Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/02/2024, 07:25

General

  • Target

    969b2dabe6080bc2da7236a0d455ced7.exe

  • Size

    480KB

  • MD5

    969b2dabe6080bc2da7236a0d455ced7

  • SHA1

    f2b4c9c70bbb5e11ec823846ad88a20c235775cd

  • SHA256

    4e7ae8c1b57d2178d7014c18b11a0d9ff1444f07d513ea8fdfa5af7a11f02873

  • SHA512

    1218dab072f3144304196c98f1b3c0494448929b8e6be35d5db88ef3dee0d0c12191f8cf3c94d8287195cde1af9a2a910a230d2e96f987e196e34ba00ae247c0

  • SSDEEP

    6144:Kjg5pk1GS0xX3lPtbNN/DNRgkpiZzjhDQ0oeGF91YVusYJx+9sisyYpFTOOzHTvP:Kg5pBHxXptbN5ZRgOiBjw/C0AWzFjPvP

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • UAC bypass 3 TTPs 13 IoCs
  • Adds policy Run key to start application 2 TTPs 28 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 32 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\969b2dabe6080bc2da7236a0d455ced7.exe
    "C:\Users\Admin\AppData\Local\Temp\969b2dabe6080bc2da7236a0d455ced7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3380
    • C:\Users\Admin\AppData\Local\Temp\flvoztxypvf.exe
      "C:\Users\Admin\AppData\Local\Temp\flvoztxypvf.exe" "c:\users\admin\appdata\local\temp\969b2dabe6080bc2da7236a0d455ced7.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4740
      • C:\Users\Admin\AppData\Local\Temp\aghst.exe
        "C:\Users\Admin\AppData\Local\Temp\aghst.exe" "-C:\Users\Admin\AppData\Local\Temp\xoawiztfqkozomcb.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:4676
      • C:\Users\Admin\AppData\Local\Temp\aghst.exe
        "C:\Users\Admin\AppData\Local\Temp\aghst.exe" "-C:\Users\Admin\AppData\Local\Temp\xoawiztfqkozomcb.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:1788
    • C:\Users\Admin\AppData\Local\Temp\flvoztxypvf.exe
      "C:\Users\Admin\AppData\Local\Temp\flvoztxypvf.exe" "c:\users\admin\appdata\local\temp\969b2dabe6080bc2da7236a0d455ced7.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:456

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\bcyeabfbwaojiqqzsibcye.bfb

    Filesize

    272B

    MD5

    feff38e7c6d0f9bb2b5bc8735c48b0e0

    SHA1

    5b5ec8995f0b96fb4ff895baaf07f064c30cb242

    SHA256

    8bc16cf887859aa3cc8054506da404c371493f285056e3a3d7010b4a8c6cf5b2

    SHA512

    36d76b256c2ac1710db651804c440734734b4dc5d7418a814954f1f99c6079d7fdf2b14ba92b6b404377d06e96d8618dcb424894b177cbc80afe72338c958c73

  • C:\Program Files (x86)\bcyeabfbwaojiqqzsibcye.bfb

    Filesize

    272B

    MD5

    6ffb8c5869abc640e8c5258d04d3b9be

    SHA1

    795e51ff6fa7138bb2bdae143f91581c4281bea1

    SHA256

    2899ed16e4d294eab55ebb81c409b06eb90e45d6e8c0034fc8fb6c5c950f0de3

    SHA512

    8f94482c33ebfcfe136b3f0085e7805abb8b062497a3e8805defbee26f6ebc2658e445d4eecdadc342c14ac4f81088c6060fdda948c326e1463946236947f04e

  • C:\Program Files (x86)\bcyeabfbwaojiqqzsibcye.bfb

    Filesize

    272B

    MD5

    b27704ff7a7a5a7899c717d6ea4b4396

    SHA1

    c3b7257f6209d874d60c84840f734e79088b6351

    SHA256

    b6db702e3e120d70f47441610c4af281068e465fd92ee323801049b75a4c5dbe

    SHA512

    e683b9bafd56870d6535772805e23a8aa25ba95ea3616c676b02a986ec46fb1c5ac48de8228c20de843e4ec6fbdaeee34648fffaa56d2e0a355aaddcb3a6d2bf

  • C:\Program Files (x86)\bcyeabfbwaojiqqzsibcye.bfb

    Filesize

    272B

    MD5

    02232d2f17080f7ceaa7d0bb776b2857

    SHA1

    5b782191662e515fee283d120b2afa21e2716c19

    SHA256

    9997edd491af4e58ef3fa872deae4652624feae5cdc818ebda342446a6a8bb76

    SHA512

    31ee3cbd48775eae49c3216c130e4f5b0941bebcdcd874c8fbc84c0b0c4cb10fafeb9ff8da36dd8901a70a18a661ef0a867f6469a92862fbedfc5ffaf4864e0b

  • C:\Users\Admin\AppData\Local\Temp\aghst.exe

    Filesize

    708KB

    MD5

    9483844ca3cee37db28545d32ac73b01

    SHA1

    43eb3010bf7c5d56695d16815149261bb44a5de6

    SHA256

    8f2a185b59feb6b4b7286a09fc2990e9f387e3f06e0482b7f4fb8d0abd35115c

    SHA512

    1b53b4ccb7552b11de9d38cea20e9ce229c1c0b815d76a8dd14872ff0daa97aca3b426ba4b7b43526a887e473e1f4fcba5d4e33355c3b34ae2806f8a53f58c52

