Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
  • submitted
    28/01/2024, 12:10

General

  • Target

    7d172f1d232d758347932641bbbf7dcf.exe

  • Size

    512KB

  • MD5

    7d172f1d232d758347932641bbbf7dcf

  • SHA1

    2256a32fd4209fc94e66b7a94c120eea6a054a3a

  • SHA256

    3e359659220833717f4206c8257124ee3d5ae741ec5ee1e643c094c07f2d3d05

  • SHA512

    c963c99b8914efa0020791e0ea32f4ffa714b05a92449269070a017c5d9b6b91205fca6dc051a6323c01e7c4a1780ff8523006d884888bd15c46a53e14095e40

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj69:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5O

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 14 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d172f1d232d758347932641bbbf7dcf.exe
    "C:\Users\Admin\AppData\Local\Temp\7d172f1d232d758347932641bbbf7dcf.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\SysWOW64\jymukgwzza.exe
      jymukgwzza.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Windows\SysWOW64\ymwyhewq.exe
        C:\Windows\system32\ymwyhewq.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:2640
    • C:\Windows\SysWOW64\clvnvdoagrwzkdw.exe
      clvnvdoagrwzkdw.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3036
    • C:\Windows\SysWOW64\ymwyhewq.exe
      ymwyhewq.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2556
    • C:\Windows\SysWOW64\emwubcrcavrmo.exe
      emwubcrcavrmo.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2672
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2496
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:772

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    e449f7cae5d90c20ac41ec7a1cf79799

    SHA1

    4f4339f9f436c96db37316ab0740a83ce4760ec9

    SHA256

    fbb1371b44a911541fdc54b14885c213f7a3ffdf6298476beacfa9d3473b71b0

    SHA512

    6822c90f337032354e1244d19e9a77d941fa708ad40bf0834f61ece5b55674df30a2a08a962d283ea707d0d348591b5e0664a17c19c8ab1a0d5831fa84cff0ec

  • C:\Windows\SysWOW64\clvnvdoagrwzkdw.exe

    Filesize

    307KB

    MD5

    6c78ce2bc1f28e8e292231ee743b5923

    SHA1

    47149b239b982ca4d85bca9189df9040bcc9977d

    SHA256

    1da4bb2717bb1177f8e0970fb0a4e1ac4ee345601c0d3d23032e03246b48aede

    SHA512

    d96ee59d56b56ff48104f0cef5dd922ac51e3f809bbbd74b4b9c173745c3c094e0efbdb4850695517706e9d1fd8056341f09ce1736f3cf7a34960948275b7ab0

  • C:\Windows\SysWOW64\clvnvdoagrwzkdw.exe

    Filesize

    389KB

    MD5

    dbda106623e21f60ea6da27a054a6a13

    SHA1

    9320f67a599835dd84862201dc72fed1ac779611

    SHA256

    ee491d24b01e6b0d6f62b7c819ad66a106c636ade3d71b4188fd2a107085c2b8

    SHA512

    fc174f762f4d28bc6a3262ce0d9b9a190f5092ed9aefe1c4bde33c2d1fbf3f97013072e97dea07b80b540ccfa8232eb2c459e25af70b41bfd802072fb731e169

  • C:\Windows\SysWOW64\clvnvdoagrwzkdw.exe

    Filesize

    512KB

    MD5

    b31feeaf62054e79eeae34112fd5a5aa

    SHA1

    d5228057e00319648ac1a106103a43a137421cc6

    SHA256

    b13cdc33727b7a6265cf818e434fbb9877946acf6af94b5e653c6722b9b493f3

    SHA512

    6e31e4580d5fd07e842e5a901095eeb2f0c01633f0ba88bb5aee7f800866bb26ed98fcab90d8e7666076e5295112a1f5b3ec0b3eab84d7649a1890a55f6b9976

  • C:\Windows\SysWOW64\emwubcrcavrmo.exe

    Filesize

    512KB

    MD5

    0c6a40a215f2c92f196edc0d4346715a

    SHA1

    ec38d10c894dd46be5f9dfbb8b1a753a2619f0a2

    SHA256

    97b7ea70a501a0f3d5eca913d5774925382f409ad42eb59106ea97672c0435fb

    SHA512

    2a7bebe5e4889af1525de0a3dd6a294ad8e8e1408e1b2a4cfec09da5522fe696822fef340d4b696750ce83229990fd4ec1f08b2b962eb7cf8c64cb7fa7e8eb3a

  • C:\Windows\SysWOW64\emwubcrcavrmo.exe

    Filesize

    496KB

    MD5

    18b14c2e0aac4dd3f27b8a63e63c4eb4

    SHA1

    2625d70fc241869261405de95a5bdbd89071d2fd

    SHA256

    e66aeedaa79a3271df1f21318308e18f806daa0656e5fcf1f94ee64e34360588

    SHA512

    cfe6a273d7b2b1f22256be62d2c07fff79ce319a404498b04b176cbca0200b3b87f9a229571f764eaefc73193b8b3ed0da8893e13550a0f4bfaf220494456305

