Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

1985c02243...f3.exe

windows7-x64

7

1985c02243...f3.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    155s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/03/2024, 21:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1985c02243a4a75cf9fef2d3ace08a15709dc2b112ab68d113e054e0ebdfdaf3.exe

  • Size

    225KB

  • MD5

    bbeb014ff76f456cc62ab5128e5846f4

  • SHA1

    83d8f2424e70b3ddb034a335d23ecbd54bd733c7

  • SHA256

    1985c02243a4a75cf9fef2d3ace08a15709dc2b112ab68d113e054e0ebdfdaf3

  • SHA512

    f41937d3b22e9292da384ace6dd574132938d77c864d53dd959368eb3ccc92cf31ab1af4987eab36854623a0abcf371dec61fa7741bbd0cf553dd04adf78ea52

  • SSDEEP

    3072:5YUb5QoJ4g+tknipuH/Zj6Iz1ZdW4SBoC2n+:5YfQ1h6SZI4q

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 11 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 11 IoCs
  • Drops file in System32 directory 23 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1985c02243a4a75cf9fef2d3ace08a15709dc2b112ab68d113e054e0ebdfdaf3.exe
    "C:\Users\Admin\AppData\Local\Temp\1985c02243a4a75cf9fef2d3ace08a15709dc2b112ab68d113e054e0ebdfdaf3.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1836
    • C:\Windows\SysWOW64\wclbxbv.exe
      "C:\Windows\system32\wclbxbv.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\SysWOW64\wvjyydmyh.exe
        "C:\Windows\system32\wvjyydmyh.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:3472
        • C:\Windows\SysWOW64\wrjqbad.exe
          "C:\Windows\system32\wrjqbad.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:3516
          • C:\Windows\SysWOW64\wuumrnbf.exe
            "C:\Windows\system32\wuumrnbf.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:4816
            • C:\Windows\SysWOW64\wkbawufss.exe
              "C:\Windows\system32\wkbawufss.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:4720
              • C:\Windows\SysWOW64\wqvqfkya.exe
                "C:\Windows\system32\wqvqfkya.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:2536
                • C:\Windows\SysWOW64\wic.exe
                  "C:\Windows\system32\wic.exe"
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:3884
                  • C:\Windows\SysWOW64\wdfdxau.exe
                    "C:\Windows\system32\wdfdxau.exe"
                    9⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Suspicious use of WriteProcessMemory
                    PID:1644
                    • C:\Windows\SysWOW64\wfgljbm.exe
                      "C:\Windows\system32\wfgljbm.exe"
                      10⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • Suspicious use of WriteProcessMemory
                      PID:4852
                      • C:\Windows\SysWOW64\wcjxoh.exe
                        "C:\Windows\system32\wcjxoh.exe"
                        11⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Suspicious use of WriteProcessMemory
                        PID:2556
                        • C:\Windows\SysWOW64\wwlpattv.exe
                          "C:\Windows\system32\wwlpattv.exe"
                          12⤵
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          PID:4392
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wcjxoh.exe"
                          12⤵
                            PID:3516
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wfgljbm.exe"
                          11⤵
                            PID:2988
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 1688
                            11⤵
                            • Program crash
                            PID:428
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wdfdxau.exe"
                          10⤵
                            PID:1688
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wic.exe"
                          9⤵
                            PID:2584
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wqvqfkya.exe"
                          8⤵
                            PID:4568
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wkbawufss.exe"
                          7⤵
                            PID:116
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 1344
                            7⤵
                            • Program crash
                            PID:1660
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wuumrnbf.exe"
                          6⤵
                            PID:3656
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1432
                            6⤵
                            • Program crash
                            PID:4516
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wrjqbad.exe"
                          5⤵
                            PID:3384
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wvjyydmyh.exe"
                          4⤵
                            PID:3364
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\system32\cmd.exe" /c del "C:\Windows\system32\wclbxbv.exe"
                          3⤵
                            PID:540
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 1536
                            3⤵
                            • Program crash
                            PID:4268
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\1985c02243a4a75cf9fef2d3ace08a15709dc2b112ab68d113e054e0ebdfdaf3.exe"
                          2⤵
                            PID:3620
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2908 -ip 2908
                          1⤵
                            PID:4912
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4816 -ip 4816
                            1⤵
                              PID:2900
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4720 -ip 4720
                              1⤵
                                PID:1200
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4852 -ip 4852
                                1⤵
                                  PID:2340

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Windows\SysWOW64\wcjxoh.exe
                                  Filesize

