Analysis
- max time kernel: 146s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/02/2024, 14:22
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: a2118c67534664afde234ba2dab7c02e.exe
  Resource: win7-20240221-en
- Behavioral task: behavioral2
  Sample: a2118c67534664afde234ba2dab7c02e.exe
  Resource: win10v2004-20240221-en
General
- Target: a2118c67534664afde234ba2dab7c02e.exe
- Size: 10.2MB
- MD5: a2118c67534664afde234ba2dab7c02e
- SHA1: c398da3954e3d68ba1f05876d867ce57f9efbb34
- SHA256: 79940b2f535b1111facb217b7f3ed439eb91003b345e0e6bc049af42fbbe9b13
- SHA512: cf20f6b7adfe95968ea411a4945f7460e72a234efb541cfd937105f7a8aa03f4ce93f5d09b341e37db65cb23e1f7304aacfe4f5d4ee72bdc5c0c04d2e4dbc79f
- SSDEEP: 24576:UlxdvCcpOKCtBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBv:UlzOR
Malware Config
- Extracted (family: tofsee)
  - defeatwax.ru
  - refabyd.info
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  pid 4532, process netsh.exe
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uwmcdpdo\ImagePath = "C:\\Windows\\SysWOW64\\uwmcdpdo\\yqzherdx.exe" (process: svchost.exe)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation (process: a2118c67534664afde234ba2dab7c02e.exe)
- Deletes itself (1 IoCs)
  pid 680, process svchost.exe
- Executes dropped EXE (1 IoCs)
  pid 3648, process yqzherdx.exe
- Suspicious use of SetThreadContext (1 IoCs)
  PID 3648 set thread context of 680 (pid 3648, process yqzherdx.exe, procid_target 102)
- Launches sc.exe (3 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid 5032, process sc.exe
  pid 720, process sc.exe
  pid 4536, process sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  pid 1696, pid_target 3972, process WerFault.exe, procid_target 83
  pid 916, pid_target 3648, process WerFault.exe, procid_target 99
- Suspicious use of WriteProcessMemory (23 IoCs)
  Columns: description | pid | process | procid_target (identical rows are collapsed with a repeat count)
  PID 3972 wrote to memory of 4372 | 3972 | a2118c67534664afde234ba2dab7c02e.exe | 86 (3 entries)
  PID 3972 wrote to memory of 3300 | 3972 | a2118c67534664afde234ba2dab7c02e.exe | 88 (3 entries)
  PID 3972 wrote to memory of 5032 | 3972 | a2118c67534664afde234ba2dab7c02e.exe | 90 (3 entries)
  PID 3972 wrote to memory of 720 | 3972 | a2118c67534664afde234ba2dab7c02e.exe | 93 (3 entries)
  PID 3972 wrote to memory of 4536 | 3972 | a2118c67534664afde234ba2dab7c02e.exe | 94 (3 entries)
  PID 3972 wrote to memory of 4532 | 3972 | a2118c67534664afde234ba2dab7c02e.exe | 96 (3 entries)
  PID 3648 wrote to memory of 680 | 3648 | yqzherdx.exe | 102 (5 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\a2118c67534664afde234ba2dab7c02e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a2118c67534664afde234ba2dab7c02e.exe"
  PID: 3972
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\uwmcdpdo\
    PID: 4372
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\yqzherdx.exe" C:\Windows\SysWOW64\uwmcdpdo\
    PID: 3300
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create uwmcdpdo binPath= "C:\Windows\SysWOW64\uwmcdpdo\yqzherdx.exe /d\"C:\Users\Admin\AppData\Local\Temp\a2118c67534664afde234ba2dab7c02e.exe\"" type= own start= auto DisplayName= "wifi support"
    PID: 5032
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description uwmcdpdo "wifi internet conection"
    PID: 720
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start uwmcdpdo
    PID: 4536
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    PID: 4532
    Signatures: Modifies Windows Firewall
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1032
    PID: 1696
    Signatures: Program crash
- C:\Windows\SysWOW64\uwmcdpdo\yqzherdx.exe
  Command line: C:\Windows\SysWOW64\uwmcdpdo\yqzherdx.exe /d"C:\Users\Admin\AppData\Local\Temp\a2118c67534664afde234ba2dab7c02e.exe"
  PID: 3648
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    PID: 680
    Signatures: Sets service image path in registry; Deletes itself
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 532
    PID: 916
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3972 -ip 3972
  PID: 3804
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3648 -ip 3648
  PID: 2464
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (2)
    - Windows Service (2)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (2)
    - Windows Service (2)
Downloads
- Filesize: 10.1MB
  MD5: a97009b0aaa919cf37c9d2565249f0f5
  SHA1: e2169995542d3bf300b9be50f4cde800451fa01b
  SHA256: 72a22196f310a3744d04927e159483f39a8207ea991fbf3691f1d65fa16ee9b6
  SHA512: a262971274c82ee1bebdac5b3c2fc56f7d5db2c2f97d2aeaeb4dc2502c22c83e0f8f6396f482eaacf92d0e2c4fe0ea445ce63bbd372c80e2c69633ee8fa23e37
- Filesize: 9.1MB
  MD5: 2bb572540bce396e3fb3ededb000780d
  SHA1: fabe406e422ce93d5607c9bf261f1bf906c902e6
  SHA256: 0ffdedf6f8b5bc4d806b5a7b0440a8dd498ce1ec27c95fd1b70b94df92ac3db8
  SHA512: f44b302e91826f440864c75a60a240114f53483c736aa03efcde61dfd3e6eddff576a08757293d056434ca64e0abab5f026913573da6d9db619008f671c7b2bc