  • C:\Windows\SysWOW64\jymukgwzza.exe

    Filesize

    423KB

    MD5

    522fc5c938ebfc25a35f671e9201e682

    SHA1

    f9e48c74481ded815b4ce03ee6969dc11c52647a

    SHA256

    a3b187b33e7de7a71e8c2e8d67fd243b643915e917755c055a1c5cd41dcc274c

    SHA512

    4a3fc433ba7b383e23cfbb6011f146072ea6b8c3a2b992fd35da07625dd6720f814998590cd882e55c3510cdc6ff0ba8c0b662cf437a3ba6bcc6487c3f128e5e

  • C:\Windows\SysWOW64\ymwyhewq.exe

    Filesize

    494KB

    MD5

    7b1525b3472e00d432603fdf78f96f86

    SHA1

    2136d76b14d442a1c4a11b6eea826dcf62cc6d08

    SHA256

    b62db2be6a1fb49632d6110ef70f37611ec2ea746dadb7b626e27e76f37dc935

    SHA512

    786f8c53cad2d3ec7e0ea40aadce3ca463015a8dcf22b61837e8f4a5a11b1e0cf581811b09bc77a3809cf21d7e402ac860edbd360fbeaa8f49ec3daf4924c621

  • C:\Windows\SysWOW64\ymwyhewq.exe

    Filesize

    350KB

    MD5

    8b3695b3287401eadd4542be6b5c383e

    SHA1

    0410a65d96fe5ca1bbbe204b1144fb368ff9ca50

    SHA256

    2053afe1aa436ee71502c93b6a1864d71c928687b478219f776221788edc2698

    SHA512

    40aca8406669b5b23e657fcc6a3cf8dd3400d93a63e969c20a2d12981ea70a7e4a0041e364198a422184bd0574006642edb47d7bbce5981682106cadf8584e46

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \Windows\SysWOW64\emwubcrcavrmo.exe

    Filesize

    220KB

    MD5

    97067760cfb027e11cf178153156b9ee

    SHA1

    bbb15ab92f2d261ab72a3d7c133daa272d6fad9c

    SHA256

    9f02f1661935d574ccc146ba3903eeb50d6d3c9944d226d287565ff28447af9e

    SHA512

    ee6b91a6b05e79089a7b777ac2073a5c5ed4aaa7781cf06acf4dae7789123439ece138c90ebbe199967ce06a78bb17d586abdea75301076510af60b42b8cc0fe

  • \Windows\SysWOW64\jymukgwzza.exe

    Filesize

    512KB

    MD5

    be5b07a8017248b0fa0475f4e5eb14b9

    SHA1

    2c597657a42494a1262ed052128e7aafffe7c5ca

    SHA256

    ed60b32f80a6e0d809823872e6eb51cde2273861b32357af36687f502922831c

    SHA512

    af5c30a7eda259473f1ca72e5995234537e62aefad5520edd606c6db6f78ba4464b9129a10c2bc1a7288eb7c4b35685f0f130673136be951051ccb63fe5f8840

  • \Windows\SysWOW64\ymwyhewq.exe

    Filesize

    512KB

    MD5

    0ed4ff3270b14c144b6a9af098b30e3d

    SHA1

    d1aec4850ea72466e6f6006dfcd25ff3a0c46412

    SHA256

    bfe89a5648dba7466ea02c199a140c8c29ee875cb36f37a75d81ef9f90d889cd

    SHA512

    6cbac759249b0e9054fdc1974356cc2b9429032c002b934f0135f01d3abcff39ee8ae4fdbc98f880e0abb30c852d067dc8ee1b45665a8f36ef988b1585449c3a

  • \Windows\SysWOW64\ymwyhewq.exe

    Filesize

    334KB

    MD5

    bfdef0bc4988f2d6a89bad4e51a6e5cd

    SHA1

    a405defa990a25591a377ae723fe2f47483e12cb

    SHA256

    5820cf35b1d2c05edd7f3f53630c640c4f8752c7a9dc9640c2a5dd54a00bd4f4

    SHA512

    a3d6669b5de2c52a96907f7745e292236c4709311b5e85f4cfe9c4e7872e7a5d785df357061a492097d5a00f57b8846ce3c26efc2848390c70b553faacdd3fa9

  • memory/772-75-0x00000000043C0000-0x00000000043C1000-memory.dmp

    Filesize

    4KB

  • memory/772-77-0x00000000043C0000-0x00000000043C1000-memory.dmp

    Filesize

    4KB

  • memory/772-83-0x0000000002A40000-0x0000000002A50000-memory.dmp

    Filesize

    64KB

  • memory/2372-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2496-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2496-47-0x000000007130D000-0x0000000071318000-memory.dmp

    Filesize

    44KB

  • memory/2496-45-0x000000002FB81000-0x000000002FB82000-memory.dmp

    Filesize

    4KB

  • memory/2496-76-0x000000007130D000-0x0000000071318000-memory.dmp

    Filesize

    44KB