Analysis

  • max time kernel
    120s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/10/2024, 21:12

General

  • Target

    eb2087ef1f7f2ba17e2fd823fee9bd3dee7a3b91e51f3b2bd9051d7ab1f5734dN.exe

  • Size

    512KB

  • MD5

    d8f727185707eeac395c1761e2b34320

  • SHA1

    a2779fe447275984460d5139b4cdbd38f69d1fe1

  • SHA256

    eb2087ef1f7f2ba17e2fd823fee9bd3dee7a3b91e51f3b2bd9051d7ab1f5734d

  • SHA512

    08cb5ed658412310e7b65361d7361a057fa131ead5db7389bf581a1ae8f9ebf782c531485c7649b9a8889ab6abfa1486fe8cfe49e86ed0d9e9a1658127250a60

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6G:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5l

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 28 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 24 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 46 IoCs
  • Suspicious use of SendNotifyMessage 37 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb2087ef1f7f2ba17e2fd823fee9bd3dee7a3b91e51f3b2bd9051d7ab1f5734dN.exe
    "C:\Users\Admin\AppData\Local\Temp\eb2087ef1f7f2ba17e2fd823fee9bd3dee7a3b91e51f3b2bd9051d7ab1f5734dN.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Windows\SysWOW64\rkjudjzoux.exe
      rkjudjzoux.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Windows\SysWOW64\mpnqhrlz.exe
        C:\Windows\system32\mpnqhrlz.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2664
    • C:\Windows\SysWOW64\uneylfbfocvdtrh.exe
      uneylfbfocvdtrh.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1848
    • C:\Windows\SysWOW64\mpnqhrlz.exe
      mpnqhrlz.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2788
    • C:\Windows\SysWOW64\iouvmcntvfikl.exe
      iouvmcntvfikl.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2600
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2608
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1840

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

      Filesize

      512KB

      MD5

      1a34e3b21bdd87f805493ae56b91e77e

      SHA1

      5d36fb73d07fefadc02a1076a0f074eb62e6a1ff

      SHA256

      5d711fcc65b7a3f8e5fe371780f23be28b339fad2fb2c1087c6626640b6f0bb2

      SHA512

      0fa660adcdb4d9f3d085789c3e31a8c7751ef12f89ed420d1e96edccf3687ec83e8411e795739508f007fad00c9496f27d322d31ddab60192a6c054e56bd16ca

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      d62e1654b3fdf7ead7c42c05fbdd3d7a

      SHA1

      1bc0b50fb6bb7f9e33584a278be1ed6290dee7ca

      SHA256

      bb65054a354d66fe4038175eea6bb47f2c2875c5ca18124393eb948eb41511cd

      SHA512

      686304e7f1ba9e435a8a3ff25ee38047f4c54cae0c020a5694cc2fd403c4696fd522577e520bcc5f3b989939dd71c359cb7f005c18cd188cce60108ee18ea2aa

    • C:\Program Files\CompareHide.doc.exe

      Filesize

      512KB

      MD5

      0eb8fb565e560245babeb7005fd57d03

      SHA1

      d186b81f49ea80219a277644cb8d2058ae7cb959

      SHA256

      6e740eebb8e45dbcdbd1c4176a51b98aa88f8fc0404d6146c1339541b78f0c7b

      SHA512

      641e093b5bc63e4b82047bf2c6c06845f75b6d02a61b9005f9f449ed0d14bd51c20c6c7a11421432ffc39b85e7c724b2aa7c99287554e5dc710e88d812094c1e

    • C:\Program Files\ExitRequest.doc.exe

      Filesize

      512KB

      MD5

      addfc081edccbd01d7b4b2f3ab4d0e20

      SHA1

      3d9362a1bce50b429bdf269af8e39dd7cf0d7147

      SHA256

      5f7983226f7876ae56e7a5838dd73351b4914a7b4bf704c99587f0e8b4417482

      SHA512

      7b9aa0af28d82c7c0766665417de0d1c0e63a34865427f2c40a93c7a0cdbd3bb5fa5931f927cd9b961efa53361139fc7821bd134c36f7791c4ccbc033362477d

    • C:\Windows\SysWOW64\iouvmcntvfikl.exe

      Filesize

      512KB

      MD5

      4c2ae00be5f6d64c5b71946e4ab7fb7f

      SHA1

      aeeddcf471ff9754e494b1009172c2dc260055f8

      SHA256

      d23e07a9aa8de9460c31110190fe4a03115e8146a4d887e070f8c9bcf3e9cdb1

      SHA512

      36ae295ab9f6708d7c33948887d247069c7d1c680f23922ae2c4d131865622bf5c7717579beff89742bfb025429fab103c3e1f92b2165bf9ba1b8e8e4735b620

    • C:\Windows\SysWOW64\uneylfbfocvdtrh.exe

      Filesize

      512KB

      MD5

      c0ddf1990f9eafdfcb29a2898730fb03

      SHA1

      bcff14490485377f79d13101cbd2dfd5180a73e2

      SHA256

      56a8bc1e17de514557839f06c45669464f1557f1a94f4f0e99bf5fa12eee0545

      SHA512

      977ba6af44ff2a71a6523eaeb182905ede110fe141d4dd1d123d78ad7c148447f1adb0086f1970cd5b67260e3c4990990727ba1a77e58e21433540eeb8caeffe

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\mpnqhrlz.exe

      Filesize

      512KB

      MD5

      311dd2b5450dd6cb640bd542fc454196

      SHA1

      3dcabb7909fa1a147dcd4e8bb723d3c2b9b4fd9a

      SHA256

      04c5dec57809e66464807b2239a8587ec5bcfc1f723f01e1bfd5567e2213586d

      SHA512

      149471b90f8f14209f65bf845af8e49876af9df2e90ea95472b914e44d3a0402f4831937240e46cd5c5ceb1d383fa13046328d53044bb40a3e5515a143fc2899

    • \Windows\SysWOW64\rkjudjzoux.exe

      Filesize

      512KB

      MD5

      613d2e913a0e93fed962d0e763a2241e

      SHA1

      8f2638ff002fd5d1448e76ee7b696ef7d3c83b83

      SHA256

      76b5d6903bf7a1c2509c18703c1d6034cd1bbe7d244493320430252a901ff0ad

      SHA512

      6de9ce643e6507f718ecf958727d851f61ee01f3f0913a56938082e2696c1f513cfa99fcc2a1cb176ab99b5e71ae54f158b2851fecb515e1f34cb3a72b4f0e33

    • memory/1960-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

    • memory/2740-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB