Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 159s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/03/2024, 17:09
Static task
- static1
Behavioral task
- behavioral1
  Sample: cbf5e424dc90b592d06e8f30f37c1e6b.exe
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: cbf5e424dc90b592d06e8f30f37c1e6b.exe
  Resource: win10v2004-20240226-en
General
- Target: cbf5e424dc90b592d06e8f30f37c1e6b.exe
- Size: 13.2MB
- MD5: cbf5e424dc90b592d06e8f30f37c1e6b
- SHA1: c036166895f21a873d666560bfd7e7fce142f260
- SHA256: 2e3bb86704384f0a25c46a9b79a7f2ae0168709d3560d94f92acfd51bd6a7637
- SHA512: 0fec8527110f2c75dc3cb6b61a97fe544596f1b1575a6ac025420fa9fdd651c3dc6c4db5dcc4e1bfb8b29d1bde34c3302f2801430a5140dc626edb4f7d0810d6
- SSDEEP: 6144:1KTDS3aiZOTXbKdags2FNxWUWF5zoINm/nu:QMaiZOT+dags21Wts9vu
Malware Config
Extracted
- Family: tofsee
- defeatwax.ru
- refabyd.info
Signatures
- Creates new service(s) (1 TTPs)
- Modifies Windows Firewall (2 TTPs, 2 IoCs)
  pid | Process
  4904 | netsh.exe
  3552 | netsh.exe
- Sets service image path in registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hehwgsdd\ImagePath = "C:\\Windows\\SysWOW64\\hehwgsdd\\rvcgilbn.exe" | svchost.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | cbf5e424dc90b592d06e8f30f37c1e6b.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | eilhtczv.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  4440 | eilhtczv.exe
  412 | rvcgilbn.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tqtisepp = "\"C:\\Users\\Admin\\eilhtczv.exe\"" | cbf5e424dc90b592d06e8f30f37c1e6b.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 412 set thread context of 3744 | 412 | rvcgilbn.exe | 129
- Launches sc.exe (5 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid | Process
  1760 | sc.exe
  2344 | sc.exe
  5108 | sc.exe
  3900 | sc.exe
  1348 | sc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (3 IoCs)
  pid | pid_target | Process | procid_target
  744 | 4776 | WerFault.exe | 95
  4936 | 4440 | WerFault.exe | 113
  112 | 412 | WerFault.exe | 124
- Suspicious use of WriteProcessMemory (38 IoCs)
  description | pid | Process | procid_target | entries
  PID 4776 wrote to memory of 1348 | 4776 | cbf5e424dc90b592d06e8f30f37c1e6b.exe | 101 | 3
  PID 4776 wrote to memory of 4544 | 4776 | cbf5e424dc90b592d06e8f30f37c1e6b.exe | 102 | 3
  PID 4776 wrote to memory of 1760 | 4776 | cbf5e424dc90b592d06e8f30f37c1e6b.exe | 105 | 3
  PID 4776 wrote to memory of 2344 | 4776 | cbf5e424dc90b592d06e8f30f37c1e6b.exe | 107 | 3
  PID 4776 wrote to memory of 5108 | 4776 | cbf5e424dc90b592d06e8f30f37c1e6b.exe | 109 | 3
  PID 4776 wrote to memory of 4904 | 4776 | cbf5e424dc90b592d06e8f30f37c1e6b.exe | 111 | 3
  PID 4776 wrote to memory of 4440 | 4776 | cbf5e424dc90b592d06e8f30f37c1e6b.exe | 113 | 3
  PID 4440 wrote to memory of 4292 | 4440 | eilhtczv.exe | 117 | 3
  PID 4440 wrote to memory of 3900 | 4440 | eilhtczv.exe | 119 | 3
  PID 4440 wrote to memory of 1348 | 4440 | eilhtczv.exe | 122 | 3
  PID 4440 wrote to memory of 3552 | 4440 | eilhtczv.exe | 125 | 3
  PID 412 wrote to memory of 3744 | 412 | rvcgilbn.exe | 129 | 5
Processes
- C:\Users\Admin\AppData\Local\Temp\cbf5e424dc90b592d06e8f30f37c1e6b.exe (PID 4776)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cbf5e424dc90b592d06e8f30f37c1e6b.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1348)
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hehwgsdd\
  - C:\Windows\SysWOW64\cmd.exe (PID 4544)
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\anenfsuo.exe" C:\Windows\SysWOW64\hehwgsdd\
  - C:\Windows\SysWOW64\sc.exe (PID 1760)
    Command line: "C:\Windows\System32\sc.exe" create hehwgsdd binPath= "C:\Windows\SysWOW64\hehwgsdd\anenfsuo.exe /d\"C:\Users\Admin\AppData\Local\Temp\cbf5e424dc90b592d06e8f30f37c1e6b.exe\"" type= own start= auto DisplayName= "wifi support"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 2344)
    Command line: "C:\Windows\System32\sc.exe" description hehwgsdd "wifi internet conection"
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 5108)
    Command line: "C:\Windows\System32\sc.exe" start hehwgsdd
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\netsh.exe (PID 4904)
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Signatures: Modifies Windows Firewall
  - C:\Users\Admin\eilhtczv.exe (PID 4440)
    Command line: "C:\Users\Admin\eilhtczv.exe" /d"C:\Users\Admin\AppData\Local\Temp\cbf5e424dc90b592d06e8f30f37c1e6b.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4292)
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rvcgilbn.exe" C:\Windows\SysWOW64\hehwgsdd\
    - C:\Windows\SysWOW64\sc.exe (PID 3900)
      Command line: "C:\Windows\System32\sc.exe" config hehwgsdd binPath= "C:\Windows\SysWOW64\hehwgsdd\rvcgilbn.exe /d\"C:\Users\Admin\eilhtczv.exe\""
      Signatures: Launches sc.exe
    - C:\Windows\SysWOW64\sc.exe (PID 1348)
      Command line: "C:\Windows\System32\sc.exe" start hehwgsdd
      Signatures: Launches sc.exe
    - C:\Windows\SysWOW64\netsh.exe (PID 3552)
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      Signatures: Modifies Windows Firewall
    - C:\Windows\SysWOW64\WerFault.exe (PID 4936)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 1108
      Signatures: Program crash
  - C:\Windows\SysWOW64\WerFault.exe (PID 744)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 1032
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 3992)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4776 -ip 4776
- C:\Windows\SysWOW64\hehwgsdd\rvcgilbn.exe (PID 412)
  Command line: C:\Windows\SysWOW64\hehwgsdd\rvcgilbn.exe /d"C:\Users\Admin\eilhtczv.exe"
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 3744)
    Command line: svchost.exe
    Signatures: Sets service image path in registry
  - C:\Windows\SysWOW64\WerFault.exe (PID 112)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 520
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 2424)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4440 -ip 4440
- C:\Windows\SysWOW64\WerFault.exe (PID 2304)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 412 -ip 412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 368)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads
- Filesize: 2.9MB
  MD5: e80b444a789b894602d55b0579e8c7a2
  SHA1: 2a13df9f545b847ba91ac221a826e96c704acea9
  SHA256: ac1e645a85310922650931254613c8bd3c152461f41617bf7a2d7d42e95bdfc4
  SHA512: 26a842ee3d3f321b3d887e45f5185a9fda3001b437b4fd59aed8a6da2f2f2df5a30601d4275db88033fabb55a842aa6cd7746038ee4bb9843cd9d9672e84d397
- Filesize: 631KB
  MD5: 6cef15a4194e454834d0872f2cee44b3
  SHA1: 5e06bc9e68d819c57eaf69c1bf6e72bac819f4c7
  SHA256: d74656d24ac3205b894efa14b5c592efe50f84269e13b1b26e9ef8379c713792
  SHA512: 23e259a4e7e60b1dad0adf37e5d003b2b16c9260b60b3b82836bf1bf6ae75e144afb9be7fed2021ee7a50614054331b7f3de81e097005daaab54b19fb0befca9
- Filesize: 2.4MB
  MD5: 52182d0f6f719df3fa5d4264f162b8ec
  SHA1: 14626c6a0c885e2e3831dde39458257897b49327
  SHA256: 889605bc04f4023b99f9894d22bf0fb075869ef5cc9803c9a3deb7756f848d88
  SHA512: 67be1260219675f720a22c7434db75cc46f5d787c90d7a4c94e00825e469d968e0d56886b2094302fdd1d829ca060b8f284233c849ca19ec0d9ae1e8f2158381
- Filesize: 3.6MB
  MD5: 5e527a4c1eecf84e4006e74ee48a2d75
  SHA1: 9362352dbc2159882cd26276e6fed50f21b9d273
  SHA256: f96a362a61b4515c7d3d9fade1caf4ab5ac87cdff1e0fa6005b57b3c7a2dd4b5
  SHA512: 5e3e2eb122526940b721ab6bd105e6ce763c3a0774cd9f3629b7b53972fea225458a03c1f0a24d51e8891fc8143b091712c2800cf6db43b11176d4941255930c
- Filesize: 1.1MB
  MD5: a0f11dacb563af3253a55c1d29998cbe
  SHA1: ae8f674c3cf05aff1f9bd384b2f8301883d0e033
  SHA256: 681e1760e67f195ce0757358b2a3ba7de506f10b8cfa46ba273e1d5e616ade48
  SHA512: 9b2572a8346bcc3490fdd89544e780ab8778a079e77644771e3454d17589072b4f5a65d10241f02a38961c88cb11c7f51e942790c6fcb232a4753d29641bf767