Analysis

max time kernel: 119s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2024, 20:50
Static task: static1

Behavioral task: behavioral1
  Sample: cad9d89a39a1573d40214f23d59b72b03b035eed80a562022fc8dd88800df00eN.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: cad9d89a39a1573d40214f23d59b72b03b035eed80a562022fc8dd88800df00eN.exe
  Resource: win10v2004-20241007-en
General

Target: cad9d89a39a1573d40214f23d59b72b03b035eed80a562022fc8dd88800df00eN.exe
Size: 221KB
MD5: bea46091b01466823436c3f717261ae0
SHA1: cfdbb7ff82b47ff8f076ceb8d0ef5c99f296b73d
SHA256: cad9d89a39a1573d40214f23d59b72b03b035eed80a562022fc8dd88800df00e
SHA512: 5af35259991ee4e2c38f1f4d78531a0dca3e7391c37e4b3988859b04be6362b8926b156bcb57d18cc1041832b20dd34f8c9196402ee6c6c7acd36bf780440a35
SSDEEP: 6144:x2vnAaPNJT3lhZ/8tgt79Jad3vqaFlgi:inAONJJ/CgZ65rX
Malware Config

Signatures

Deletes itself (1 IoCs)
  pid | Process
  4508 | gpkwd.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  4508 | gpkwd.exe
  808 | frzhu.exe

Loads dropped DLL (1 IoCs)
  pid | Process
  808 | frzhu.exe

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SHR = "c:\\Program Files\\uqobf\\frzhu.exe \"c:\\Program Files\\uqobf\\frzhu.dll\",Scheduler" | frzhu.exe

Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\k:, \??\s:, \??\y:, \??\z:, \??\a:, \??\e:, \??\m:, \??\o:, \??\w:, \??\q:, \??\t:, \??\g:, \??\h:, \??\i:, \??\j:, \??\n:, \??\p:, \??\u:, \??\v:, \??\b:, \??\l:, \??\r:, \??\x: (23 drive roots, one IoC each) | frzhu.exe

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description | ioc | Process
  File opened for modification | \??\PHYSICALDRIVE0 | frzhu.exe

Drops file in Program Files directory (4 IoCs)
  description | ioc | Process
  File created | \??\c:\Program Files\uqobf\frzhu.dll | gpkwd.exe
  File created | \??\c:\Program Files\uqobf\frzhu.exe | gpkwd.exe
  File opened for modification | \??\c:\Program Files\uqobf\frzhu.exe | gpkwd.exe
  File opened for modification | \??\c:\Program Files\uqobf | gpkwd.exe

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cad9d89a39a1573d40214f23d59b72b03b035eed80a562022fc8dd88800df00eN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gpkwd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | frzhu.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  2180 | cmd.exe
  1048 | PING.EXE

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | frzhu.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | frzhu.exe

Runs ping.exe (1 TTPs, 1 IoCs)
  pid | Process
  1048 | PING.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  808 | frzhu.exe
  808 | frzhu.exe
  808 | frzhu.exe
  808 | frzhu.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 808 | frzhu.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  4368 | cad9d89a39a1573d40214f23d59b72b03b035eed80a562022fc8dd88800df00eN.exe
  4508 | gpkwd.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 4368 wrote to memory of 2180 | 4368 | cad9d89a39a1573d40214f23d59b72b03b035eed80a562022fc8dd88800df00eN.exe | 86
  PID 4368 wrote to memory of 2180 | 4368 | cad9d89a39a1573d40214f23d59b72b03b035eed80a562022fc8dd88800df00eN.exe | 86
  PID 4368 wrote to memory of 2180 | 4368 | cad9d89a39a1573d40214f23d59b72b03b035eed80a562022fc8dd88800df00eN.exe | 86
  PID 2180 wrote to memory of 1048 | 2180 | cmd.exe | 88
  PID 2180 wrote to memory of 1048 | 2180 | cmd.exe | 88
  PID 2180 wrote to memory of 1048 | 2180 | cmd.exe | 88
  PID 2180 wrote to memory of 4508 | 2180 | cmd.exe | 89
  PID 2180 wrote to memory of 4508 | 2180 | cmd.exe | 89
  PID 2180 wrote to memory of 4508 | 2180 | cmd.exe | 89
  PID 4508 wrote to memory of 808 | 4508 | gpkwd.exe | 90
  PID 4508 wrote to memory of 808 | 4508 | gpkwd.exe | 90
  PID 4508 wrote to memory of 808 | 4508 | gpkwd.exe | 90
Processes

[1] C:\Users\Admin\AppData\Local\Temp\cad9d89a39a1573d40214f23d59b72b03b035eed80a562022fc8dd88800df00eN.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cad9d89a39a1573d40214f23d59b72b03b035eed80a562022fc8dd88800df00eN.exe"
    PID: 4368
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\gpkwd.exe "C:\Users\Admin\AppData\Local\Temp\cad9d89a39a1573d40214f23d59b72b03b035eed80a562022fc8dd88800df00eN.exe"
        PID: 2180
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1 -n 2
            PID: 1048
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe

        [3] C:\Users\Admin\AppData\Local\Temp\gpkwd.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\\gpkwd.exe "C:\Users\Admin\AppData\Local\Temp\cad9d89a39a1573d40214f23d59b72b03b035eed80a562022fc8dd88800df00eN.exe"
            PID: 4508
            - Deletes itself
            - Executes dropped EXE
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] \??\c:\Program Files\uqobf\frzhu.exe
                Command line: "c:\Program Files\uqobf\frzhu.exe" "c:\Program Files\uqobf\frzhu.dll",Scheduler C:\Users\Admin\AppData\Local\Temp\gpkwd.exe
                PID: 808
                - Executes dropped EXE
                - Loads dropped DLL
                - Adds Run key to start application
                - Enumerates connected drives
                - Writes to the Master Boot Record (MBR)
                - System Location Discovery: System Language Discovery
                - Checks processor information in registry
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Pre-OS Boot (1)
    Bootkit (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

Filesize: 60KB
MD5: 889b99c52a60dd49227c5e485a016679
SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Filesize: 221KB
MD5: 166da264ae38d4753e08b3b9d87b3b6b
SHA1: 819c19876fbd585760648617d06d829cc152f830
SHA256: d166ef93af8a764a6263027b66553e98e8542856d9e246f49335e7ab7c79a223
SHA512: f9030095568f19a5547f24a9273164c37b8ac60cde34bace7828d92da95cbbe875ac963989845328d2d01a1b585a15d08ddb7679a98dc162542108f6721f7f2b

Filesize: 184KB
MD5: 8859f0ae4f69bc4049501516bd8c161c
SHA1: 9643d46047ad471ae12ae28b2d7baa734e84c9b2
SHA256: 148721c8f81117bb8ec0b2586d511b771d0dbbc097c1b0d2e2cd2d778aeda872
SHA512: 04e21600eb849eeafbacd0e4252fd4f858654e5782b606f691abee0aec0bab5f43a0e75e79f3a5d0f81af1affa7052fdc86f0e0d911224f01d0a115474e93e6a