Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5

8d7790b628...1b.exe

windows7-x64

10

8d7790b628...1b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    03/02/2024, 22:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8d7790b62884b7833d558c4fa2dfb11b.exe

  • Size

    512KB

  • MD5

    8d7790b62884b7833d558c4fa2dfb11b

  • SHA1

    38799b1de2f350d45a83fe153fffa33f3f322733

  • SHA256

    ed389d561ce8e29e7416fa3005e3bb1b27b9984389564563bb77fcaca8fcbb04

  • SHA512

    e8bf0c6bd48aac54830c7909af01951fb2fd8e5ab8047a4d018d3e119723241de42f028b8936e8551db5ad1093850b5ad971f3115637b9920e1824998537c027

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6x:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5q

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 21 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d7790b62884b7833d558c4fa2dfb11b.exe
    "C:\Users\Admin\AppData\Local\Temp\8d7790b62884b7833d558c4fa2dfb11b.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Windows\SysWOW64\skwucyxncn.exe
      skwucyxncn.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Windows\SysWOW64\yvmefpvt.exe
        C:\Windows\system32\yvmefpvt.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1640
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2888
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2864
      • C:\Windows\SysWOW64\tzwhacaxpuyzy.exe
        tzwhacaxpuyzy.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2948
      • C:\Windows\SysWOW64\yvmefpvt.exe
        yvmefpvt.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2672
      • C:\Windows\SysWOW64\ivarjrchajticuw.exe
        ivarjrchajticuw.exe
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2136

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      4c5c0aa810d29defafbb6703549263fb

      SHA1

      0060cb2bfa7ebdbabd5a123a52f4fe8e7f5b3467

      SHA256

      ee5c2d3217e9b55e9080fc351693e354ccdd2827f7c548d3e1e946ea909ed6ac

      SHA512

      d223161fa09480298292a489c86347301a27e9876e599f03217dadea6f088092d38f1b4900aa9885caab40bf78b0d36e690afead3a1de700766e117891644109

      Download Submit

    • C:\Users\Admin\Documents\ClearSkip.doc.exe
      Filesize

      294KB

      MD5

      1238bf562263cd371c1c14e182fcd21b

      SHA1

      a699921e1a069a854791bf71fe895a232823ca1e

      SHA256

      677a1e58c1cdf0fa4ce101a8ad16f2020d610dff9c421232262a9c7edf9cd6cf

      SHA512

      4a272ddd7f0336f02994e74d093367d101aaf863a3db13eea84e5a09aa9b688bd2e7e38d58a7bb41db9eb1091342489f5cabb78d044b3bb87be14be7fd754984

      Download Submit

    • C:\Users\Admin\Documents\EnablePing.doc.exe
      Filesize

      286KB

      MD5

      f627014e440f70ade918a31c1dd379fd

      SHA1

      0a8296232734c19c73211ec4871c75563a255d10

      SHA256

      7851074c5b7586e5650b6257c934468666cb937fb415fca1200c436abbe98b2f

      SHA512

      f0a1e07a4a7c974170345084f8dcacbf1ce8eec40327a96298fa50b4dcd9a2cd728921ce0ecdd73bb5017f39cf025a7daa5744e5f5cc9182871ceec3663317e7

      Download Submit

    • C:\Users\Admin\Documents\ReadSearch.doc.exe
      Filesize

      96KB

      MD5

      cc727bf87e75e50d52a07aae13046485

      SHA1

      1e3f482c3e5ce033458667b8600f90037a39f88c

      SHA256

      a030d652d6e7aa73d0ee0f3cdc1c4c4de60b34c67e8ad81e9dccaf28e833871b

      SHA512

      a724410143e813afcfba5b3033840a919bc1205f8a9cfbcfc8191d241051f10fa3d11bbaa5beabadb9b4456c717ec541013d42e125216620f2988a0f6acee44e

      Download Submit

    • C:\Windows\SysWOW64\ivarjrchajticuw.exe
      Filesize

      101KB

      MD5

      d0b7bf6e8d38fbe5262f9b092295b194

      SHA1

      efce3b4690abff8bb7fe040918430cd6c0188052

      SHA256

      a40276b67180c09d2aec8777d74fed9fb08ad5ebfba3cf89361950b99be93318

      SHA512

      07a5bc6f790359445a54ecbf9cbd5b08ec536aace980ad68cc32c7ca36eb78b03f0c42de1a40feb9c0f0e08fc7c6606d4631b6e38a28923cd75b67bd074e4754

      Download Submit

    • C:\Windows\SysWOW64\ivarjrchajticuw.exe
      Filesize

      80KB

      MD5

      64db68fe4b42f5608c3d316b698a85af

      SHA1

      cc60ac7af93c29d15db552c2413f0b050cf33e14

      SHA256

      db85e7ff75c6c000dda9acda1bfb0c4d3c4928dd0032850cf38ffe9b99a974db

      SHA512

      3c17c335529c39bb75b8a381c7e0b9cdf33913ea11268414eacc79713fa67625f3fe555b3519061569c37279bf5e734394facd89532dc547fcd2cb7cc76638bf

      Download Submit

    • C:\Windows\SysWOW64\ivarjrchajticuw.exe
      Filesize

      389KB

      MD5

      751e7965e4f2c5295cf54730359b3213

      SHA1

      55209ce4145931501f3ff551836f857dbc03fcf3

      SHA256

      c3c4e37616375ed909206e890548b159e032ae7efe6d051d6243c5de317103dd

      SHA512

      1e77c2a797ed0f5d2231ef5dd67c7c9afe91bd9b8c11fc8d96b6053dc88cc080502a24b4107e66d0040588524a1a32fe455c1608535f069bc90fda107aa8d012

      Download Submit

    • C:\Windows\SysWOW64\skwucyxncn.exe
      Filesize

      320KB

      MD5

      ca8e562ca64214a22778b31a3227c749

      SHA1

      e6e151c6d1bdc315424e94d3702a32b8d7a97c22

      SHA256

      722146d21aa1328bca6d611d71273ff1ded9ede078769952a18516f46446b027

      SHA512

      ad2823f1daae203efb7342e1aa4b7e99daad1d0fa3ffc6173a9d24036996b6c2291ab9f6a65552fc9399f5f6d728faba337c9482697e582ffddbfb489dbd7257

      Download Submit

    • C:\Windows\SysWOW64\skwucyxncn.exe
      Filesize

      168KB

      MD5

      0969fd090631eb1969c9d727cdd6e609

      SHA1

      3392bdd1e1110b4f799b2f15033700083f332006

      SHA256

      2049b7fa60f24026e63af8530b5d33a443103f07ab16d5e0e6bedbcc3074bb67

      SHA512

      d942cd26366288fe376f44f58c4c5a738c9604c673e9cae6fb66a118aa5a12d0a02c573053dec41502f3682818b34049e122d8793638ce9c92fa90979c6042a3

      Download Submit

    • C:\Windows\SysWOW64\tzwhacaxpuyzy.exe
      Filesize

      51KB

      MD5

      7c879a07be75279ab9edb85d30582a70

      SHA1

      36d7199407af862a19614e76ed0aaa62d93b7825

      SHA256

      5f2e64711ca575a5ae71c9040b9f31878a1bb5d55fb90e175c2d68e1ee469043

      SHA512

      064386a01ab7a5e922d94ffa36c98e48e9821dfce81a107ef04b9dba6111fce53c6824a05e8754177e9e17904162d920f61aa54495669fdcb018ca9097e7512c

      Download Submit

    • C:\Windows\SysWOW64\tzwhacaxpuyzy.exe
      Filesize

      183KB

      MD5

      59cb97abbbdc01d72bd04471bb99b0f7

      SHA1

      8cee1324d11394234bebe52c5aeca0790ee6e359

      SHA256

      8c692fffd38409902a54ca4e5eeeb1f95b2e145d0bebfe9fc87ddb88c74727be

      SHA512

      ce0ec26f0760195d65c1a6a165c8869d35ac906bc58903985d11d8c72f0f492419200ee2b28ea7a040d52d4c096f8ae4d3b4369fe357f7132973e0d27e7d055e

      Download Submit

    • C:\Windows\SysWOW64\yvmefpvt.exe
      Filesize

      332KB

      MD5

      e0df8926bb6150d505d0323a6fe16295

      SHA1

      f32333dfe53b94d32821d9edcb10250e735f7d39

      SHA256

      719ef12f73f6085e9480afd0de09e50fa62a8477aa5faf5807cfe56dddf59d03

      SHA512

      4febec4fdd4e7f3834adb7f8ad5cb213539870bea60d64755561d822ec8518236ff2bf890fc377ca48f4420342e2f6d0b839d28fb509ae02c60dc0c885604d16

      Download Submit

    • C:\Windows\SysWOW64\yvmefpvt.exe
      Filesize

      164KB

      MD5

      273cce1c5dfefc6c4bc6c5bc0993808a

      SHA1

      0deab2bf2f3fa8ebfb7ee20f0517350029d47933

      SHA256

      4acabf217d383c363b8b657b97e639fe08cfd25c87dda965d7f7742fc66ac179

      SHA512

      e2a3e46397a3d70ff671fe12d8a2f9d69677bc3fdba8c967769741c50f927733cfa8b4b70690f3ca4913e9618348035f499f6572d2ae71453e5ed4d8b4919341

      Download Submit

    • C:\Windows\SysWOW64\yvmefpvt.exe
      Filesize

      288KB

      MD5

      f2bc30765ca02d0e7feafc4e1b251309

      SHA1

      f0328587b12360a6389e6aa8cb7589b570c9c7bf

      SHA256

      de87462af6370df1fd94bdb1e492c97695db52a6bb43a1a05b2578ec8483d592

      SHA512

      193debdc47b87694d9f91813a5eb4850b376b2e83df88c469c3e17fc4cdb25cd64a7d3c48b0c9abbb214be45f3d5e60309b9e97688e96c38e6b69977e105a831

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • \??\c:\Users\Admin\Documents\ReadSearch.doc.exe
      Filesize

      117KB

      MD5

      d963fc6248a1e92065cf75d0ffea06e0

      SHA1

      a3de7f340f092fa7668c5bb473207fa4ea561708

      SHA256

      4ce0ce1ebab1763a8b8b6bf8a1c2f788582ae4d62514c4aafb8951b7e5917940

      SHA512

      93e3f46fcf3c76149133761064484acf3bfd08be1ac1a16b9d1f55c384c04bb82b2ab8043b31c3710a853b19a9a266b23463ca9bd6b61b4a09cd9ec7043d47c9

      Download Submit

    • \Windows\SysWOW64\ivarjrchajticuw.exe
      Filesize

      343KB

      MD5

      63be45f154ed4e6730ae00feff8033fa

      SHA1

      32f969942e82eef0950ae43fb903a86bfa7a0062

      SHA256

      eaefe1fd763bfb854c27e354f938c61a7f9569f60326c284484d563648b6624e

      SHA512

      185319beeed99cabef1df065a7e7259c26fe035fa02946cc6158b660d68d5311dcc491e815ad1cf4108393af5e59e05925ea222ee89ac612fb9da163975e317e

      Download Submit

    • \Windows\SysWOW64\skwucyxncn.exe
      Filesize

      99KB

      MD5

      7fc6cf931da79ecd4267f22c6a1aefa8

      SHA1

      913682b9a75a4089cc18ec25b28e082916a6b314

      SHA256

      2672445b36639d26c7bcf277704d7f634ea7a6f4eac634027b98fb3f94062487

      SHA512

      272947751145ba29cbfecc6fe73cf5e20cf017c8c436a8af45198499e8b34c5f70215c3d5f21676a2a5de87616e85aa12b5cf0e263d57042e4221f7e12d81eaf

      Download Submit

    • \Windows\SysWOW64\tzwhacaxpuyzy.exe
      Filesize

      201KB

      MD5

      0a74dde1cebf510117a707de33e1a0c1

      SHA1

      8f2afb393132223b4c2c5d0b5810c92aef08cf6f

      SHA256

      27be35e2e7dc7b0548da5205bfcdde20a3f5bef89a6b8b8a487830b673ca3fb7

      SHA512

      2d5a9633b1aefadee12005ad62a248d12de1a0035a775e2c9cfc82c34f06c4a7966403687b38be5e7a8444415881341f8ce3b6c95871357f7115a25202154353

      Download Submit

    • \Windows\SysWOW64\yvmefpvt.exe
      Filesize

      300KB

      MD5

      e1c27a3729ee027b43bd8c6cbbbd12ba

      SHA1

      d3f1736a08d4d5285f692437ee6567d4060839d7

      SHA256

      472a061e96be25d6331ddb621c650dc1eb3dee80d27454b4f21b56cbe91ea690

      SHA512

      fca32ac138cb3c1a453493bc51d7764b4c2d96c88b76f0d4b7434381baddd08d5b6d05ac3caaf96a8b71a6c9691fe3ae3fc30c18d48f9180c2b5af242d38027e

      Download Submit

    • \Windows\SysWOW64\yvmefpvt.exe
      Filesize

      190KB

      MD5

      ceabacf87f41c29b1173f4329aac018d

      SHA1

      63fb4d0fe20fed730bcc23bafba8145dbdfe4ba7

      SHA256

      161392b03fbf434bb932483b1461dc5d7ca8a897c9335b77743bcd278f97df91

      SHA512

      9cbf61e8ea35f525761bcfc976deef375d6a4883bc560b172062a62bb5257a2388fb09a5029b5b777b4dd7db5dec645c02f2fa7671524c61e71149e0f280f86f

      Download Submit

    • memory/1704-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

      Download

    • memory/2888-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2888-47-0x000000007126D000-0x0000000071278000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2888-44-0x000000002F7D1000-0x000000002F7D2000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2888-92-0x000000007126D000-0x0000000071278000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2888-113-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download