Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    11/01/2024, 03:19

General

  • Target

    5263ee44519d3d416ec840fd28e3757c.exe

  • Size

    512KB

  • MD5

    5263ee44519d3d416ec840fd28e3757c

  • SHA1

    b9f96e553e4e668d14d01d60ff67e4f647545906

  • SHA256

    84d7ddcbfd77db7442c481199561925908aca7c30f36a28a39ceeafa0e9210ff

  • SHA512

    8929f25b5a14b77f367fd52fcdce3ff915fa55b16777c2439c2452fd8d79fe33ef5a5183ca03954b7bc8d556298ecafb2634f546fcb2e4c19a1f50ac9413154b

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6W:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5r

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 16 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 28 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5263ee44519d3d416ec840fd28e3757c.exe
    "C:\Users\Admin\AppData\Local\Temp\5263ee44519d3d416ec840fd28e3757c.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Windows\SysWOW64\ztdcyywuec.exe
      ztdcyywuec.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\SysWOW64\knkvosfu.exe
        C:\Windows\system32\knkvosfu.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:1952
    • C:\Windows\SysWOW64\vugbpulyscsnmbp.exe
      vugbpulyscsnmbp.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2788
    • C:\Windows\SysWOW64\pkviyyzhkzaaq.exe
      pkviyyzhkzaaq.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2084
    • C:\Windows\SysWOW64\knkvosfu.exe
      knkvosfu.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2712
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2580
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2472

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\DisconnectStart.doc.exe

    Filesize

    337KB

    MD5

    3eb0a308d41f6936208559c255e8877b

    SHA1

    a4bac734ad29b66f009bcc65d2e558313abd11e9

    SHA256

    9db914eb0fa4e170ea2456f42b0514eb03ec48549c671e470ea7280dafd02bbf

    SHA512

    9a58ed28d2b1da8fbb617bf1d76a0ec35b9181243196f580a7c692f99d66af3cfdd9c61f4098f9680a7c3e273f14bae7b98cd0a1c3961ede4f9f97364ad65327

  • C:\Windows\SysWOW64\knkvosfu.exe

    Filesize

    30KB

    MD5

    9049e6bbc10adaa2c03d5a60e579ccf3

    SHA1

    e47e06c43f2ec0561483b761ae2ecccd3712ed9d

    SHA256

    f714cb3575b5a702f70abb9dc899cf25f279f44c01c0a3e46d74f52ce4728283

    SHA512

    800ff578e97ec5990c578b07aa0926c46d36683b6a49e0433e004b9f59a0e58474b3053c54258545d67c3725e1695960b0eb3fa6711dab14374bac02271c81be

  • C:\Windows\SysWOW64\knkvosfu.exe

    Filesize

    345KB

    MD5

    34bdbe55c7eb68b4aea144e2ccadabe8

    SHA1

    34b8fe6e7573a61f9704732b7671957b4214aaa7

    SHA256

    83e7f5d2420849eadf2e9d703bbd0cac012e6d5cf43ec19a75c626f53005fd89

    SHA512

    47f2a805bd367e6eb508cff044bfbcc32f4e34a71c5486b8bfc9840306a6551376eb4af25842c213b9c08634f6d3a45cec312dff56bd8f68d4b65e90c842de54

  • C:\Windows\SysWOW64\knkvosfu.exe

    Filesize

    381KB

    MD5

    9995d2f692a7f3e60a4351dc09ec453a

    SHA1

    33fdc4cfe7ff49bde1159a522dcab09c7ca462a2

    SHA256

    c00a5fccf496864b0af740e8aa89ebc17eeaf4165f81f533bc84925eb7960e41

    SHA512

    f714de63f93ba68964d33ad047aec87fafa9639602b3bb118ddaec45e5a65d78d7925cd8204fa4d673b401a7f4cda193950394e546453ce17299decde5423945

  • C:\Windows\SysWOW64\pkviyyzhkzaaq.exe

    Filesize

    466KB

    MD5

    5c8978da67f66039c809318729728cbc

    SHA1

    8f553268746d0636d169c5b9dd85d4debced348a

    SHA256

    146a4be9bca65ceafb21462979bac37b882d7ef40d799b1f7cbfb6abe7643b29

    SHA512

    07c70e9063802ab62e73681b0a3b7d50ac4e7fd35d00c699bc549a5b4d43b65e89a37b4d69d1c41a4ea2df6cb84945469ca2914cf88202325373490c01940b94

  • C:\Windows\SysWOW64\pkviyyzhkzaaq.exe

    Filesize

    385KB

    MD5

    1af7e0b81936176869fc12e85f954d2b

    SHA1

    d32dd2ec067c6b4cdbab051ae8489bf883fc1d02

    SHA256

    ba65ea9edce23dadc4744b353e238001829e6d5cdd50efa76e5e8cf4aa13e0df

    SHA512

    62e595ab43b0772695e2174db8a442969f5b1c83763a39f97bd73178a949a4fda09b562eedc9d3c046db72ee2e1ca025bbd9d07e4fa56ab681f664a4067d0c29

  • C:\Windows\SysWOW64\vugbpulyscsnmbp.exe

    Filesize

    24KB

    MD5

    3853d8b90f81d232abcf861600e5c17c

    SHA1

    dff05514421858dcf8382d0501779c452efcba31

    SHA256

    84c06b69e9531d6e2473b11ad5e83dabbec3fd500bb9e2c54a29a1a1d27abacf

    SHA512

    56bacb24be4fb31048a476baab034a4fb299bd3eb3e63e62191d19abbca6af369a835f89beb1893ca0780ec6a04bb97449aecc23c776c8491888f7c07ef6c027

