Analysis
  max time kernel:  149s
  max time network: 146s
  platform:         windows10_x64
  resource:         win10
  submitted:        07/07/2020, 09:52
Static task: static1
Behavioral task: behavioral1
  Sample: stud.exe    Resource: win7v200430    0 signatures    0 seconds
Behavioral task: behavioral2
  Sample: stud.exe    Resource: win10          0 signatures    0 seconds
General
  Target: stud.exe
  Size:   755KB
  MD5:    6044900d66376321ad6f237d1b465ecc
  SHA1:   0147db0583256b648680a54573b288f9167cca67
  SHA256: 9099123ab27c467c09e2483339756820e29e6d8cd3d0346305d3873902e4af65
  SHA512: 03fdca6dfdccc2a17abbfb42adfb5a89a5e2a32b9929efde0689da17967db406dd55f057162d2324605254c354130c8b73077fa9bc4bf23053878ffc5f239076
Score: 8/10
Malware Config
Signatures

Drops file in Program Files directory (1 IoC)
  description                   ioc                                                    Process
  File opened for modification  C:\Program Files (x86)\Txdrplnix\hzkdwv_xtyp_rv0.exe  raserver.exe

System policy modification (1 TTP, 1 IoC)
  description  ioc                                                                            Process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  raserver.exe

Adds Run entry to policy start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run  raserver.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\06BXN6XXLXL = "C:\\Program Files (x86)\\Txdrplnix\\hzkdwv_xtyp_rv0.exe"  raserver.exe
  Policies\Explorer\Run is a machine-wide autostart location that sits outside the usual Run/RunOnce keys and is easy to miss in a manual review; the value points at the copy dropped into Program Files (x86) above.

Modifies Internet Explorer settings (1 IoC)
  description  ioc                                                                                                                     Process
  Key created  \Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  raserver.exe
  IntelliForms\Storage2 is where Internet Explorer keeps autocomplete credentials, so this belongs with the browser-data signature further down rather than being a benign settings change.
Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  3008  Explorer.EXE

Suspicious use of WriteProcessMemory (15 IoCs; every write is recorded three times, so five distinct source/target pairs)
  description                       pid   Process       procid_target
  PID 3236 wrote to memory of 3360  3236  stud.exe      67
  PID 3008 wrote to memory of 3848  3008  Explorer.EXE  68
  PID 3848 wrote to memory of 2892  3848  raserver.exe  69
  PID 3848 wrote to memory of 1776  3848  raserver.exe  71
  PID 3848 wrote to memory of 3172  3848  raserver.exe  73

Suspicious behavior: MapViewOfSection (8 IoCs)
  pid   Process       calls
  3236  stud.exe      1
  3360  stud.exe      3
  3848  raserver.exe  4

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process       procid_target
  PID 3236 set thread context of 3360  3236  stud.exe      67
  PID 3360 set thread context of 3008  3360  stud.exe      56
  PID 3848 set thread context of 3008  3848  raserver.exe  56
  The 3236 -> 3360 record pairs WriteProcessMemory with SetThreadContext on a freshly started copy of the sample itself, the classic hollowing pattern. The 3360 -> 3008 and 3848 -> 3008 records set a thread context in Explorer.EXE (procid_target 56) with no WriteProcessMemory into it recorded at all, which is consistent with the MapViewOfSection activity above: the payload is mapped into Explorer as a section rather than written.

Suspicious use of AdjustPrivilegeToken (12 IoCs)
  Token                      pid   Process       calls
  SeDebugPrivilege           3360  stud.exe      1
  SeDebugPrivilege           3848  raserver.exe  1
  SeShutdownPrivilege        3008  Explorer.EXE  5
  SeCreatePagefilePrivilege  3008  Explorer.EXE  5
  SeDebugPrivilege being enabled by both injecting processes is the usual preparation for opening other processes with write and thread-control access.

Suspicious use of SendNotifyMessage (1 IoC)
  pid   Process
  3008  Explorer.EXE
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
  The concrete action behind this signature is visible in the process tree below: raserver.exe copies Chrome's "Login Data" SQLite file to C:\Users\Admin\AppData\Local\Temp\DB1 and starts Firefox.exe.

Suspicious behavior: EnumeratesProcesses (60 IoCs)
  pid   Process       calls
  3236  stud.exe      2
  3360  stud.exe      4
  3848  raserver.exe  54 (remaining records)
Processes

C:\Windows\Explorer.EXE  (PID 3008)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage

  C:\Users\Admin\AppData\Local\Temp\stud.exe  (PID 3236)
    command line: "C:\Users\Admin\AppData\Local\Temp\stud.exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\stud.exe  (PID 3360)
      command line: "C:\Users\Admin\AppData\Local\Temp\stud.exe"
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\raserver.exe  (PID 3848)
    command line: "C:\Windows\SysWOW64\raserver.exe"
    - Drops file in Program Files directory
    - System policy modification
    - Adds Run entry to policy start application
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cmd.exe  (PID 2892)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\stud.exe"

    C:\Windows\SysWOW64\cmd.exe  (PID 1776)
      command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

    C:\Program Files\Mozilla Firefox\Firefox.exe  (PID 3172)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

Reading the tree together with the signatures: raserver.exe (the legitimate Windows Remote Assistance COM server, here the 32-bit SysWOW64 copy) appears as a child of Explorer.EXE rather than of stud.exe. That is consistent with the SetThreadContext record 3360 -> 3008: the hollowed stud.exe hijacks Explorer, Explorer then starts and writes into raserver.exe (record 3008 -> 3848), and raserver.exe hijacks Explorer again (3848 -> 3008) before deleting the original sample, copying the Chrome credential database and starting Firefox. For hunting on an endpoint, the Policies\Explorer\Run value and the Program Files (x86)\Txdrplnix directory are the durable artifacts; the DB1 copy in Temp may be gone by the time you look.
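The injection chain and the two credential-theft command lines can be recovered mechanically from the report's own row formats. The Python below is an added example written for this page, not tria.ge code and not part of the report; the records and process table it embeds are constructed copies of the rows above, and the BROWSER_STORES list, SAMPLE_PATH and the function names are this example's own assumptions.

```python
"""Correlate sandbox injection records into a chain and flag credential theft.

Added example for this report, not tria.ge code. The records below are
constructed copies of the report's WriteProcessMemory / SetThreadContext
rows and process tree; function and constant names are this example's own.
"""
import re

# Constructed records in the report's row format:
#   "PID <src> wrote to memory of <dst> <src> <src image> <procid_target>"
WRITE_RECORDS = """
PID 3236 wrote to memory of 3360 3236 stud.exe 67
PID 3008 wrote to memory of 3848 3008 Explorer.EXE 68
PID 3848 wrote to memory of 2892 3848 raserver.exe 69
PID 3848 wrote to memory of 1776 3848 raserver.exe 71
PID 3848 wrote to memory of 3172 3848 raserver.exe 73
"""
CONTEXT_RECORDS = """
PID 3236 set thread context of 3360 3236 stud.exe 67
PID 3360 set thread context of 3008 3360 stud.exe 56
PID 3848 set thread context of 3008 3848 raserver.exe 56
"""
# Constructed process table from the tree: pid -> (image, command line)
PROCESSES = {
    3008: ("Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    3236: ("stud.exe", r'"C:\Users\Admin\AppData\Local\Temp\stud.exe"'),
    3360: ("stud.exe", r'"C:\Users\Admin\AppData\Local\Temp\stud.exe"'),
    3848: ("raserver.exe", r'"C:\Windows\SysWOW64\raserver.exe"'),
    2892: ("cmd.exe", r'cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\stud.exe"'),
    1776: ("cmd.exe", r'cmd.exe /c copy "C:\Users\Admin\AppData\Local\Google\Chrome'
                      r'\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V'),
    3172: ("Firefox.exe", r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
}
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\stud.exe"
# Browser credential/profile stores an infostealer typically copies (assumed list).
BROWSER_STORES = ("login data", "web data", "cookies", "logins.json", "key4.db")

RECORD_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<image>\S+) \d+"
)


def parse_records(text):
    """Parse report rows into (src_pid, action, dst_pid, src_image) tuples."""
    out = []
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            out.append((int(m["src"]), m["action"], int(m["dst"]), m["image"]))
    return out


def classify_context_edges(write_text, ctx_text):
    """Label each SetThreadContext edge: a context set in a process the caller
    also wrote into is the hollowing pair; one set in a process the caller never
    wrote into means the payload got there another way (here, section mapping)."""
    writes = {(s, d) for s, _, d, _ in parse_records(write_text)}
    labelled = []
    for s, _, d, _ in parse_records(ctx_text):
        kind = "hollowed child" if (s, d) in writes else "hijack of unrelated process"
        labelled.append((s, d, kind))
    return labelled


def injection_chain(root, write_text, ctx_text):
    """Depth-first walk from the submitted sample over write/context edges;
    the returned pid order is the order the malware took control of them."""
    adjacency = {}
    for s, _, d, _ in parse_records(write_text) + parse_records(ctx_text):
        adjacency.setdefault(s, set()).add(d)
    order, seen, stack = [], set(), [root]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        order.append(pid)
        # push in reverse so the smallest pid is visited first (deterministic)
        stack.extend(sorted(adjacency.get(pid, ()), reverse=True))
    return order


def flag_command_lines(processes, sample_path):
    """Return {pid: [findings]} for self-deletion and browser-store copying."""
    findings = {}
    for pid, (_, cmd) in processes.items():
        low = cmd.lower()
        tags = []
        if re.search(r"\bcopy\b", low) and any(s in low for s in BROWSER_STORES):
            tags.append("browser credential store copied")
        if re.search(r"\bdel\b", low) and sample_path.lower() in low:
            tags.append("sample self-deletion")
        if tags:
            findings[pid] = tags
    return findings


if __name__ == "__main__":
    for src, dst, kind in classify_context_edges(WRITE_RECORDS, CONTEXT_RECORDS):
        print(f"{src} -> {dst}: {kind}")
    chain = injection_chain(3236, WRITE_RECORDS, CONTEXT_RECORDS)
    print("chain:", " -> ".join(f"{p} {PROCESSES[p][0]}" for p in chain))
    print(flag_command_lines(PROCESSES, SAMPLE_PATH))
```

Run as-is it reconstructs the chain 3236 -> 3360 -> 3008 -> 3848 -> {1776, 2892, 3172} and labels the two Explorer hijacks separately from the self-hollowing step. To use it on another tria.ge report, paste that report's WriteProcessMemory and SetThreadContext rows and its process tree into the three constants; the chain walk deliberately treats a WriteProcessMemory edge and a SetThreadContext edge the same, since either one means the source controlled the target.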