Analysis
- max time kernel: 110s
- max time network: 102s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/08/2024, 07:21
Behavioral task: behavioral1
- Sample: 9f273f59ffaf82c65485ac3ea2108b50N.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 9f273f59ffaf82c65485ac3ea2108b50N.exe
- Resource: win10v2004-20240802-en
General
- Target: 9f273f59ffaf82c65485ac3ea2108b50N.exe
- Size: 1.0MB
- MD5: 9f273f59ffaf82c65485ac3ea2108b50
- SHA1: 459756f0bf0f5fd1008e074439b8faa4114b17a1
- SHA256: 4ac4b8cd40a3955fa6876a1865cd7c56399b26670469d559588799434b43a9b6
- SHA512: 128b15cc0853a0f2a9ef4e97d35d1522674608206a66fc51e17486c2ce489243385059d8aa99bbcaca921826736638c3d76facd97d1a94effc5e46c68ad8b84f
- SSDEEP: 12288:M8kxNhOZElO5kkWjhD4AyCGtAtScw3qEKZGtAtScw3qEKBYGtAtScw3qEK:jqEkfFa1456145v145
Malware Config
Signatures
Executes dropped EXE (1 IoC)
- PID 3784: YPVK.EXE
Modifies system executable filetype association (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command (YPVK.EXE)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\HLWAFL.EXE \"%1\" %*" (YPVK.EXE)
YARA rule matches (rule: upx)
- behavioral2/memory/4852-0-0x0000000000400000-0x0000000000470000-memory.dmp: upx
- behavioral2/files/0x00070000000234b5-10.dat: upx
- behavioral2/files/0x000a00000002346c-21.dat: upx
- behavioral2/memory/4852-24-0x0000000000400000-0x0000000000470000-memory.dmp: upx
- behavioral2/memory/3784-28-0x0000000000400000-0x0000000000470000-memory.dmp: upx
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FCGN.EXE = "C:\\Windows\\XQDDFM.EXE" (9f273f59ffaf82c65485ac3ea2108b50N.exe)
Enumerates connected drives (3 TTPs, 34 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by 9f273f59ffaf82c65485ac3ea2108b50N.exe: \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:
- File opened (read-only) by YPVK.EXE: \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:
Drops file in Program Files directory (4 IoCs)
- File created: C:\Program Files\YPVK.EXE (9f273f59ffaf82c65485ac3ea2108b50N.exe)
- File opened for modification: C:\Program Files\YPVK.EXE (9f273f59ffaf82c65485ac3ea2108b50N.exe)
- File created: C:\Program Files\QEAT.EXE (9f273f59ffaf82c65485ac3ea2108b50N.exe)
- File opened for modification: C:\Program Files\QEAT.EXE (9f273f59ffaf82c65485ac3ea2108b50N.exe)
Drops file in Windows directory (4 IoCs)
- File created: C:\Windows\FBYTEJ.EXE (9f273f59ffaf82c65485ac3ea2108b50N.exe)
- File opened for modification: C:\Windows\FBYTEJ.EXE (9f273f59ffaf82c65485ac3ea2108b50N.exe)
- File created: C:\Windows\XQDDFM.EXE (9f273f59ffaf82c65485ac3ea2108b50N.exe)
- File created: C:\Windows\HLWAFL.EXE (YPVK.EXE)
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (YPVK.EXE)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (9f273f59ffaf82c65485ac3ea2108b50N.exe)
Modifies registry class (18 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Program Files\\QEAT.EXE \"%1\" %*" (9f273f59ffaf82c65485ac3ea2108b50N.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell (9f273f59ffaf82c65485ac3ea2108b50N.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open (9f273f59ffaf82c65485ac3ea2108b50N.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell (9f273f59ffaf82c65485ac3ea2108b50N.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Windows\\FBYTEJ.EXE \"%1\"" (9f273f59ffaf82c65485ac3ea2108b50N.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Program Files\\QEAT.EXE \"%1\"" (9f273f59ffaf82c65485ac3ea2108b50N.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\HLWAFL.EXE \"%1\" %*" (YPVK.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command (YPVK.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open (9f273f59ffaf82c65485ac3ea2108b50N.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command (9f273f59ffaf82c65485ac3ea2108b50N.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Program Files\\YPVK.EXE %1" (9f273f59ffaf82c65485ac3ea2108b50N.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command (9f273f59ffaf82c65485ac3ea2108b50N.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file (9f273f59ffaf82c65485ac3ea2108b50N.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command\ = "C:\\Windows\\FBYTEJ.EXE %1" (9f273f59ffaf82c65485ac3ea2108b50N.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command (9f273f59ffaf82c65485ac3ea2108b50N.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile (9f273f59ffaf82c65485ac3ea2108b50N.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command (9f273f59ffaf82c65485ac3ea2108b50N.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Program Files\\QEAT.EXE %1" (9f273f59ffaf82c65485ac3ea2108b50N.exe)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 3784: YPVK.EXE
Suspicious use of WriteProcessMemory (3 IoCs)
- PID 4852 wrote to memory of 3784; process 9f273f59ffaf82c65485ac3ea2108b50N.exe; procid_target 86
- PID 4852 wrote to memory of 3784; process 9f273f59ffaf82c65485ac3ea2108b50N.exe; procid_target 86
- PID 4852 wrote to memory of 3784; process 9f273f59ffaf82c65485ac3ea2108b50N.exe; procid_target 86
Processes
- C:\Users\Admin\AppData\Local\Temp\9f273f59ffaf82c65485ac3ea2108b50N.exe (PID 4852)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9f273f59ffaf82c65485ac3ea2108b50N.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\YPVK.EXE (PID 3784)
    Command line: "C:\Program Files\YPVK.EXE"
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Enumerates connected drives
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Change Default File Association (1)
Downloads
- Filesize: 1.0MB
  MD5: d5159bb7ac9308ce52dbe386ac7ef4ab
  SHA1: 0f8b6549532aa79c02c8369327f03f445bff5c08
  SHA256: a60b40b16a8279ced256cab6bb772a822de1b38d2bd07d1cba7f78f84a33b41c
  SHA512: 149198bfdaf5fa7b070d12150689db745a0a46d139941715e393b5c0fdd8761dff869fd50591723caf141e8b61f9f88ee8c90ff8623e20106b9bcf620c000079
- Filesize: 1.0MB
  MD5: c60e43e1444972c4371f5f054d68ab76
  SHA1: 07176849afb35a8f797d4c7e18d2322697396990
  SHA256: 52d715ce6e7736ce165ec88bffc659739afd3a9cd779de6ca72f1f1b0d7c2cc0
  SHA512: 193454b0c5efd089bb2c496ca6409c96decd3d5938acb4a008f28e58cd72fc00f3d018bb92724e18eb95637ae971f91d167a24ee299b5012d20e06c3caa3433e
- Filesize: 254B
  MD5: aade3641af5db8c041289386db2f5aca
  SHA1: 85b06788952a8923f90cab1b56ddddcb77674487
  SHA256: 325d6c8375cde875113e4ef6802e1b8becb0d9d6c87d72fe7b9d3208c9800fc2
  SHA512: 8538c20bb4224902d480577e37ccd03d1a4192592c4b6a1bceac908de21899e7049c8b1a233db98c0fb83082dd8e81930e4c2c4a9975c5d5a8ea9ece932e76e3