA1

        22b66b51e6e9568ea1cab2c372fb8b410820b171

        SHA256

        14b9d02236fe41eb317eef88d98b42850b7f1d801a381959827c92cc5d08f0fc

        SHA512

        d2c379658f305519b2ffcf5808e8952e4d67994eeb7412ba2b9914aeb0f27bf3751e8b87e07750da77a0da162dd7d8fa1703503cfedbb1c64a5014404e06ce04

        Download Submit

      • C:\Windows\SysWOW64\tdyqmznxzgonoeu.exe
        Filesize

        101KB

        MD5

        c48e641f0696cb5a3cf84ef34f6078b8

        SHA1

        fa530a47217d18c99a546baa52ceac8687a30a18

        SHA256

        70da0bccca39f0e51c058f1c1b031c619e8bc95cbfc1820f9a8c46ecd693b3f8

        SHA512

        1b8a7f7cce9b6563d4bf91cccf5d051cb276baee7995f1ab58d39ab49efc7cb7f553ce30dfba4b991c07a57ca1b16deb81d617b733e11a6bf553768bd41e139f

        Download Submit

      • C:\Windows\SysWOW64\tdyqmznxzgonoeu.exe
        Filesize

        48KB

        MD5

        4277b01699bc59758ad5e9b0a4718b0a

        SHA1

        0a17013fa0685a1cf485c0283624d9db1a78093e

        SHA256

        b5dc01ff43784aed62c508623eda0f05c7bec0bc20d5689727ed55375413fa50

        SHA512

        4368a305922e48951fb04e3f778994ff48421657e6ec50ddf90bbea3bf1ab78075f328e4b7feb20fc9d075d5cfff9157ac17f53bdd3f3aa26c19e63681d2d743

        Download Submit

      • C:\Windows\SysWOW64\tdyqmznxzgonoeu.exe
        Filesize

        164KB

        MD5

        3238036331341c9fbba8e4b911b1b464

        SHA1

        6676147a8081c7ca97f9b1b008dc0a32a7ba2ccc

        SHA256

        352191ff313a25fc788a273c1ba64b31754b64eee2327cd062cd1be69ee23aa4

        SHA512

        55bd2e5da0d563dee475d8d876cc1b93dbe985403a3f3a43e72f6f0a00b64a7c7119c58ec66a1a4a8e8cb9fa68ba60c7daa3b73948ca600232262cdd067bc964

        Download Submit

      • C:\Windows\mydoc.rtf
        Filesize

        223B

        MD5

        06604e5941c126e2e7be02c5cd9f62ec

        SHA1

        4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

        SHA256

        85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

        SHA512

        803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

        Download Submit

      • \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
        Filesize

        36KB

        MD5

        acc30b82036429fe458ee93484e5533b

        SHA1

        f8442cad06d9a94ad937c16b9ea141a4a6b6183d

        SHA256

        d63bada2ce9b7f1ab28032c9c65d91318985bc0d3a0d208eebfac6b2cd7091c1

        SHA512

        1f28f5289ab25dea0b6c42ec6969f9a49155cd7024197145acc57f547a25de9411d10532d251e507656d52bdb5e70500584b60023e63677bb5973f4166113d14

        Download Submit

      • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
        Filesize

        23KB

        MD5

        e86e1b120d0d43363252397c348eacd1

        SHA1

        80d30ca425a3bd0668c95ff40f3b7cbcf85e3736

        SHA256

        40c26b8c0daa56647ddecf9506e98291961759293ca0e185b588e59ca73607cf

        SHA512

        77751e1cad974da53a965d0870497587477efefa3d1ff56d7c9451255610e24912ffd9b14a812fc2642a1020550f1084477dd6b6b2182ad7d3e7c24cf083bbd7

        Download Submit

      • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
        Filesize

        5KB

        MD5

        4218d293ed3612d8982614d241dce0cc

        SHA1

        15388b63642a6838393deb28fa18b077e24d49d8

        SHA256

        6d0bdb0ae5753df5ec4c6fec380b19657a4a3f092e68a2e6ade4e0a3427d65f2

        SHA512

        033fd49279c5eb84aaf0a775b8d26de13ee10694b6922d04ac2b1a281fb0473ee2efe8114d52a2525dab8f7d057b79aefb06c6d952394bb316b49db4d2d00703

        Download Submit

      • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
        Filesize

        9KB

        MD5

        b35b1f4c5eb499f62524766be9a3f580

        SHA1

        f3a95cd805d4d178906b33d01887e100ac31639f

        SHA256

        e311cc9039f96406b84412246561aed0aa49832d741b137e342843fe26d45b3d

        SHA512

        885bb3047c46cd65081975934aad7936ca99e4c146f0eeae98e36adb5b52c92c7a2a1cc8e645f50b8445dd5aa9d88e1db0ef860bb24c5f7122a87dd2b586a5a7

        Download Submit

      • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
        Filesize

        2KB

        MD5

        f8d64fbc319cb58315b645e476ab77f9

        SHA1

        db35f786a78ef8f206424d594c90ade339b62931

        SHA256

        58facb95e3bed902972446b15300f57f25ad43739ef0999e6778a1d76eee915d

        SHA512

        f6bd89fe954e75447753d2bce6c3c9c1b31e67e4d224414f48f40255d285c4cfc9a35db41a62f837314fcc6a450239de88b71307a202b940779214447a67ebfc

        Download Submit

      • memory/316-59-0x00007FF92CFB0000-0x00007FF92D1A5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/316-60-0x00007FF92CFB0000-0x00007FF92D1A5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/316-41-0x00007FF92CFB0000-0x00007FF92D1A5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/316-40-0x00007FF8ED030000-0x00007FF8ED040000-memory.dmp

        Filesize

        64KB

        Download

      • memory/316-45-0x00007FF92CFB0000-0x00007FF92D1A5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/316-39-0x00007FF8ED030000-0x00007FF8ED040000-memory.dmp

        Filesize

        64KB

        Download

      • memory/316-38-0x00007FF8ED030000-0x00007FF8ED040000-memory.dmp

        Filesize

        64KB

        Download

      • memory/316-37-0x00007FF8ED030000-0x00007FF8ED040000-memory.dmp

        Filesize

        64KB

        Download

      • memory/316-48-0x00007FF92CFB0000-0x00007FF92D1A5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/316-49-0x00007FF92CFB0000-0x00007FF92D1A5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/316-55-0x00007FF8EAD20000-0x00007FF8EAD30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/316-58-0x00007FF92CFB0000-0x00007FF92D1A5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/316-62-0x00007FF92CFB0000-0x00007FF92D1A5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/316-63-0x00007FF8EAD20000-0x00007FF8EAD30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/316-61-0x00007FF92CFB0000-0x00007FF92D1A5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/316-42-0x00007FF8ED030000-0x00007FF8ED040000-memory.dmp

        Filesize

        64KB

        Download

      • memory/316-156-0x00007FF8ED030000-0x00007FF8ED040000-memory.dmp

        Filesize

        64KB

        Download

      • memory/316-57-0x00007FF92CFB0000-0x00007FF92D1A5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/316-56-0x00007FF92CFB0000-0x00007FF92D1A5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/316-50-0x00007FF92CFB0000-0x00007FF92D1A5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/316-47-0x00007FF92CFB0000-0x00007FF92D1A5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/316-46-0x00007FF92CFB0000-0x00007FF92D1A5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/316-44-0x00007FF92CFB0000-0x00007FF92D1A5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/316-43-0x00007FF92CFB0000-0x00007FF92D1A5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/316-134-0x00007FF92CFB0000-0x00007FF92D1A5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/316-158-0x00007FF8ED030000-0x00007FF8ED040000-memory.dmp

        Filesize

        64KB

        Download

      • memory/316-161-0x00007FF92CFB0000-0x00007FF92D1A5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/316-162-0x00007FF92CFB0000-0x00007FF92D1A5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/316-160-0x00007FF92CFB0000-0x00007FF92D1A5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/316-159-0x00007FF8ED030000-0x00007FF8ED040000-memory.dmp

        Filesize

        64KB

        Download

      • memory/316-157-0x00007FF8ED030000-0x00007FF8ED040000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1608-0-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download