Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 15/03/2024, 23:09
Static task: static1
Behavioral task: behavioral1
Sample: b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Resource: win10v2004-20240226-en
General
Target: b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Size: 693KB
MD5: 02b75e96d9b1ade54981ac2d077c9aef
SHA1: 76f9d2aa57ef9837dfa94b92463f545dbe4fc8d4
SHA256: b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7
SHA512: e31f6a1e42a9daefbceb986ba2bef96c3db907e99c83c9b23ea806fc2711a6da4685200db751a323c4ae1112b23c4ce2591eed4da6efffd280eb556e1418a3a5
SSDEEP: 12288:l8kxNhOZElO5kkWjhD4AcGsGtAtScw3qEKB:WqEkfFN145
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid | Process
4704 | PVKML.EXE

Modifies system executable filetype association (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | PVKML.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files\\KVMCN.EXE \"%1\" %*" | PVKML.EXE

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WJVPF.EXE = "C:\\Program Files\\WJVPF.EXE" | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe

Enumerates connected drives (3 TTPs, 34 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\R: | PVKML.EXE
File opened (read-only) | \??\M: | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only) | \??\Q: | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only) | \??\E: | PVKML.EXE
File opened (read-only) | \??\I: | PVKML.EXE
File opened (read-only) | \??\N: | PVKML.EXE
File opened (read-only) | \??\L: | PVKML.EXE
File opened (read-only) | \??\T: | PVKML.EXE
File opened (read-only) | \??\E: | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only) | \??\J: | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only) | \??\O: | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only) | \??\U: | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only) | \??\H: | PVKML.EXE
File opened (read-only) | \??\U: | PVKML.EXE
File opened (read-only) | \??\G: | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only) | \??\V: | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only) | \??\M: | PVKML.EXE
File opened (read-only) | \??\P: | PVKML.EXE
File opened (read-only) | \??\S: | PVKML.EXE
File opened (read-only) | \??\I: | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only) | \??\N: | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only) | \??\R: | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only) | \??\S: | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only) | \??\O: | PVKML.EXE
File opened (read-only) | \??\V: | PVKML.EXE
File opened (read-only) | \??\H: | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only) | \??\K: | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only) | \??\J: | PVKML.EXE
File opened (read-only) | \??\L: | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only) | \??\T: | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only) | \??\G: | PVKML.EXE
File opened (read-only) | \??\Q: | PVKML.EXE
File opened (read-only) | \??\P: | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only) | \??\K: | PVKML.EXE

Drops file in Program Files directory (6 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\PVKML.EXE | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File created | C:\Program Files\ILPWM.EXE | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened for modification | C:\Program Files\ILPWM.EXE | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File created | C:\Program Files\WJVPF.EXE | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File created | C:\Program Files\KVMCN.EXE | PVKML.EXE
File created | C:\Program Files (x86)\PVKML.EXE | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe

Modifies registry class (18 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "F:\\$RECYCLE.BIN\\WHNWUYG.EXE \"%1\"" | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files\\KVMCN.EXE \"%1\" %*" | PVKML.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "F:\\$RECYCLE.BIN\\PXSFVCU.EXE \"%1\" %*" | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Program Files\\ILPWM.EXE %1" | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | PVKML.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "F:\\$RECYCLE.BIN\\WHNWUYG.EXE %1" | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command\ = "F:\\$RECYCLE.BIN\\WHNWUYG.EXE %1" | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Program Files\\ILPWM.EXE \"%1\"" | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
4704 | PVKML.EXE

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 1264 wrote to memory of 4704 | 1264 | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe | 87
PID 1264 wrote to memory of 4704 | 1264 | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe | 87
PID 1264 wrote to memory of 4704 | 1264 | b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe | 87
Processes
1. C:\Users\Admin\AppData\Local\Temp\b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe"
   PID: 1264
   - Adds Run key to start application
   - Enumerates connected drives
   - Drops file in Program Files directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

2. C:\Program Files (x86)\PVKML.EXE (child of PID 1264)
   Command line: "C:\Program Files (x86)\PVKML.EXE"
   PID: 4704
   - Executes dropped EXE
   - Modifies system executable filetype association
   - Enumerates connected drives
   - Drops file in Program Files directory
   - Modifies registry class
   - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Change Default File Association (1)
Downloads