Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/01/2024, 18:33

General

  • Target

    781520476d4361be5ce19d1eeaeb3b5f.exe

  • Size

    512KB

  • MD5

    781520476d4361be5ce19d1eeaeb3b5f

  • SHA1

    9e974df0304e65d615a1a7be1c2fb691285350e0

  • SHA256

    c20ea11f0588f74fd9116cdc7f8828130a8120d446f91d9a66fa7603af7f7d9c

  • SHA512

    841c9f7503718ae09e0c9ea515c69b82e20bd023d01cadaba4ed5d89deb12195da7babae293f1f63ee7df622f6e5c04339cb54f5e38d656e3e3b692f64141897

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6d:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5A

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
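The registry locations behind the Explorer-visibility, RegEdit, WinLogon and Run-key signatures above can be checked on a suspect host with the following PowerShell. It is added here as a worked example; it is not part of the Triage report and not code from the sample. The report does not show the exact values the sample wrote, so the value names and Windows defaults used below are the standard ones, and the Authenticode check on Run-key targets is an assumption about what distinguishes a dropped binary from legitimate autostart software.

```powershell
# Added example (not part of the Triage report). Inspects the registry locations behind the
# report's "Disables RegEdit", "Modifies WinLogon", "Adds Run key" and Explorer-visibility
# signatures. Value names and defaults are standard Windows ones, not taken from the report.
# Run in an elevated PowerShell session on the suspect host.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null when the key or value is absent, instead of a terminating error.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Resolve-CommandPath {
    param([string]$Command)
    # "C:\path with spaces\x.exe" /args -> C:\path with spaces\x.exe ; otherwise the first token.
    if ($Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($Command -split '\s+')[0] }
    [Environment]::ExpandEnvironmentVariables($exe)
}

$findings = @()

# 1. RegEdit lockout: DisableRegistryTools is absent (or 0) on a clean host; 1 or 2 blocks regedit.exe.
foreach ($hive in 'HKCU', 'HKLM') {
    $v = Get-RegValue "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System" 'DisableRegistryTools'
    if ($v -eq 1 -or $v -eq 2) { $findings += "[$hive] DisableRegistryTools=$v (regedit blocked)" }
}

# 2. Explorer visibility. Windows 7 defaults: HideFileExt=1, Hidden=2, ShowSuperHidden=0, i.e. the
#    defaults already hide extensions and protected system files. Report the values rather than judge
#    them; what matters is a setting the user had changed that is now back at "hide".
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
foreach ($n in 'HideFileExt', 'Hidden', 'ShowSuperHidden') {
    $findings += "[info] Explorer\Advanced\$n=$(Get-RegValue $adv $n)"
}

# 3. WinLogon: the stock values are 'explorer.exe' and '<SystemRoot>\system32\userinit.exe,' (trailing comma).
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$defaults = @{ Shell = 'explorer.exe'; Userinit = "$env:SystemRoot\system32\userinit.exe," }
foreach ($n in $defaults.Keys) {
    $v = Get-RegValue $wl $n
    if ($v -and $v -ne $defaults[$n]) { $findings += "[HKLM] Winlogon\$n='$v' (default '$($defaults[$n])')" }
}

# 4. Run keys: resolve each command to a file and look at its Authenticode status. The report's dropped
#    executables sit in SysWOW64 under random names; an unsigned file there that a Run entry points at is
#    the lead to pull. Caveat: before PowerShell 5.1, Windows components that are catalog-signed rather
#    than embedded-signed also report NotSigned, so treat Status as a lead, not a verdict. Unqualified
#    commands such as "rundll32.exe x.dll" are reported as missing and need a manual look.
foreach ($hive in 'HKCU', 'HKLM') {
    $props = Get-ItemProperty -Path "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # PSPath, PSParentPath, ... are provider metadata
        $exe = Resolve-CommandPath ([string]$p.Value)
        if (-not $exe) { continue }
        if (-not (Test-Path -LiteralPath $exe)) { $findings += "[$hive] Run\$($p.Name) -> '$exe' (file missing)"; continue }
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') {
            $findings += "[$hive] Run\$($p.Name) -> '$exe' signature=$($sig.Status) size=$((Get-Item -LiteralPath $exe).Length)"
        }
    }
}

$findings
```

The script only reads the registry and files, so it is safe to run on a live host before acquisition; compare the `[info]` Explorer lines against the user's known configuration, since the Windows defaults already hide extensions and system files and a value of 1 there is only meaningful if the user had turned them on.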

Processes

  • C:\Users\Admin\AppData\Local\Temp\781520476d4361be5ce19d1eeaeb3b5f.exe
    "C:\Users\Admin\AppData\Local\Temp\781520476d4361be5ce19d1eeaeb3b5f.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\SysWOW64\icwrooqrea.exe
      icwrooqrea.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\SysWOW64\xhpjrzdj.exe
        C:\Windows\system32\xhpjrzdj.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:2600
    • C:\Windows\SysWOW64\raxqabdprytyefe.exe
      raxqabdprytyefe.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2816
    • C:\Windows\SysWOW64\xhpjrzdj.exe
      xhpjrzdj.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2784
    • C:\Windows\SysWOW64\fjibzyqhbgjbw.exe
      fjibzyqhbgjbw.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2688
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2620
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2948

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    b5d6872921c74c300b4e34b2b952286d

    SHA1

    3322e6c1949744ad310ef73e78d9d89ea2a56e75

    SHA256

    5ba465820e4c10a8d2a8349f48f133c4cc78b3b4eaab6d1714f7f8ecd502811e

    SHA512

    f353293bc32b56b89a83fd3c930dac0ba6b87b95f7c0d08f3515a5741062e43f4a810cf8c0b66bce2ffbed9a25739a6b265a41600728aa0fb003bd3c4af1a4d3

  • C:\Windows\SysWOW64\fjibzyqhbgjbw.exe

    Filesize

    512KB

    MD5

    e9e423cd9a7eee1c65de2907357bf62d

    SHA1

    7758630e80785336b316b34d5b47b67923e4561b

    SHA256

    e449c184e5c1dbc3b12736a479114d83a2156a54912d9471c4cd98c88d8155a0

    SHA512

    be8a509b9f96390cc4df0e77cced6f7508ae2caeece8b24d38196371a1210dff972c3621270c40baa7a2ef334ec1748f2974f693cbff5ea662ccb38c4123f66b

  • C:\Windows\SysWOW64\raxqabdprytyefe.exe

    Filesize

    512KB

    MD5

    cad363018313eb5e6289a43d5bb32fa8

    SHA1

    824a804e34b3af22f10250c84a74ac3c8014d272

    SHA256

    1ad1e83763bdcd2832dd19e3093723bee9cbb02ed3fb4aac10e428a79a9dfb1a

    SHA512

    7195719b2e73d9a5089673c7c6251561459c32d511819e35187e28d42358cce966e949931ccb745f5f2f23c4e38eafd1ff43638833c2781b11ced430eb7632f3

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \Windows\SysWOW64\icwrooqrea.exe

    Filesize

    512KB

    MD5

    7fcdef46d79a96a40ad15d35bc13c3d9

    SHA1

    467ea4b99930a80526b1dc8936c4cbaae002ad1b

    SHA256

    36f710871e2e91b7720dc7d48cefbe012e889128697e7fb3771164323ab95fb1

    SHA512

    6092067dd8013fb9f33b8007f776ff87dd247ddfaa5af349ad7fbf3c880e348bcaea137d2f79b1e20cc79670615e7c1204fb60fe1c4d87a628e87dadebb08ecf

  • \Windows\SysWOW64\xhpjrzdj.exe

    Filesize

    512KB

    MD5

    ec2512f7e94b15c34a2d3a21ac6ee30b

    SHA1

    882e17ffe89bd82ae70872e8fa3d0b3b59634e34

    SHA256

    b9ea08b7956b50a074e514fdf025eb108982528f1c9eecf7662bc2ba109b620b

    SHA512

    6f10ffde2534c4843fa41157c3308e24984e9eddba8ead769fd1ce4e05d6ed52d65bd0c89821514fb611be147ed5168e8402785c935f76d89b10fc561fe73b04

  • memory/2040-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2620-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2620-47-0x000000007182D000-0x0000000071838000-memory.dmp

    Filesize

    44KB

  • memory/2620-45-0x000000002F441000-0x000000002F442000-memory.dmp

    Filesize

    4KB

  • memory/2620-76-0x000000007182D000-0x0000000071838000-memory.dmp

    Filesize

    44KB

  • memory/2948-75-0x0000000003FB0000-0x0000000003FB1000-memory.dmp

    Filesize

    4KB

  • memory/2948-78-0x0000000003FB0000-0x0000000003FB1000-memory.dmp

    Filesize

    4KB

  • memory/2948-83-0x00000000026B0000-0x00000000026C0000-memory.dmp

    Filesize

    64KB
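The paths and SHA256 hashes in the Downloads section above can be turned directly into a host hunt. The following PowerShell is added here as a worked example and is not part of the Triage report or the sample: the path/hash pairs are copied from the report, while the sweep roots, the document-extension list and the seven-day window are assumptions chosen to catch the same pattern under other names.

```powershell
# Added example (not part of the Triage report). Hunts a host for the artefacts in the Downloads
# section: exact path+SHA256 pairs copied from the report, then two sweeps for the same pattern
# under other names. Sweep roots, the extension list and the 7-day window are assumptions.

$iocs = @{
    'C:\Windows\SysWOW64\icwrooqrea.exe'      = '36f710871e2e91b7720dc7d48cefbe012e889128697e7fb3771164323ab95fb1'
    'C:\Windows\SysWOW64\xhpjrzdj.exe'        = 'b9ea08b7956b50a074e514fdf025eb108982528f1c9eecf7662bc2ba109b620b'
    'C:\Windows\SysWOW64\raxqabdprytyefe.exe' = '1ad1e83763bdcd2832dd19e3093723bee9cbb02ed3fb4aac10e428a79a9dfb1a'
    'C:\Windows\SysWOW64\fjibzyqhbgjbw.exe'   = 'e449c184e5c1dbc3b12736a479114d83a2156a54912d9471c4cd98c88d8155a0'
    'C:\Windows\mydoc.rtf'                    = '85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2'
    'C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe' = '5ba465820e4c10a8d2a8349f48f133c4cc78b3b4eaab6d1714f7f8ecd502811e'
}

function Get-Sha256Hex {
    param([string]$Path)
    # .NET directly rather than Get-FileHash, which the PowerShell 2.0 shipped with Windows 7 lacks.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '').ToLower() }
    finally { $fs.Close(); $sha.Clear() }
}

# 1. Exact IoCs. Every dropped executable in the report is 512KB yet no two share a hash, so a file
#    present at a listed path with a different hash is still worth acquiring.
foreach ($path in $iocs.Keys) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $h = Get-Sha256Hex $path
    $verdict = if ($h -eq $iocs[$path]) { 'MATCH  ' } else { 'PRESENT' }
    "$verdict $path  sha256=$h"
}

# 2. Document-named executables (the PROTTPLN.DOC.exe pattern) under Program Files. With file
#    extensions hidden in Explorer, the setting the report's first signature touches, these display
#    as documents.
$docExe = '\.(doc|docx|dot|rtf|xls|xlsx|ppt|pptx|pdf)\.exe$'
$roots  = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $docExe } |
        ForEach-Object { "DOUBLE-EXT $($_.FullName)  $($_.Length) bytes  sha256=$(Get-Sha256Hex $_.FullName)" }
}

# 3. Recently created executables in SysWOW64, where the sample dropped its random-named copies.
#    Creation time is a hunting heuristic, not proof; a patch cycle also creates files here.
$since = (Get-Date).AddDays(-7)
Get-ChildItem -LiteralPath "$env:SystemRoot\SysWOW64" -Filter *.exe -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $since } |
    ForEach-Object { "NEW-IN-SYSWOW64 $($_.FullName)  created $($_.CreationTime)  $($_.Length) bytes  sha256=$(Get-Sha256Hex $_.FullName)" }
```

Run it elevated so SysWOW64 and Program Files are readable in full; hashing every executable under Program Files takes a few minutes, which is why sweep 2 filters on the name before hashing.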