Analysis
- max time kernel: 148s
- max time network: 156s
- platform: windows7_x64
- resource: win7v200430
- submitted: 07/07/2020, 09:52
Static task: static1
Behavioral task: behavioral1
- Sample: stud.exe
- Resource: win7v200430
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: stud.exe
- Resource: win10
- 0 signatures
- 0 seconds
General
- Target: stud.exe
- Size: 755KB
- MD5: 6044900d66376321ad6f237d1b465ecc
- SHA1: 0147db0583256b648680a54573b288f9167cca67
- SHA256: 9099123ab27c467c09e2483339756820e29e6d8cd3d0346305d3873902e4af65
- SHA512: 03fdca6dfdccc2a17abbfb42adfb5a89a5e2a32b9929efde0689da17967db406dd55f057162d2324605254c354130c8b73077fa9bc4bf23053878ffc5f239076
Malware Config
Signatures
- Key created: \Registry\User\S-1-5-21-910373003-3952921535-3480519689-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (process: wlanext.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: Explorer.EXE)

Drops file in Program Files directory (1 IoC)
- File opened for modification: C:\Program Files (x86)\Dnnu0\userdfg8f.exe (process: wlanext.exe)

System policy modification (1 TTP, 1 IoC)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (process: wlanext.exe)

Suspicious use of FindShellTrayWindow (5 IoCs)
- PID 1284 Explorer.EXE (5 occurrences)

Adds Run entry to policy start application (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: wlanext.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\UP-T0HTHUJS = "C:\\Program Files (x86)\\Dnnu0\\userdfg8f.exe" (process: wlanext.exe)

Suspicious use of SetThreadContext (3 IoCs)
- PID 1400 (stud.exe) set thread context of PID 1432 (procid_target 24)
- PID 1432 (stud.exe) set thread context of PID 1284 (procid_target 20)
- PID 480 (wlanext.exe) set thread context of PID 1284 (procid_target 20)

Deletes itself (1 IoC)
- PID 1016 cmd.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SendNotifyMessage (4 IoCs)
- PID 1284 Explorer.EXE (4 occurrences)

Suspicious behavior: EnumeratesProcesses (30 IoCs)
- PID 1400 stud.exe (1 occurrence)
- PID 1432 stud.exe (2 occurrences)
- PID 480 wlanext.exe (27 occurrences)

Suspicious use of WriteProcessMemory (17 IoCs)
- PID 1400 (stud.exe) wrote to memory of PID 1432 (procid_target 24), 4 occurrences
- PID 1284 (Explorer.EXE) wrote to memory of PID 480 (procid_target 25), 4 occurrences
- PID 480 (wlanext.exe) wrote to memory of PID 1016 (procid_target 26), 4 occurrences
- PID 480 (wlanext.exe) wrote to memory of PID 524 (procid_target 31), 5 occurrences

Suspicious behavior: MapViewOfSection (8 IoCs)
- PID 1400 stud.exe (1 occurrence)
- PID 1432 stud.exe (3 occurrences)
- PID 480 wlanext.exe (4 occurrences)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 1432 stud.exe
- Token: SeDebugPrivilege, PID 480 wlanext.exe
Processes
1. C:\Windows\Explorer.EXE (PID 1284)
   Command line: C:\Windows\Explorer.EXE
   - Checks whether UAC is enabled
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\stud.exe (PID 1400)
      Command line: "C:\Users\Admin\AppData\Local\Temp\stud.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: MapViewOfSection
      3. C:\Users\Admin\AppData\Local\Temp\stud.exe (PID 1432)
         Command line: "C:\Users\Admin\AppData\Local\Temp\stud.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\wlanext.exe (PID 480)
      Command line: "C:\Windows\SysWOW64\wlanext.exe"
      - Modifies Internet Explorer settings
      - Drops file in Program Files directory
      - System policy modification
      - Adds Run entry to policy start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\SysWOW64\cmd.exe (PID 1016)
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\stud.exe"
         - Deletes itself
      3. C:\Program Files\Mozilla Firefox\Firefox.exe (PID 524)
         Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"