Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
109s -
max time network
131s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
11/07/2020, 06:13
Static task
static1
Behavioral task
behavioral1
Sample
79b7b9cc898ec6a19baa53da2018113b.exe
Resource
win7
0 signatures
0 seconds
General
-
Target
79b7b9cc898ec6a19baa53da2018113b.exe
-
Size
47KB
-
MD5
79b7b9cc898ec6a19baa53da2018113b
-
SHA1
5b9ccd21b0ba8dc8c8540a74a2dac3a1bade50aa
-
SHA256
d959ab3ffc54e02792ddc39c6109e1e72a3e48937c225c06f7692bb4f3ffd888
-
SHA512
8aa5ea16f32a5a582a041168e6fc341039c95fe7cf55740ff8a17c4d06e574264193a3ac7d60cadae6949eb7ceca813bffdc002ca5bd4beac324feeb2a65355c
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2416 79b7b9cc898ec6a19baa53da2018113b.exe Token: SeDebugPrivilege 2796 ek1vihfh.ztw.scr -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2416 wrote to memory of 2796 2416 79b7b9cc898ec6a19baa53da2018113b.exe 68 PID 2416 wrote to memory of 2796 2416 79b7b9cc898ec6a19baa53da2018113b.exe 68 PID 2416 wrote to memory of 2796 2416 79b7b9cc898ec6a19baa53da2018113b.exe 68 -
Executes dropped EXE 1 IoCs
pid Process 2796 ek1vihfh.ztw.scr -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2796 ek1vihfh.ztw.scr -
Checks for installed software on the system 1 TTPs 29 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName ek1vihfh.ztw.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName ek1vihfh.ztw.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName ek1vihfh.ztw.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName ek1vihfh.ztw.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName ek1vihfh.ztw.scr Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall ek1vihfh.ztw.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName ek1vihfh.ztw.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName ek1vihfh.ztw.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName ek1vihfh.ztw.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName ek1vihfh.ztw.scr Key enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall ek1vihfh.ztw.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName ek1vihfh.ztw.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName ek1vihfh.ztw.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName ek1vihfh.ztw.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName ek1vihfh.ztw.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName ek1vihfh.ztw.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName ek1vihfh.ztw.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName ek1vihfh.ztw.scr Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall ek1vihfh.ztw.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName ek1vihfh.ztw.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName ek1vihfh.ztw.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName ek1vihfh.ztw.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName ek1vihfh.ztw.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName ek1vihfh.ztw.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName ek1vihfh.ztw.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName ek1vihfh.ztw.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName ek1vihfh.ztw.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName ek1vihfh.ztw.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName ek1vihfh.ztw.scr -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Processes
-
C:\Users\Admin\AppData\Local\Temp\79b7b9cc898ec6a19baa53da2018113b.exe"C:\Users\Admin\AppData\Local\Temp\79b7b9cc898ec6a19baa53da2018113b.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\ProgramData\ek1vihfh.ztw.scr"C:\ProgramData\ek1vihfh.ztw.scr" /S2⤵
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Checks for installed software on the system
PID:2796
-