Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/01/2024, 03:19 UTC

General

  • Target
    5263ee44519d3d416ec840fd28e3757c.exe
  • Size
    512KB
  • MD5
    5263ee44519d3d416ec840fd28e3757c
  • SHA1
    b9f96e553e4e668d14d01d60ff67e4f647545906
  • SHA256
    84d7ddcbfd77db7442c481199561925908aca7c30f36a28a39ceeafa0e9210ff
  • SHA512
    8929f25b5a14b77f367fd52fcdce3ff915fa55b16777c2439c2452fd8d79fe33ef5a5183ca03954b7bc8d556298ecafb2634f546fcb2e4c19a1f50ac9413154b
  • SSDEEP
    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6W:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5r

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 16 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 28 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5263ee44519d3d416ec840fd28e3757c.exe
    "C:\Users\Admin\AppData\Local\Temp\5263ee44519d3d416ec840fd28e3757c.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Windows\SysWOW64\ztdcyywuec.exe
      ztdcyywuec.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\SysWOW64\knkvosfu.exe
        C:\Windows\system32\knkvosfu.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:1952
    • C:\Windows\SysWOW64\vugbpulyscsnmbp.exe
      vugbpulyscsnmbp.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2788
    • C:\Windows\SysWOW64\pkviyyzhkzaaq.exe
      pkviyyzhkzaaq.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2084
    • C:\Windows\SysWOW64\knkvosfu.exe
      knkvosfu.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2712
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2580
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2472

Network

MITRE ATT&CK Enterprise v15

Downloads
