Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
  • submitted
    04/06/2024, 20:22

General

  • Target

    34de2818f6f0aeaeddce9ba8486e411976cb5c3bf8484309f5b23b4c929d6454.exe

  • Size

    484KB

  • MD5

    020047a12b1f54be1a7fb62d2715f1aa

  • SHA1

    91713461fce6a8635291b65bf0af8fbe30eb7c66

  • SHA256

    34de2818f6f0aeaeddce9ba8486e411976cb5c3bf8484309f5b23b4c929d6454

  • SHA512

    00207e74bb8390ca8b15f7a10ef8aa03734a1637abd22539049cba2cc5e3edfcffab8951ba0c5f56927aea098cf5ab4b243dc676d757b022f032a9e2f03c95e0

  • SSDEEP

    12288:QgkDxdkL+6JNgKVcRa+fpHyWs3OBH4pUm:2xsKXa+hHyWseBg/

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • UAC bypass 3 TTPs 13 IoCs
  • Adds policy Run key to start application 2 TTPs 30 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Checks whether UAC is enabled 1 TTPs 8 IoCs
  • Looks up external IP address via web service 8 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 32 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\34de2818f6f0aeaeddce9ba8486e411976cb5c3bf8484309f5b23b4c929d6454.exe
    "C:\Users\Admin\AppData\Local\Temp\34de2818f6f0aeaeddce9ba8486e411976cb5c3bf8484309f5b23b4c929d6454.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:768
    • C:\Users\Admin\AppData\Local\Temp\pptiasubzzd.exe
      "C:\Users\Admin\AppData\Local\Temp\pptiasubzzd.exe" "c:\users\admin\appdata\local\temp\34de2818f6f0aeaeddce9ba8486e411976cb5c3bf8484309f5b23b4c929d6454.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3724
      • C:\Users\Admin\AppData\Local\Temp\jpvdiq.exe
        "C:\Users\Admin\AppData\Local\Temp\jpvdiq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbtiangriydmgda.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System policy modification
        PID:3176
      • C:\Users\Admin\AppData\Local\Temp\jpvdiq.exe
        "C:\Users\Admin\AppData\Local\Temp\jpvdiq.exe" "-C:\Users\Admin\AppData\Local\Temp\vlbtiangriydmgda.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:1604
    • C:\Users\Admin\AppData\Local\Temp\pptiasubzzd.exe
      "C:\Users\Admin\AppData\Local\Temp\pptiasubzzd.exe" "c:\users\admin\appdata\local\temp\34de2818f6f0aeaeddce9ba8486e411976cb5c3bf8484309f5b23b4c929d6454.exe"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System policy modification
      PID:2064

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\ilotvaageildzgqautknqvxcc.gkn

    Filesize

    272B

    MD5

    86de2bc4d4ab6a40a1b4501777979460

    SHA1

    aade39d0b3eb95eeb934b29c26944be187919dce

    SHA256

    43c852712493c3d19e2783f1a753d3d8c179d9d43e75cf6688e94059fc443203

    SHA512

    cc418c83cfbdfc3324018f902186fd46c138b2d141a74780a1e9b3d06b07828c96c5e810f815b564e0c9ebe6a8ce6958707c917eb54630927d611c5ea2ceb3ac

  • C:\Program Files (x86)\ilotvaageildzgqautknqvxcc.gkn

    Filesize

    272B

    MD5

    1ea98f6244e889e280a8eea1c9dfbd97

    SHA1

    693b936653f95d064ca2d4354dc31382724f333f

    SHA256

    24dd4f09fb2f9c26934b9448e55f30df9f4b48ac3b53a2d7fc584cc872e48ac6

    SHA512

    dc59ce2c0608fc05b9c4d1cf62e4271a7bd29313022594fee4302cdef57a9ff106ed93c2d8da0576259bdcd5f7d226e4fdbf371ef1693f13dd6692c89b420d86

  • C:\Program Files (x86)\ilotvaageildzgqautknqvxcc.gkn

    Filesize

    272B

    MD5

    b3bea1724cc32808e83acf515e30f537

    SHA1

    4cca3c9ae1f21b8e83a824132c7181ba7603e9a9

    SHA256

    774577b0af31f753a6be7f7890eef6b950836b5e831e4c67604fa5ed6605c3d0

    SHA512

    d87e8d17fef91e6c154ab75b3f415e146b42774b216f83bd464b5459e79a8c702ffdb80d492302f051d4ed808f0713e18f40e606c8f38870b8b7da064df4e479

  • C:\Users\Admin\AppData\Local\Temp\jpvdiq.exe

    Filesize

    716KB

    MD5

    67569dcb1ccb02589fd2ba405888cb1e

    SHA1

    191d86a0974eb1703f4716670f00fd35b9d59579

    SHA256

    bc3e67d38c48a21a7609acd971d9e5b3e46a941d7a6e6766e09493c2d52219b4

    SHA512

    8b3695107ad72ba001883246d3bc40fde1f8ce791a9d8f745af9faa31ae28c937297ac197965688245c02cd6eb0192a0257c059f3422d6077f6174ba912f0853

  • C:\Users\Admin\AppData\Local\Temp\pptiasubzzd.exe

    Filesize

    320KB

    MD5

    1dd5dd5561723f37ccc81e15ecdbf830

    SHA1

    eeb9131c8d276ceb710d163e89fdc62b3e111971

    SHA256

    c8c542ac3f6526d1501c2b9d6262bfa029a1ac0d9dd6b3c1965977abdd8bd126

    SHA512

    b4881d7cd0c2ceeba067e13d23763e739389108d1269acd6c343dd308aa1fedde89da696a8482944342f44ea1094ea6b50021a15d4c6d03762ba032a9598bba5

  • C:\Users\Admin\AppData\Local\ilotvaageildzgqautknqvxcc.gkn

    Filesize

    272B

    MD5

    cf3c60174dd984a9a972a3589a3b32ee

    SHA1

    e43c594c97552a98072685dc0d7b446e08be4f5f

    SHA256

    6e754a16fa675e560b419047fb05f67a097d50c6e87eff6bfbf5056ea69a2fa3

    SHA512

    0b0fd72a599db6193efdcce2229f5fd54e0d835039c2b8014e4e93627c816120f7a14922715613e6a122a1ed5eeb61efabbdf1deaca07f3b54d1b256e5a43d47

  • C:\Users\Admin\AppData\Local\nbpfsitktiwzgytotdfthxkalclaoryqlglv.lzp

    Filesize

    3KB

    MD5

    e52bac8a71f1f9a3849bac93b9e9b9fe

    SHA1

    4fca40c481593c92d755d17557b2756cacc5255c

    SHA256

    91c7b192c16c088499c8696309235dfff217cee0507f77391708ba9522838d7e

    SHA512

    0e43d7191c5935bf2b0406de27558b71a4a28eb27869572653b7c3f26c158abeabc52a7ff2d4d3018160373bf6ed6b46a78700138dd8e02857e654668950730f

  • C:\Windows\SysWOW64\ldvpgapkxqipawvudr.exe

    Filesize

    484KB

    MD5

    020047a12b1f54be1a7fb62d2715f1aa

    SHA1

    91713461fce6a8635291b65bf0af8fbe30eb7c66

    SHA256

    34de2818f6f0aeaeddce9ba8486e411976cb5c3bf8484309f5b23b4c929d6454

    SHA512

    00207e74bb8390ca8b15f7a10ef8aa03734a1637abd22539049cba2cc5e3edfcffab8951ba0c5f56927aea098cf5ab4b243dc676d757b022f032a9e2f03c95e0