                                  225KB

                                  MD5

                                  5c3e20fc897f7be86d4d1eeedbdb7376

                                  SHA1

                                  31f339c53b2e6e1bbc1fec478ee748f1682bce0a

                                  SHA256

                                  a79fd8243032d4ae7abd98b44583fcd8f1df73df5c7180feea97a3e19cd2734d

                                  SHA512

                                  8fb7053c373c342463016f72b749e3975e8f551ddeb63b24236108043af89feb7a0e61c21a2f1aee0bc190e401d3dd303deac38d86b49e525ef002cfcf9b9df1

                                  Download Submit

                                • C:\Windows\SysWOW64\wclbxbv.exe
                                  Filesize

                                  225KB

                                  MD5

                                  482f87341beab2c9e39c9187f12a5a35

                                  SHA1

                                  c40115aaf816a04434c179b757d0eabb5b3723a8

                                  SHA256

                                  83ff9c714e2445e18a3ff987d77a190f298fd30ce74d4555d8c91e1af882ae57

                                  SHA512

                                  553a47570de9680555661b3c7006123da9d37410772e957b420c029509e4769023961ba72ea3f58a531594ddcd7459371c1d50acd9f72ee77a4c5d1208564d20

                                  Download Submit

                                • C:\Windows\SysWOW64\wdfdxau.exe
                                  Filesize

                                  225KB

                                  MD5

                                  9e83d840378e42d4358f38ec3632a8ae

                                  SHA1

                                  544d90f94ace4c1407c107f5a9b7a48c0112307f

                                  SHA256

                                  6b52a738adc8f0fe2d98f8574924a6ef68465b9f9a7c19aa1b1c3aed77660d79

                                  SHA512

                                  8f3118d6ead2b780023b76cb1be279ab2b2a44049f2daa444dcee2a3b107bf67df83a4e43758bf1e612501e207646669501fad4b91ec80d63b87b03ff6681efb

                                  Download Submit

                                • C:\Windows\SysWOW64\wfgljbm.exe
                                  Filesize

                                  225KB

                                  MD5

                                  362d6bcd477b6392e056044cb486797f

                                  SHA1

                                  7ad7ce1b3ec2bcf00c69c39c6c2f8f8f0ba22a67

                                  SHA256

                                  031c822b61459e850345275b69a664fb257439b468e21eae170c7800a6f3745b

                                  SHA512

                                  7617e305d56577b80e1297d18da0b1a71559eb451c3934fc9632e0d9cbf5d060ce0f602ed5b1af1fa19e3416a952f96013603aed87643cb36a9b2413ef541415

                                  Download Submit

                                • C:\Windows\SysWOW64\wic.exe
                                  Filesize

                                  225KB

                                  MD5

                                  b77ff3f5c7cc6cb8cca9509f64716aa9

                                  SHA1

                                  7395a836a49ad346b04d9799a9a84d912a9921e0

                                  SHA256

                                  c3b859e5763976643395a42ea0893629593c48890f824428fbaf7dcc20ae1a91

                                  SHA512

                                  230ad333d0ff79f6733416f21a1d401ecc5df5bb806685acc538753901a8e0008fc66067ef5da70dac184618849b9c541b7033b080f5fa0e7ea554b6394aab9e

                                  Download Submit

                                • C:\Windows\SysWOW64\wkbawufss.exe
                                  Filesize

                                  225KB

                                  MD5

                                  90f8d348d6374348af5b46af43fd2352

                                  SHA1

                                  4f89a259292f06d310f18adc13bcd50bb80b0cea

                                  SHA256

                                  b631c89b5da0a7cf9a249a62e4c9f05a71e8b15b59097cc220ade8eff613ac0e

                                  SHA512

                                  36154216d1f6ecbc7e039f738e27a76aabfc33e2c1f4357c127a3a3428b556badc46f9fe9a61cc35abd93ff861ed40e9beed06f4be0ee1277eb01c24d54b6a46

                                  Download Submit

                                • C:\Windows\SysWOW64\wqvqfkya.exe
                                  Filesize

                                  225KB

                                  MD5

                                  70599a0a44e7f76292362d6045ad8dff

                                  SHA1

                                  82d364e5dfa7b868dfbe0cfbc680b6646d411613

                                  SHA256

                                  17061bc185bc3786a4bdda82a69b3f76deae6499f835d0a852f2d24671899feb

                                  SHA512

                                  7d693c5b256613bd923d9b8b0cf613c11f61fe68d5dcb18b2bb6260941001123d21178d9867e49c82949801178fb8cc097bc153681ebe18a6cfd513efe9847c7

