Analysis
max time kernel: 140s
max time network: 122s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system
submitted: 19/08/2024, 02:51
Behavioral task: behavioral1
Sample: ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
Resource: win10v2004-20240802-en
General
Target: ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
Size: 839KB
MD5: 803f39a10c4016eac37d86cd4b5e47c9
SHA1: 2f3b456b5d398c45c912a7d7240830114db31572
SHA256: ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42
SHA512: cf4354345c612c56e2aac2719199fdeddda8f8c98556280aede08a40601fbda46d87a05ec96bbaa2bb06ee120a77adacc3ce87b82eb85607d23a7cf83696b932
SSDEEP: 12288:E8kxNhOZElO5kkWjhD4AI/GtAtScw3qEKBaGtAtScw3qEKB:7qEkfFP145J145
Malware Config
(none)

Signatures

Executes dropped EXE (1 IoC)
- PID 2916, process JVRZX.EXE

Loads dropped DLL (2 IoCs)
- PID 2108, process ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
- PID 2108, process ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
Modifies system executable filetype association (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command (process: JVRZX.EXE)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files\\ACKP.EXE \"%1\" %*" (process: JVRZX.EXE)
YARA rule matches (rule: upx)
- behavioral1/memory/2108-0-0x0000000000400000-0x0000000000470000-memory.dmp
- behavioral1/files/0x00080000000164cf-10.dat
- behavioral1/files/0x000a000000012029-20.dat
- behavioral1/memory/2108-22-0x0000000000350000-0x00000000003C0000-memory.dmp
- behavioral1/memory/2108-29-0x0000000000400000-0x0000000000470000-memory.dmp
- behavioral1/memory/2916-30-0x0000000000400000-0x0000000000470000-memory.dmp
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AOAW.EXE = "C:\\Users\\TCXMUFV.EXE" (process: ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe)
Enumerates connected drives (3 TTPs, 34 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe: \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V: (17 IoCs)
- File opened (read-only) by JVRZX.EXE: \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V: (17 IoCs)
Drops file in Program Files directory (5 IoCs)
- File created: C:\Program Files\IZVN.EXE (process: ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe)
- File opened for modification: C:\Program Files\IZVN.EXE (process: ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe)
- File created: C:\Program Files\ACKP.EXE (process: JVRZX.EXE)
- File created: C:\Program Files (x86)\JVRZX.EXE (process: ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe)
- File opened for modification: C:\Program Files (x86)\JVRZX.EXE (process: ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe)

Drops file in Windows directory (1 IoC)
- File created: C:\Windows\BNSDSCI.EXE (process: ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe)
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: JVRZX.EXE)
Modifies registry class (17 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell (process: ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Program Files\\IZVN.EXE \"%1\" %*" (process: ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command (process: ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file (process: ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command\ = "C:\\Program Files\\IZVN.EXE %1" (process: ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command (process: ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files\\ACKP.EXE \"%1\" %*" (process: JVRZX.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell (process: ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open (process: ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Program Files\\IZVN.EXE \"%1\"" (process: ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command (process: JVRZX.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command (process: ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile (process: ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open (process: ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\BNSDSCI.EXE %1" (process: ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command (process: ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Program Files\\IZVN.EXE %1" (process: ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2916, process JVRZX.EXE

Suspicious use of WriteProcessMemory (4 IoCs)
- PID 2108 (ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe) wrote to memory of PID 2916 (procid_target 30)
- PID 2108 (ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe) wrote to memory of PID 2916 (procid_target 30)
- PID 2108 (ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe) wrote to memory of PID 2916 (procid_target 30)
- PID 2108 (ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe) wrote to memory of PID 2916 (procid_target 30)
Processes

1. C:\Users\Admin\AppData\Local\Temp\ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe"
   PID: 2108
   - Loads dropped DLL
   - Adds Run key to start application
   - Enumerates connected drives
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

2. C:\Program Files (x86)\JVRZX.EXE (process tree depth 2, under PID 2108)
   Command line: "C:\Program Files (x86)\JVRZX.EXE"
   PID: 2916
   - Executes dropped EXE
   - Modifies system executable filetype association
   - Enumerates connected drives
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Change Default File Association (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Change Default File Association (1)
Downloads

1. Filesize: 839KB
   MD5: f3f30a183132353a9276ebfb914998df
   SHA1: 7300d4f3463c7915f87be9b4aee65915c9b08844
   SHA256: df99beebb19643e82afdaea0dc3f6e641bc6f93bba10bacc2c8e1a20691a9f20
   SHA512: 2da08c7fc93dd4e8ed4342355f31c7f8a633030975d44f2615a7d86888937f7477b977cbcc7267928fcb4d386ff02de50a5d4f581323f0ff68da25363cefcae8

2. Filesize: 276B
   MD5: 2b88a9887dc926923d5411848e6ac198
   SHA1: d21b70f60c5fc12621ac1b1f1e4238689e00c25a
   SHA256: 3ee007b010e77aedde465a1ff9e9962624c5b40e902651820318588259a48c22
   SHA512: eac11a6c57ef6471ec10e85ca2cd52f0acf93cc79509cdd17d09d324a5447216c45453c586abd4ad1fb34ea992df109f15aa15d26c2e4cadec80dbf171f43950

3. Filesize: 839KB
   MD5: d2a2ed2af6b3f85e7459552c175f9250
   SHA1: ddc3634193e682f8d9bb2daf19a1ed234df73a94
   SHA256: b364e9999be15f46cdbbfe776cf4e858f11cc46006b4a9504b31696ae500fa18
   SHA512: 0a1bf4cf4441a3bd3dc8ded22e9789dcc7c3dee0ad88f4e236f4d7a514da13047cb8afc49ea2d1ddbc2824414b9d7e48f4ff28d2b5a62859485cc5b035b3b6e7