Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/11/2024, 02:13

General

  • Target
    b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7.exe
  • Size
    1016KB
  • MD5
    ee47200f60aa0ffe7e554db291da8a8f
  • SHA1
    a2ab0c657b6045b98aca1befb1fe2ce02ca0ae9e
  • SHA256
    b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7
  • SHA512
    02512eaff12cf835116833bead2006aa14e4f86e65f0225887e5d9e2b7a199849222bd15d50bf269e23646192f7cde45f9cb3746964bb6d3e6d325b4d250d478
  • SSDEEP
    6144:GIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUM:GIXsgtvm1De5YlOx6lzBH46UM

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
  • UAC bypass (3 TTPs, 12 IoCs)
  • Adds policy Run key to start application (2 TTPs, 24 IoCs)
  • Disables RegEdit via registry modification (6 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)
    Looks up the country code configured in the registry, likely a geofence.
  • Executes dropped EXE (3 IoCs)
  • Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
  • Adds Run key to start application (2 TTPs, 64 IoCs)
  • Checks whether UAC is enabled (1 TTPs, 6 IoCs)
  • Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTPs, 3 IoCs)
    Possibly turns off User Account Control's privilege elevation for standard users.
  • Looks up external IP address via web service (6 IoCs)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • Drops autorun.inf file (1 TTPs, 4 IoCs)
    Malware can abuse Windows Autorun to spread further via attached volumes.
  • Drops file in System32 directory (25 IoCs)
  • Drops file in Program Files directory (4 IoCs)
  • Drops file in Windows directory (25 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)
  • System policy modification (1 TTPs, 36 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7.exe
    "C:\Users\Admin\AppData\Local\Temp\b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4440
    • C:\Users\Admin\AppData\Local\Temp\waodwoqjgky.exe
      "C:\Users\Admin\AppData\Local\Temp\waodwoqjgky.exe" "c:\users\admin\appdata\local\temp\b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7.exe*"
      2⤵
      • Modifies WinLogon for persistence
      • UAC bypass
      • Adds policy Run key to start application
      • Disables RegEdit via registry modification
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Hijack Execution Flow: Executable Installer File Permissions Weakness
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2864
      • C:\Users\Admin\AppData\Local\Temp\wimts.exe
        "C:\Users\Admin\AppData\Local\Temp\wimts.exe" "-C:\Users\Admin\AppData\Local\Temp\tqfxhcmaspyrljgn.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • System policy modification
        PID:3944
      • C:\Users\Admin\AppData\Local\Temp\wimts.exe
        "C:\Users\Admin\AppData\Local\Temp\wimts.exe" "-C:\Users\Admin\AppData\Local\Temp\tqfxhcmaspyrljgn.exe"
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Adds policy Run key to start application
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Impair Defenses: Safe Mode Boot
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Hijack Execution Flow: Executable Installer File Permissions Weakness
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:4100

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\wimtscbelxvdmzlhudptazjilse.ktg
    Filesize
    280B
    MD5
    a0591b39d20e7a653b3701243abd8ca8
    SHA1
    e9ffc80bebbe263138ee30059d9ca0f8b5a4a4b0
    SHA256
    5112f8a56512ec617694a9fe3c9c7016cb4d11c1ab5b5c268b6b592a287584bb
    SHA512
    e758a877a10defe887a12f486bfbf4959a9eaeedb499126fb3a2768bdee11d9f022ee73998b18765abf04eaf371a4e0b0d810925b52a6b1fcbda470e45dcec86

  • C:\Program Files (x86)\wimtscbelxvdmzlhudptazjilse.ktg
    Filesize
    280B
    MD5
    497c00be9012d87481dbf82d0842741e
    SHA1
    f83ed665835b65bf4de90b2cb9f3c7f10c2c220e
    SHA256
    cd39dd8fe738e8f7e0012afc932bc11208c5fa4c56d990f3744341b5d680a1f6
    SHA512
    3a6d5a0d7057b7649579efe121024c639512d81b5ab6cf30ab00b0205020214222586b6f9cc35a0f1443ac96bcc8b118a32c0fc5322aca56226256c6c27c0ccb

  • C:\Program Files (x86)\wimtscbelxvdmzlhudptazjilse.ktg
    Filesize
    280B
    MD5
    01c9d47eb01d451fdfe66d14a834f30d
    SHA1
    78db3d73da27eab55fecbc6388f021f72be972b2
    SHA256
    90c8f870539f8659eeb04462e4cd95cea5e4febc0a0a5c0710c80a3f85c291f3
    SHA512
    e9b31c30d14697ad6f45461228a1516d7e2214955275269ae7ab5ef747f6c67d8917de4d9ac85162941a8b775c1628308af5050261570847da2e812dea4f992d