                                  Download Submit

                                • C:\Windows\SysWOW64\wrjqbad.exe
                                  Filesize

                                  225KB

                                  MD5

                                  fbc79b318a57704f5b829d79763aba78

                                  SHA1

                                  16060f72d1056b4fc805c44763cac51f84501b3e

                                  SHA256

                                  774cf1b4f50e5df7648b05884024b402d2df0b3b16effa9009ef092ae5f08993

                                  SHA512

                                  e992ec0fac108ea769be97805a13fed06a61b50f897ac101506d9821aca6af4c62c1e96cee7e37b38c84733dba8c5b1cbcb26f58ea354f4cb2841b533e6be388

                                  Download Submit

                                • C:\Windows\SysWOW64\wuumrnbf.exe
                                  Filesize

                                  225KB

                                  MD5

                                  26a9ca6684c198677aedd022acf2a168

                                  SHA1

                                  aaa74549924228ab34285867dccf2644b9b85e85

                                  SHA256

                                  f9d6caf7209ce0cfc74ac9a0d30f9bbd89e1084877fd22135531efa19fa014f3

                                  SHA512

                                  ce27cf46093f7c871fcb71c01bab2d17167e4333cbb0e2cd58c7c6deee29fef31a6666145662219fafa416b1d3a085763c089abd09cf0229acfffe6ad0449a61

                                  Download Submit

                                • C:\Windows\SysWOW64\wvjyydmyh.exe
                                  Filesize

                                  225KB

                                  MD5

                                  90593f7c886ad55875bce74972c39e12

                                  SHA1

                                  2e726d724820f58299269565d11cb6b88828b6b9

                                  SHA256

                                  d0082c87328050da9bd498aa7bc54e4c4bb744fbbd3a1ad08090baa04269cc37

                                  SHA512

                                  74cfccaede86df80613037a67729be69b1bb368ce995ca24775d16ca3b959408f7f82cb11d515c60a570a4eef351055833d04c71b995913eabb86c1507618a46

                                  Download Submit

                                • C:\Windows\SysWOW64\wwlpattv.exe
                                  Filesize

                                  225KB

                                  MD5

                                  9e1b396f4e34d89db6872315f22f741c

                                  SHA1

                                  0487f7aa01ed55dec27218826ac7c10602b42ad7

                                  SHA256

                                  53142d1970b35c484405b894ca2ef9e5e819ef0ffba96eea03de4fc2ce76d100

                                  SHA512

                                  942f90919bd88b4ecc5f716d939833a79165caeaaa4d0c3236b6947b03095f648e8a979cc2aa10876a5edbf84d76bfc3e0ac5e7a9936edb5977ac7e405d2fcd7

                                  Download Submit

                                • memory/1644-95-0x0000000000400000-0x000000000041E000-memory.dmp

                                  Filesize

                                  120KB

                                  Download

                                • memory/1836-11-0x0000000000400000-0x000000000041E000-memory.dmp

                                  Filesize

                                  120KB

                                  Download

                                • memory/1836-0-0x0000000000400000-0x000000000041E000-memory.dmp

                                  Filesize

                                  120KB

                                  Download

                                • memory/2536-74-0x0000000000400000-0x000000000041E000-memory.dmp

                                  Filesize

                                  120KB

                                  Download

                                • memory/2556-115-0x0000000000400000-0x000000000041E000-memory.dmp

                                  Filesize

                                  120KB

                                  Download

                                • memory/2908-22-0x0000000000400000-0x000000000041E000-memory.dmp

                                  Filesize

                                  120KB

                                  Download

                                • memory/3472-21-0x0000000000400000-0x000000000041E000-memory.dmp

                                  Filesize

                                  120KB

                                  Download

                                • memory/3472-32-0x0000000000400000-0x000000000041E000-memory.dmp

                                  Filesize

                                  120KB

                                  Download

                                • memory/3516-44-0x0000000000400000-0x000000000041E000-memory.dmp

                                  Filesize

                                  120KB

                                  Download

                                • memory/3884-84-0x0000000000400000-0x000000000041E000-memory.dmp

                                  Filesize

                                  120KB

                                  Download

                                • memory/4816-43-0x0000000000400000-0x000000000041E000-memory.dmp

                                  Filesize

                                  120KB

                                  Download

                                • memory/4816-54-0x0000000000400000-0x000000000041E000-memory.dmp

                                  Filesize

                                  120KB

                                  Download

                                • memory/4852-94-0x0000000000400000-0x000000000041E000-memory.dmp

                                  Filesize

                                  120KB

                                  Download

                                • memory/4852-116-0x0000000000400000-0x000000000041E000-memory.dmp

                                  Filesize

                                  120KB

                                  Download