
Analysis

  • max time kernel: 150s
  • max time network: 125s
  • platform: windows7_x64
  • resource: win7-20231215-en
  • resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted: 27/01/2024, 19:06

General

  • Target: 7b08b4850997162cb775641f8e651d38.exe
  • Size: 512KB
  • MD5: 7b08b4850997162cb775641f8e651d38
  • SHA1: 1e6b1cda9e5485d687e0c8cbcee9e860c133ea86
  • SHA256: 567f54e9750445ceee03431cf67310b5b258d25ba9ac4c686989b56b61b1118a
  • SHA512: 5c2959ce5df916279ca4d3b4e35e9e89b65b0928f925c68fb5c1e1fe39a1d0e68bdf49b797e506872a0297991f8285b19ff8a675bd3612d0b4d22a82edbc6cda
  • SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6p:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5w

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  • Windows security bypass (2 TTPs, 5 IoCs)
  • Disables RegEdit via registry modification (1 IoC)
  • Executes dropped EXE (5 IoCs)
  • Loads dropped DLL (5 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification (2 TTPs, 6 IoCs)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Enumerates connected drives (3 TTPs, 64 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon (2 TTPs, 2 IoCs)
  • AutoIT Executable (9 IoCs)

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory (9 IoCs)
  • Drops file in Program Files directory (14 IoCs)
  • Drops file in Windows directory (5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings (1 TTP, 31 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of FindShellTrayWindow (18 IoCs)
  • Suspicious use of SendNotifyMessage (18 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (28 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b08b4850997162cb775641f8e651d38.exe
    "C:\Users\Admin\AppData\Local\Temp\7b08b4850997162cb775641f8e651d38.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Windows\SysWOW64\fegeeavroo.exe
      fegeeavroo.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\SysWOW64\rhcxmjrp.exe
        C:\Windows\system32\rhcxmjrp.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2684
    • C:\Windows\SysWOW64\riqkqqdzschppai.exe
      riqkqqdzschppai.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3032
    • C:\Windows\SysWOW64\xqlbhxesciugz.exe
      xqlbhxesciugz.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2256
    • C:\Windows\SysWOW64\rhcxmjrp.exe
      rhcxmjrp.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2736
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:1888

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
    Filesize: 512KB
    MD5: cd4c57d9a1e0e86ac5814b1d4a4f9cfb
    SHA1: 29992372050297f9f60792aa247afd0f445fdfbb
    SHA256: d1cf0817e3b3217d019f433850752ba161892c6f59939f7102eab40047d20599
    SHA512: f5f18a47d9a771fec6a696c0bf68e479f4db330226d553f24c790fe9103eb5bebe4a6888091a3de644ef708f15e06507977af13512b17f338007610390cde970

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
    Filesize: 512KB
    MD5: 8210a1e6d63f0a2ece51b0c05a1b9334
    SHA1: 787625d067d42d9896e0a05b94713021989adb11
    SHA256: 0fd4f6e57f0b1e10c54c4a8eb8021032a736e932d5e4788bad7bbdf3922205e5
    SHA512: bdd9f563192afa89d5098f605b524c8945813ab0859e39d428f11546889d12d9e285356bc06e682f8b9044e6fe2c79fb52543fbb8270df0f681519ec985b7cc7

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize: 20KB
    MD5: e98982095f15d1c9e2668b8d895738d0
    SHA1: 0c65301fd7d1e09307bef90ccaf4646b64aa6f94
    SHA256: 8080919a0d6a653c97ea70d5dd90f088cfa2c03db96e834fb6fe237eb51da677
    SHA512: 0280a0a8420f1312c23996da75cf8bad7e10f3abf7585d3dc06802bcf1edaac39a5a293e4fe1cfb143132d99f8740b3589eaf7745deebafdb59c5110de0eda2a

  • C:\Users\Admin\Documents\DebugAssert.doc.exe
    Filesize: 512KB
    MD5: 28b47e2ce385d097513b6235917138a2
    SHA1: 52bd738db83105585fa4aba26c909ed54c9d38fa
    SHA256: 61d509679c902050193ca7e30fc2f8c3b75a53d7f5cc97b0760258037c891b3c
    SHA512: 1dba8775ec36286d350c0417da6c6bffceaae182e8541f07483c9dad767542cd3ad52689b11f9d126cf9b2071f60bb93f19bdb21c99ca5e716b05caa2b1fa9f8

  • C:\Windows\SysWOW64\rhcxmjrp.exe
    Filesize: 512KB
    MD5: 28521a24d09fd4f0177f001e0299c23d
    SHA1: aeaddc371a25772dbe855c779902b0f63dd46082
    SHA256: 5dbc402264c6b8e5d1b4c9575bd7019a2984b2652f8190eb9571b96818f084f2
    SHA512: 07cf620e79224050b7f124d3b84e1c069ad2bbdfecaa82f52c0339836d2da1c7d790f3513fec39f5df67423c06484b3d3fae2912692b54704587e38aa056129a

  • C:\Windows\SysWOW64\riqkqqdzschppai.exe
    Filesize: 512KB
    MD5: 7375cd5a300db782bc21b5fe175e135d
    SHA1: e6842a3618303f7b6487adfcdfe85bc67adee2ca
    SHA256: 3a02aaba49ea4f750747e6b51e4e6c40ceaf7a31754cfa44c63d421306b033b8
    SHA512: 04bf4ace307d4872487fe0412e688024305a14b0fa999cffa3ebb52032b28f7c2c10d2590222aa8a5e637bd7185e3bc88d5b6eade10957be29ca1c9fcdc1fc05

  • C:\Windows\SysWOW64\xqlbhxesciugz.exe
    Filesize: 512KB
    MD5: 72abd75f07a8f9164db208db8c9933df
    SHA1: 5e2ef3c7b297ea25a47a04d02e439aa3c581065b
    SHA256: 0b256c553aeb008977e2d395c6a6cdd6c4dbcc74ca80d2177c68dd12265b9590
    SHA512: 29b0dd58187f3fe18e725367721a8a10e123a5e1ea6b13cbae387a72624ca3fa842da1700caabc6b9f1406fe48836de5d2f3a499adbf7c1a37f6a58181718ead

  • C:\Windows\mydoc.rtf
    Filesize: 223B
    MD5: 06604e5941c126e2e7be02c5cd9f62ec
    SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
    SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
    SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \Windows\SysWOW64\fegeeavroo.exe
    Filesize: 512KB
    MD5: 982fed46df051de9e2541ad899565a4b
    SHA1: fc1b0c3e4d67880f46b073323c5bf9d43681c6d4
    SHA256: 29cfb3670ce0e286d3cab4e4f2f1011a2f17f52ac513bacfbd8825408b0ba674
    SHA512: e474940b82176683fe448523a3fccd060e26c2a829b230ff558d4afcb6cf159f5dcf1a1056cfa5b0f80b162eac8555b75e6fa03b9671a7e830e9a3c513007a42

  • \Windows\SysWOW64\xqlbhxesciugz.exe
    Filesize: 64KB
    MD5: d76d22b81130bc9206c7c947d7a9ea5e
    SHA1: 5956e88a6ec7949ce5a350e21703307d855f34b1
    SHA256: b96acd28ea28c51de470bf63ebbc33a346440fe63e236ab9f092e0cb3035b870
    SHA512: 112f4f23127929556f27e12a7979ebd1536af790c92f8ff7870a5b39470bd02d83fbf1697e7ab3eccebd71c44ae7bfbd1dac9c39fefa6e15a488baf840b8aaf1

  • memory/2076-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize: 600KB

  • memory/2636-46-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB

  • memory/2636-47-0x000000007174D000-0x0000000071758000-memory.dmp
    Filesize: 44KB

  • memory/2636-45-0x000000002F111000-0x000000002F112000-memory.dmp
    Filesize: 4KB

  • memory/2636-83-0x000000007174D000-0x0000000071758000-memory.dmp
    Filesize: 44KB

  • memory/2636-104-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB
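A host-side sweep for what this report describes, added here as an example by the editor and not part of the tria.ge output. It looks for the dropped files from the Downloads section (by path and SHA256) and for the registry state behind the Explorer, RegEdit, Winlogon and Run-key signatures. The report does not print the registry values those signatures matched, so the locations checked (Explorer\Advanced HideFileExt, Hidden and ShowSuperHidden; Policies\System DisableRegistryTools; Winlogon Shell and Userinit; the HKCU and HKLM Run keys) are the standard ones for those behaviours and are an assumption about what was touched. The "Windows security bypass/modification" and "Modifies Internet Explorer settings" signatures are left out because the page gives no detail for them. Run it in an elevated PowerShell on the suspect host; it only reads.

```powershell
# Added example (editor's script, not part of the tria.ge report).
# Read-only sweep of a Windows host for the indicators in this report.
# Assumptions: the registry locations below are the standard ones behind the
# signature names; the report itself does not list the values it matched.

$ErrorActionPreference = 'SilentlyContinue'
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Dropped files and their SHA256 values from the Downloads section.
#    xqlbhxesciugz.exe is listed twice in the report with different hashes,
#    so both are accepted for that path.
$dropped = @{
  'C:\Windows\SysWOW64\fegeeavroo.exe'      = @('29cfb3670ce0e286d3cab4e4f2f1011a2f17f52ac513bacfbd8825408b0ba674')
  'C:\Windows\SysWOW64\rhcxmjrp.exe'        = @('5dbc402264c6b8e5d1b4c9575bd7019a2984b2652f8190eb9571b96818f084f2')
  'C:\Windows\SysWOW64\riqkqqdzschppai.exe' = @('3a02aaba49ea4f750747e6b51e4e6c40ceaf7a31754cfa44c63d421306b033b8')
  'C:\Windows\SysWOW64\xqlbhxesciugz.exe'   = @('0b256c553aeb008977e2d395c6a6cdd6c4dbcc74ca80d2177c68dd12265b9590',
                                                'b96acd28ea28c51de470bf63ebbc33a346440fe63e236ab9f092e0cb3035b870')
  'C:\Windows\mydoc.rtf'                    = @('85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2')
}
foreach ($path in $dropped.Keys) {
  if (-not (Test-Path -LiteralPath $path)) { continue }
  $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
  $note = if ($dropped[$path] -contains $hash) { 'SHA256 matches report' } else { "SHA256 differs: $hash" }
  $findings.Add("dropped file present: $path ($note)")
}

# 2. Executables named like documents, as with DebugAssert.doc.exe and the
#    PROTTPL*.DOC.exe copies written into the Office template directory.
$docRoots = @("$env:USERPROFILE\Documents", "${env:ProgramFiles(x86)}\Microsoft Office")
Get-ChildItem -Path $docRoots -Recurse -File -Filter '*.doc.exe' |
  ForEach-Object { $findings.Add("document-named executable: $($_.FullName)") }

# 3. Explorer view tampering (hidden extensions, hidden/system files).
$adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if ($adv.HideFileExt -eq 1)     { $findings.Add('Explorer: file extensions hidden (HideFileExt=1)') }
if ($adv.Hidden -eq 2)          { $findings.Add('Explorer: hidden files not shown (Hidden=2)') }
if ($adv.ShowSuperHidden -eq 0) { $findings.Add('Explorer: protected system files hidden (ShowSuperHidden=0)') }

# 4. RegEdit disabled through policy.
$pol = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
if ($pol.DisableRegistryTools -ge 1) {
  $findings.Add("registry editor disabled (DisableRegistryTools=$($pol.DisableRegistryTools))")
}

# 5. Winlogon: Shell should be explorer.exe, Userinit the system userinit.exe
#    (default install path assumed).
$wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.Shell -and $wl.Shell -ne 'explorer.exe') { $findings.Add("Winlogon Shell changed: $($wl.Shell)") }
if ($wl.Userinit -and $wl.Userinit -notmatch '^C:\\Windows\\system32\\userinit\.exe,?$') {
  $findings.Add("Winlogon Userinit changed: $($wl.Userinit)")
}

# 6. Run keys pointing at the dropped names or at anything under SysWOW64.
#    The report counts 3 Run-key IoCs but does not print them; matching on
#    the dropped file names is an assumption.
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
  $run = Get-ItemProperty -Path $key
  foreach ($p in $run.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
    if ("$($p.Value)" -match 'fegeeavroo|rhcxmjrp|riqkqqdzschppai|xqlbhxesciugz|SysWOW64\\[^\\]+\.exe') {
      $findings.Add("Run value ${key}\$($p.Name) = $($p.Value)")
    }
  }
}

if ($findings.Count -eq 0) { 'No indicators from this report found on this host.' } else { $findings }
```

Two caveats when reading the output. A SHA256 that differs from the report is still a finding, not a clean result: the page already lists two different hashes for xqlbhxesciugz.exe from one run, so byte-identical copies should not be expected. And the absence of these exact file names does not clear a host, since the names seen in this sandbox run are not guaranteed to be the names used elsewhere; the registry checks and the document-named-executable search do not depend on them.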