  • C:\Program Files (x86)\wimtscbelxvdmzlhudptazjilse.ktg
    Filesize
    280B
    MD5
    004f855979e405381434b71120a23ab8
    SHA1
    92db07206379a96b777c9a4eb87ad5ecdf69da5d
    SHA256
    a353eb7dd50294da81a094a6a12b16272ac81d3dc7f90dce069541f0d0a92920
    SHA512
    86e243feda239ca8fe74fccd0fbb612ed041888ecf2811be6c3b83d5f4ebff1394c96f677bf2e2947502bf976b7f8dd26aa1ddcfa324b7e072e40a6a77c5fb8d

  • C:\Users\Admin\AppData\Local\Temp\waodwoqjgky.exe
    Filesize
    320KB
    MD5
    e745eec92517153ac2c10d0b1d6bf708
    SHA1
    e66279d8873fdbecc611f0ea238bb59004cf0667
    SHA256
    12f03c1c3e441c2d1acff28ddf8ca0f3469aff59d68af2b5c3d2034911d781d0
    SHA512
    17ebc5cfb619f0bc77c57d67c598d478a0509a1836d3f6edfaba6fe11ee13bca710f77b8535e60e4161619800612c590744082ad7e9e7431bc181b893d2c7a83

  • C:\Users\Admin\AppData\Local\Temp\wimts.exe
    Filesize
    716KB
    MD5
    125463a3e0cf72758315271eb1988124
    SHA1
    13c2c42c00cbafabf05fce88e23ee350fa9be1cb
    SHA256
    6d98f0b072dacbfd3709a32e4a1acea5c05d48ba6595f65dcf5d5c4bfef8253a
    SHA512
    a6a93c59bab9165ef2ac7ac9ff99070a81cefbb6dd4c9bc2b8c1534f6039cb5e7c625fb651e4ac4193919ee89a852553c099e07b8617de967105e66df5b7c86f

  • C:\Users\Admin\AppData\Local\tqfxhcmaspyrljgnlfcrjtoymebkdxvszxrodv.aky
    Filesize
    4KB
    MD5
    dbab3e8ec5834e500574252a3c2cc93c
    SHA1
    822596f71c549197e47461c2a60d2ed7b961c007
    SHA256
    1a58896bef74af65d4804450a73ea23631cda3a7cc02b41e9ad8c9edc52c540f
    SHA512
    b3dc25247e47adb235ffc58fa974c1aac1b5c8ebe9e266db5c66f6de1f4fea600bcd52a0c8b6250e498b9b9d6deddca2743d13c706d2e40cf25e1f6596e8a1bc

  • C:\Users\Admin\AppData\Local\wimtscbelxvdmzlhudptazjilse.ktg
    Filesize
    280B
    MD5
    85074b63a1ec9b5194378d8cf01f7ac2
    SHA1
    fb804c357d0cf14bcc170e30495fe0166c5d4b74
    SHA256
    47b22ece5c941b224052d437614e97f9240f91bad2ae0e203ec17bbf7963e9cf
    SHA512
    d5798cc3c862bf19043a9cb4822c7e22d0f1576bc87eeafc031d521647971d826c8f21e3432b25fb8687954bebc7588df14c1c41d83220b0368db2b83b8a353d

  • C:\Windows\SysWOW64\jiztfcoeyxidzzyhhd.exe
    Filesize
    1016KB
    MD5
    ee47200f60aa0ffe7e554db291da8a8f
    SHA1
    a2ab0c657b6045b98aca1befb1fe2ce02ca0ae9e
    SHA256
    b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7
    SHA512
    02512eaff12cf835116833bead2006aa14e4f86e65f0225887e5d9e2b7a199849222bd15d50bf269e23646192f7cde45f9cb3746964bb6d3e6d325b4d250d478

  • C:\uioxykl.bat
    Filesize
    468KB
    MD5
    e9202c48f85c173330b6422bf9c89d90
    SHA1
    f0c2ead1405eb564d6f9e1a5ac184c16ff11741b
    SHA256
    871406410f07ce5c0adfff9a9f7a908871af8c27f00e85e020cb8201d06a6b68
    SHA512
    286ece38d8cd065d2f8a516333ea6ab5384b43d66455c2e6afd79db87769ea04481ea787d243d101094a41a03eaa89d7476538621ecd9c8a06cfda3631450e36