  • C:\Users\Admin\AppData\Local\Temp\flvoztxypvf.exe

    Filesize

    320KB

    MD5

    eb09c682903ecbd87f30b0366e008d8f

    SHA1

    59b0dc27c06ce536327490439a37751a3dbd5e38

    SHA256

    c4b122f7bab30363b472a3dffb8a7c61604c0ec4719ebd233ccbac8be0951be1

    SHA512

    83236c0955b81375666c10445d2cf5e4723b24e42e4ee5fb951f53945483be2fff5c8ef167f08cfad3accc162c61e750bb1039edbf09e26afe18cba2f994eb5d

  • C:\Users\Admin\AppData\Local\bcyeabfbwaojiqqzsibcye.bfb

    Filesize

    272B

    MD5

    cf91d2851a207ea478712b1ca989b97f

    SHA1

    c0bcf03394d4cc25e7e1e7673718d0d1b21cff55

    SHA256

    bafbd877e6ef486dc4753d075e4028df0eabead9c1d1c1608c5ae818d8a4e122

    SHA512

    b1c62a6937debdf331662de7a0fda8854c266da8edafe0256efa8345b40134758fca93cfc330c72e21dd524772630a9a61683e79061655b6535d9979c25b8675

  • C:\Users\Admin\AppData\Local\bcyeabfbwaojiqqzsibcye.bfb

    Filesize

    272B

    MD5

    26545e22851f6c2e97b661d316ec129b

    SHA1

    b9681eae8acafd2f55b07cbd08eb89944de481d1

    SHA256

    f55ded7683438a4cf5e3a8bbaddc2e955a7bc1c6fe174b04b53674252b7ee559

    SHA512

    5072fc09ede84ce879cd5764e2c2e212a803b277d206004cd2972f71ba947255e12aedcf0ed6ab71a4d732f28cb3c6dbf898a760d3c7c1cf51dd23502a7ffca2

  • C:\Users\Admin\AppData\Local\bcyeabfbwaojiqqzsibcye.bfb

    Filesize

    272B

    MD5

    71548b50472335b033448fb32d536481

    SHA1

    6b648daf6cfaf7bfef844f6fc438923ec3a844b1

    SHA256

    977cc7d54ff225ddc0f21a32971256bdf4ef1b6bc63ca39c7a80a84d06ef979b

    SHA512

    3078f4ebb0220b100ac12d87a92f02496e9d8ea7e305e5609e44e035ee1ca3d8ec289ab4a59cddd0e95d7413b8bc074e796a230a43d30191b9438e67dd3cfe7e

  • C:\Users\Admin\AppData\Local\bcyeabfbwaojiqqzsibcye.bfb

    Filesize

    272B

    MD5

    0925dbc4b3487786b0649fae537f34f3

    SHA1

    748762118d1fbe95ae8571cccc6f692070d5db22

    SHA256

    b779ab43d1bb3fa611f3182518216e85e043b729df2ed0729a677d47f2d88bbf

    SHA512

    676606d8825b402535085b523f2118a1131d7507cda4c38205e20033e8dbce967a5f2d6bb15a69143a391f6b3d2e7156599c9c78047c964ea52041086df1a65e

  • C:\Users\Admin\AppData\Local\selcjvkrxmlrbufzdeiubszlahncbhrkv.tuy

    Filesize

    3KB

    MD5

    8e9cb344253dd876fce8776f1bc89c8f

    SHA1

    9ff383d95c60d304d50a6592c8c4111d619a4026

    SHA256

    b6a17459403780ccbfb2247ea28c0ded511fb58c369f53c6b1e5dd01bf6ea313

    SHA512

    c2368fea6acec030e41290dbeeb59ff3efa431a11fa46f5b9828105894051e37468e1471e6e524adaa351b5415a14bea906a65ad459a860579f8ec662a6ef624

  • C:\Windows\SysWOW64\ngusgzvjwsylccuvgo.exe

    Filesize

    480KB

    MD5

    969b2dabe6080bc2da7236a0d455ced7

    SHA1

    f2b4c9c70bbb5e11ec823846ad88a20c235775cd

    SHA256

    4e7ae8c1b57d2178d7014c18b11a0d9ff1444f07d513ea8fdfa5af7a11f02873

    SHA512

    1218dab072f3144304196c98f1b3c0494448929b8e6be35d5db88ef3dee0d0c12191f8cf3c94d8287195cde1af9a2a910a230d2e96f987e196e34ba00ae247c0

  • C:\nwaosbnr.bat

    Filesize

    656KB

    MD5

    7e938de0c77388d16cc8bc8a1188c4db

    SHA1

    c27d1ac13a6dd2056f676e491110f94d19f247e1

    SHA256

    83c73dcf4bd4bed3d1be4afdbc9825df9ea6f4ae7523a6bbb6afbc0a8b2c1f0d

    SHA512

    3bccf9d49fb9c93baa869ccb57dbb83c67a96a925ac7a463c435bf12ec531272f5d0c3a3e208664b91f759506bae036c499e4d3656f5f9122a1153b99a7f855c