  • C:\Windows\SysWOW64\vugbpulyscsnmbp.exe

    Filesize

    410KB

    MD5

    32298f5f131ff4e4d0847331f113aba6

    SHA1

    c8ae57715477b340c543aeca6c85cc2b7556a634

    SHA256

    dbef92936a0ca30ed1e46536f22db3d70ccb448eb63ab01b8d2b10953bfda559

    SHA512

    2a2fc47a638ab2041532a5798d257f8abfb0f389cbf46ab397edb593b57d0484ba2f71b0b3b48fb3f91efca357f36da85bb37c84a0beaf51b61559fe5c797b81

  • C:\Windows\SysWOW64\vugbpulyscsnmbp.exe

    Filesize

    512KB

    MD5

    ce762988d8809c3c94c9cfcd8ab23702

    SHA1

    3c412852377fd5583c2e127df1553f938579238a

    SHA256

    ec80302fe06b760dcdfd825ef4528c5048fe06385263c62cfedf5f974cc849ff

    SHA512

    7f6405f428cff482d74575769e7127c7dbcddca861aacafaa310e6a48484779fa9709e56af68e4508c8b0534bbb6d907a7f729b22e8f9d984565d59022f985e4

  • C:\Windows\SysWOW64\ztdcyywuec.exe

    Filesize

    381KB

    MD5

    6b4db2d51a6d07abb195937bd9f737c0

    SHA1

    50332fe1f7a59d3e57fbb1cd7e6e7eae68f61a4b

    SHA256

    370bbbe0b65ceeabb7f27fc734efdc19aaad52252d2608e2ca22790de76cc3a3

    SHA512

    6d50a59a932e00fa276cccb6fa3945f7c8f419fed7f44aac41cef2cfa650a97e79dc233c3402a95c7cf49ff28b82cdf50a3dc55480d4363dc2147918f43a6a83

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \Windows\SysWOW64\knkvosfu.exe

    Filesize

    512KB

    MD5

    6783c156f9e774efd715396c3938fe9d

    SHA1

    1f4c3a4940ee490522b0dd7c1aff3352708e9d8c

    SHA256

    53b38f59859e615926a292b8f8be42350fe867c238e56a2169e275ce887a7aa1

    SHA512

    0b0b6765c0c465f45a6e776d2de802dfd97b4a2e76164f1446b8ede42ea60a5ab4a61e916a460bdd73d64c778938f652a8bb1d09cdfc076ccd19b4ce85c63149

  • \Windows\SysWOW64\knkvosfu.exe

    Filesize

    383KB

    MD5

    f2da9014910be9007ba05c55c80af761

    SHA1

    50be8400869b37a586679bb7d808f82e83a3861c

    SHA256

    65ac234b58eff0259f20e56ee412763df36a46cbe7275139f6f1b2bb1f94dfa5

    SHA512

    85c6c394768e0f1f99ea8c8fea5c1f5e90c96d41fe5a9ee4e90aa66f3c7d532197ddcac19b64c452a172f0ec6c6cdd6b07add00defaf26204a65297f1dbe5646

  • \Windows\SysWOW64\pkviyyzhkzaaq.exe

    Filesize

    406KB

    MD5

    0b844d949ac46f910ef4aa1642b6b3be

    SHA1

    78840733e1a849c0ca97f11340707d81d1eaa1f4

    SHA256

    b735b0f17607e3ccf1d1b69f3c7b4adf9b5951eeefaa85dfed4e3a2722e81599

    SHA512

    c240c5a797ed52c60dd40ff0d061b220b8aea5755db5d42ce3a4373a3f276f146c5a1fc32cb4fef9030d54cdbe46b2a7f0dfd0f09577f2b61e50bac6a2b7a171

  • \Windows\SysWOW64\vugbpulyscsnmbp.exe

    Filesize

    61KB

    MD5

    410bbed7f087c0724804ea84d51385e4

    SHA1

    4b40bcf8504b2085704484095a8dfd6c20435197

    SHA256

    cc17fac3ea58993d999a130172f661c795aa7b4ecd596b8b4ab4e3cd8c981cd4

    SHA512

    d4af28748c442b1fea3b832e4cd03f44cf153fd07ffd4357018cd233a359412b854a8877e7b4226f2f5832fc4d12c68aa1b29b65028593df1f774691146d6892

  • \Windows\SysWOW64\ztdcyywuec.exe

    Filesize

    512KB

    MD5

    e7f891b01a9a9da2e401eb0939d37657

    SHA1

    55ddb4217a41cf40a7fc29f7bb347a5acc845785

    SHA256

    0eb3708944aafa1c46deb6cb8f7383c1e2ebc94e71110c1f3c98a08ce1378a18

    SHA512

    1923c8170f1585f9f2f66b876585524f21feb1cabbf13fdb3a29f4c29503ac2583b3c19274a8b9690b2845e38c4b42a51ad8c55ae2c0e3f0363a621095a050f3

  • memory/2472-83-0x0000000003F60000-0x0000000003F61000-memory.dmp

    Filesize

    4KB

  • memory/2472-86-0x0000000003F60000-0x0000000003F61000-memory.dmp

    Filesize

    4KB

  • memory/2472-91-0x0000000002700000-0x0000000002710000-memory.dmp

    Filesize

    64KB

  • memory/2580-45-0x000000002F661000-0x000000002F662000-memory.dmp

    Filesize

    4KB

  • memory/2580-52-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2580-53-0x00000000717BD000-0x00000000717C8000-memory.dmp

    Filesize

    44KB

  • memory/2580-84-0x00000000717BD000-0x00000000717C8000-memory.dmp

    Filesize

    44KB

  • memory/2648-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB