Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
18/04/2024, 15:27
Static task
static1
Behavioral task
behavioral1
Sample
ec64a708a2b0fc34e2ef40d6b88ccdf695e0abccbd9df574a33ba3a1a4afcaf9.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ec64a708a2b0fc34e2ef40d6b88ccdf695e0abccbd9df574a33ba3a1a4afcaf9.exe
Resource
win10v2004-20240412-en
General
-
Target
ec64a708a2b0fc34e2ef40d6b88ccdf695e0abccbd9df574a33ba3a1a4afcaf9.exe
-
Size
404KB
-
MD5
efc6cb9af265da2f0e216c682efcc0ee
-
SHA1
5e315afad74932c4be924418ca745f23200f1cda
-
SHA256
ec64a708a2b0fc34e2ef40d6b88ccdf695e0abccbd9df574a33ba3a1a4afcaf9
-
SHA512
ba436d1e446540c2213b329ab7c7532dc313f557754ea2695c9238b1c635e27eee57ee2ec0a78f905e30b45849dd30a9d3b1e9f4d75deb0e056161a1f0b5bfc9
-
SSDEEP
6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4:gtRfJcNYFNm8UhlZGse
Malware Config
Signatures
-
Blocklisted process makes network request 10 IoCs
flow pid Process 3 2660 rundll32.exe 5 2660 rundll32.exe 6 2660 rundll32.exe 7 2660 rundll32.exe 8 2660 rundll32.exe 9 2660 rundll32.exe 10 2660 rundll32.exe 11 2660 rundll32.exe 13 2660 rundll32.exe 14 2660 rundll32.exe -
Deletes itself 1 IoCs
pid Process 3016 jgyhut.exe -
Executes dropped EXE 1 IoCs
pid Process 3016 jgyhut.exe -
Loads dropped DLL 6 IoCs
pid Process 2368 cmd.exe 2368 cmd.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\ujuhyhetr\\kdnzp.dll\",Verify" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\y: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\z: rundll32.exe File opened (read-only) \??\a: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2660 rundll32.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File opened for modification \??\c:\Program Files\ujuhyhetr jgyhut.exe File created \??\c:\Program Files\ujuhyhetr\kdnzp.dll jgyhut.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1632 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe 2660 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2660 rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1300 ec64a708a2b0fc34e2ef40d6b88ccdf695e0abccbd9df574a33ba3a1a4afcaf9.exe 3016 jgyhut.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 1300 wrote to memory of 2368 1300 ec64a708a2b0fc34e2ef40d6b88ccdf695e0abccbd9df574a33ba3a1a4afcaf9.exe 28 PID 1300 wrote to memory of 2368 1300 ec64a708a2b0fc34e2ef40d6b88ccdf695e0abccbd9df574a33ba3a1a4afcaf9.exe 28 PID 1300 wrote to memory of 2368 1300 ec64a708a2b0fc34e2ef40d6b88ccdf695e0abccbd9df574a33ba3a1a4afcaf9.exe 28 PID 1300 wrote to memory of 2368 1300 ec64a708a2b0fc34e2ef40d6b88ccdf695e0abccbd9df574a33ba3a1a4afcaf9.exe 28 PID 2368 wrote to memory of 1632 2368 cmd.exe 30 PID 2368 wrote to memory of 1632 2368 cmd.exe 30 PID 2368 wrote to memory of 1632 2368 cmd.exe 30 PID 2368 wrote to memory of 1632 2368 cmd.exe 30 PID 2368 wrote to memory of 3016 2368 cmd.exe 31 PID 2368 wrote to memory of 3016 2368 cmd.exe 31 PID 2368 wrote to memory of 3016 2368 cmd.exe 31 PID 2368 wrote to memory of 3016 2368 cmd.exe 31 PID 3016 wrote to memory of 2660 3016 jgyhut.exe 32 PID 3016 wrote to memory of 2660 3016 jgyhut.exe 32 PID 3016 wrote to memory of 2660 3016 jgyhut.exe 32 PID 3016 wrote to memory of 2660 3016 jgyhut.exe 32 PID 3016 wrote to memory of 2660 3016 jgyhut.exe 32 PID 3016 wrote to memory of 2660 3016 jgyhut.exe 32 PID 3016 wrote to memory of 2660 3016 jgyhut.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\ec64a708a2b0fc34e2ef40d6b88ccdf695e0abccbd9df574a33ba3a1a4afcaf9.exe"C:\Users\Admin\AppData\Local\Temp\ec64a708a2b0fc34e2ef40d6b88ccdf695e0abccbd9df574a33ba3a1a4afcaf9.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\jgyhut.exe "C:\Users\Admin\AppData\Local\Temp\ec64a708a2b0fc34e2ef40d6b88ccdf695e0abccbd9df574a33ba3a1a4afcaf9.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
PID:1632
-
-
C:\Users\Admin\AppData\Local\Temp\jgyhut.exeC:\Users\Admin\AppData\Local\Temp\\jgyhut.exe "C:\Users\Admin\AppData\Local\Temp\ec64a708a2b0fc34e2ef40d6b88ccdf695e0abccbd9df574a33ba3a1a4afcaf9.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\Program Files\ujuhyhetr\kdnzp.dll",Verify C:\Users\Admin\AppData\Local\Temp\jgyhut.exe4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2660
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
228KB
MD543f16d8e7ae36b7a5ab650a427b12c3b
SHA13f939b2cc8451332b9cfe466003a9860e8e6ff24
SHA256ad08b1a16858fb31b4e7d36b501009247742e874e60a868903bdd8a4b31ffcbc
SHA512cd58a65e3d714f7bc0b7ef66180286da53f7a7391e326dcb4485eb4f42e274d0679811508f60b7d09119cc801ee48f3924e75e7956b0d2c338c4fe234c85f2e6
-
Filesize
405KB
MD5ff820002a85ea5701d69e63f2f2dee89
SHA102b08b400817bbf8edad0fed59216a9f0648c5d6
SHA25616987e9abe6eae20a142558355d7e85d366f469d74332b2f9bf96ed44e8d303c
SHA5123e92cc138c0f8da54371fe1bedcee651ed88a29b0a5fd0956a21340fa206ca8e24b56f8f39b726a16c66457d748488cfee2083c39071ffde71bb9a4edbef1aa8