Analysis

  • max time kernel
    151s
  • max time network
    185s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
  • submitted
    19/09/2022, 21:18

General

  • Target

    5c9474db5b40323e40a6ff476beffe19fa7935dc3ade29d445fa8ac3079a187a.exe

  • Size

    4.0MB

  • MD5

    c67263056aff53ca1e39c81b736959f5

  • SHA1

    4f6403ffd2bce411b50be725d1f538078889dd4a

  • SHA256

    5c9474db5b40323e40a6ff476beffe19fa7935dc3ade29d445fa8ac3079a187a

  • SHA512

    1109b3fbe1040b3d3dca35c189106eb68f025fa8e5d2fa32236fb54229d95a0a544093c122aa650e9b699a99a09a9aaff86a547390190149cc71195a450fb7b4

  • SSDEEP

    1536:+EfFNvtgmAl7z5dKY6yuJPW8K43w9NXOM1aRl/i6JWT0S9yXnBibnouy8:+YLmGO4W849NXO9RlK6gOxiDout

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 14 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 3 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 15 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 24 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c9474db5b40323e40a6ff476beffe19fa7935dc3ade29d445fa8ac3079a187a.exe
    "C:\Users\Admin\AppData\Local\Temp\5c9474db5b40323e40a6ff476beffe19fa7935dc3ade29d445fa8ac3079a187a.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Users\Admin\E696D64614\winlogon.exe
      "C:\Users\Admin\E696D64614\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Modifies system certificate store
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1412
      • C:\Users\Admin\E696D64614\winlogon.exe
        "C:\Users\Admin\E696D64614\winlogon.exe"
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • UAC bypass
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Sets file execution options in registry
        • Windows security modification
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:1704
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1344
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1344 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1924
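
A host-side check, added here as an editor's example and not part of the tria.ge report, that looks on a live Windows 7 host for the artefacts the signature list and process tree above describe: the self-copy masquerading as winlogon.exe under the user profile (the dropped file in this report carries the same hashes as the submitted sample), and the registry settings behind the "Disables RegEdit", "Disables Task Manager", "Modifies visibility of file extensions / hidden files", "UAC bypass", "Modifies firewall policy service", "Windows security modification", "Sets file execution options in registry", "Adds Run key" and "Modifies Internet Explorer start page" signatures. The report names signature categories, not the exact keys and values touched, so the key paths and the "bad" values in the script are the standard locations those categories map to and are my assumption; the directory name E696D64614 is assumed to be specific to this run, which is why the script searches for any winlogon.exe outside System32 rather than that one path.

```powershell
# Host-triage script added as an example; it is not part of the tria.ge report.
# Run in an elevated PowerShell on the suspect Windows 7 host (PS 2.0 compatible,
# so no Get-FileHash). ASSUMPTIONS: the registry keys/values below are the
# standard locations behind the report's signature categories (the report does
# not list the exact keys), and 'E696D64614' is a per-run directory name.

$SampleSha256 = '5C9474DB5B40323E40A6FF476BEFFE19FA7935DC3ADE29D445FA8AC3079A187A'  # from the report
$findings = @()

function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

# 1. Masquerading self-copy: the only legitimate winlogon.exe lives in %SystemRoot%\System32.
#    The report's copy was C:\Users\Admin\E696D64614\winlogon.exe; search all profiles instead.
$legit = Join-Path $env:SystemRoot 'System32\winlogon.exe'
foreach ($f in @(Get-ChildItem -Path "$env:SystemDrive\Users" -Filter 'winlogon.exe' -Recurse -Force -ErrorAction SilentlyContinue)) {
    if ($f.FullName -ieq $legit) { continue }
    $h   = Get-Sha256Hex $f.FullName
    $tag = if ($h -eq $SampleSha256) { 'MATCHES report sample' } else { 'unknown hash, submit for analysis' }
    $findings += "[Masquerade] $($f.FullName) sha256=$h ($tag)"
}

# 2. Tamper/persistence values behind the signature names. 'Bad' is the value that
#    indicates the setting has been turned against the user (assumed standard mapping).
$checks = @(
  @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name='DisableRegistryTools';        Bad=1; Sig='Disables RegEdit' },
  @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name='DisableTaskMgr';              Bad=1; Sig='Disables Task Manager' },
  @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='HideFileExt';                 Bad=1; Sig='Hides file extensions' },
  @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='Hidden';                      Bad=2; Sig='Hides hidden files' },
  @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='ShowSuperHidden';             Bad=0; Sig='Hides system files' },
  @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name='EnableLUA';                   Bad=0; Sig='UAC disabled' },
  @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name='ConsentPromptBehaviorAdmin';  Bad=0; Sig='UAC elevates silently' },
  @{ Key='HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'; Name='EnableFirewall'; Bad=0; Sig='Firewall policy' },
  @{ Key='HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile';   Name='EnableFirewall'; Bad=0; Sig='Firewall policy' },
  @{ Key='HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile';   Name='EnableFirewall'; Bad=0; Sig='Firewall policy' },
  @{ Key='HKLM:\SOFTWARE\Microsoft\Security Center'; Name='AntiVirusDisableNotify'; Bad=1; Sig='Security Center notifications' },
  @{ Key='HKLM:\SOFTWARE\Microsoft\Security Center'; Name='FirewallDisableNotify';  Bad=1; Sig='Security Center notifications' },
  @{ Key='HKLM:\SOFTWARE\Microsoft\Security Center'; Name='UpdatesDisableNotify';   Bad=1; Sig='Security Center notifications' }
)
foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($v -ne $null -and [int]$v -eq $c.Bad) { $findings += "[$($c.Sig)] $($c.Key)\$($c.Name) = $v" }
}

# 3. Image File Execution Options: a Debugger value silently redirects the named
#    program (typically a security tool) to whatever path the malware chose.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($k in @(Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
    $dbg = (Get-ItemProperty -Path $k.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings += "[IFEO] $($k.PSChildName) -> Debugger = $dbg" }
}

# 4. Run keys: anything launching from a user profile or named winlogon.exe needs review.
foreach ($run in @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                   'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')) {
    $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a registry value
        if ("$($p.Value)" -match '(?i)winlogon\.exe|\\Users\\') { $findings += "[Run] $run\$($p.Name) = $($p.Value)" }
    }
}

# 5. IE start page and recently written driver files (the report names both signatures
#    but not the values, so these are listed for review rather than judged).
$sp = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
if ($sp) { $findings += "[IE] Start Page = $sp (confirm it is the expected default)" }
$drv = Join-Path $env:SystemRoot 'System32\drivers'
foreach ($d in @(Get-ChildItem -Path $drv -ErrorAction SilentlyContinue |
                 Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt (Get-Date).AddDays(-7) })) {
    $findings += "[Drivers] recently written: $($d.FullName) ($($d.LastWriteTime))"
}

if ($findings.Count -eq 0) { 'No indicators from the report found on this host.' } else { $findings }
```

Two caveats when reading the output. The Run-key and driver checks list candidates for review, not verdicts: legitimate software also starts from the user profile, and Windows Update writes drivers. And note where the behaviour came from in the report: the process tree shows winlogon.exe (PID 1412) using SetThreadContext and WriteProcessMemory on a second instance of itself (PID 1704), and it is that child, whose mapped image at 0x400000 is smaller than its parent's (252KB versus 284KB), that performs every registry modification. That is consistent with the UPX-packed file on disk unpacking a different payload into the child, so a memory dump of the child, not the file, is what to acquire if you need the decoded configuration.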

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

    Filesize

    2KB

    MD5

    1c626eac6241b02b0082a76f150a3a8a

    SHA1

    b7c0c6ae1d3d5a2beaf4c4f3744cac6285f04858

    SHA256

    412116af67c3a894bee8821158ee91447ca6cfe0d5b43d0524e6c5af5defaf69

    SHA512

    8550f0ec9a9c5f152a3b5eb49a91084d3201589373b8d381233926f1ac34bd0c276fa1e3c9da75bd8297f417d9f566f4bf6b882107c7255522f745e6d446802a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    60KB

    MD5

    6c6a24456559f305308cb1fb6c5486b3

    SHA1

    3273ac27d78572f16c3316732b9756ebc22cb6ed

    SHA256

    efc3c579bd619ceab040c4b8c1b821b2d82c64fddd9e80a00ec0d7f6577ed973

    SHA512

    587d4a9175a6aa82cd8bb1c11ca6508f95cd218f76ac322ddbd1bc7146a0e25f8937ee426a6fb0fb0bb045cedb24d8c8a9edfe9f654112f293d8701220f726b4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

    Filesize

    1KB

    MD5

    48e98893438d04fa64bb49bbdafbf960

    SHA1

    e28578281fc80cb97275a94aa0e9da0db8285b87

    SHA256

    2ad261d743636a48688f1d3a1a9def925c6a7642db3dea12b8c23e5aac46719d

    SHA512

    9eb1160e51ce79e0a7055a053ac5f25d2ff8d7277f8af146c188a1bd24deddd12df219aeb410f072b26ccaa114b88d7680d474c86736a0ab3187ec7ee08c73b0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

    Filesize

    488B

    MD5

    3a3a52898311c509a4a4f65f509e1dca

    SHA1

    54f3323abbac27f7b6326022fb64056ad75d4c4f

    SHA256

    98a992a13085e94393db3d7c1d43387b876aac5bd299f3e467907ee2a4e3583a

    SHA512

    dbf51238b47e7ab1e7935d6a939ea7bb7e472426b5585c48de3f5493c444847c2ade625ca85ae0ac00a10c35c49863b63e70bce566e00d9fa116900c1e5b006c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    01a130b8274c5b799839e8f3cf871845

    SHA1

    4d7df07f2e3cce1c93045a86abd86b14eb2c944a

    SHA256

    77f2e5899059bb3b80a18897c153b7741bf082e378c2efe11683becc58e1ec4d

    SHA512

    ef114d535664f15226360f1d5a2eed7f2af6a12f066486ba7e317e7277f63eb52d61c35e21f8a411e60d3cd4b2502e7b04f16dfa56c318932508f067a199559d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    a52aca4cb434df0f554348f49bb517a5

    SHA1

    710a766b2d87b4f0d8ac22bd267ddaeedc992009

    SHA256

    ec53c7692e0986e35b4c1ea749d6eb2bb4415224c8bc509169a9883282e3f3b6

    SHA512

    0f2c826b4053b0ccd2f5cc6339236f53068803d2869ae1bad2e09637917bf5362fe602f7876c5f13d9ea137b1acdf94841942f1db3d4fcdf3804f43ca940693e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    33f6229606c59138efe02b54f514cad7

    SHA1

    69d16ba33e4b3b3fc2161cbe96d8da012b2efede

    SHA256

    22061a7046503ef8aa46d94d17efa974375f60a551cc66a75c27b5de6ddaada5

    SHA512

    5ad921b69bd6d7ab2f197cef3a8ae78409b7010b87a50673a046d6924019163a8e6c56ae683003dfed00e51d3c9b8330e90b14af45c0ff0ac67a20dc43e23e73

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

    Filesize

    482B

    MD5

    36b713d255b81c10b1f082fa0d5ba131

    SHA1

    875f97a954ae4b5ecc32cdb11c34131378277fcb

    SHA256

    82f6979ea0a1e1cc7858ae677a6cce4ddd1213bc0de51c624b0188704d15e335

    SHA512

    3868a2d8b8dd5e3362aa4f53f3ddcfcaa3d50d9fd94cc084c94bfe7fc58160b8533fc0a03536c11498e3ba61590593f2d414b73603ef3ed6b4aab026abde795e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    242B

    MD5

    bb247ae48e59a13211cf901503d74192

    SHA1

    4139a77750366257990ed13c9ecb28185a2c9af0

    SHA256

    6af865204dda649c10c8a0de4cac306c9a6e2c4834beb5f54cd36271f0ea98b3

    SHA512

    18a67ffd6f7fe8eeeaf77c6225420c8c6acd0142cc1f3f81ff0c2b019bc1456fb75bad92c747bbb47c634cc679084cf551bf8411edba1b56a08aa2f6f17b1fcb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\I37M72AW.txt

    Filesize

    117B

    MD5

    b1c1b653ef4f06879818331eb4d1bfc2

    SHA1

    1b8fddb4d3695b907e163b57719692da8f3092bb

    SHA256

    7de6e87b8976a3c0ab38d60e5cc6cefe8313ff4d2eec6c47b9d7d60f8fdf1cb7

    SHA512

    79a624b3a81bb677bcfc0dd1657a46e27656d59a74ae370d53609a9d2d3b33a9cfb084ba609fd3fcb363c4a3dcc0446b761708fffca0f8adf3ec07ee0e3c08d9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Q8M447N8.txt

    Filesize

    603B

    MD5

    7021dde2d01cbef83cb08ae841206ec6

    SHA1

    dfdc9eff6fc605f49bc7f611aaafc42f2edfa585

    SHA256

    b7f2a776b951c3ab46a7a1117d95594ffdd2ac1b391464124ab3af2e8d3ffd1b

    SHA512

    a27bf2b1bba0ceec649d8cc1bcb3b84ce44bc45f9da4c4bf416ef6bc501ffa29b8324e6f8a3ceb7edabe1ead65394eb783fab6f2bc6bfd094fe583418c61322b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\U7O8Z4VG.txt

    Filesize

    96B

    MD5

    55aee6213b5a3410527cb6752172da0d

    SHA1

    ee8819ec94f63f69c768c0d924d384034381e58c

    SHA256

    db6313a9155aff40981e54423d9b0426a668702f75b0dc5ed41b3c378513809b

    SHA512

    6708c8a94e449cc5690598d0e39fb6b63e62e742a884ce9273f8f9faff3ce1db54cb76a638789d9ed2a90766a6aeeaab2d24f2f4fe46129a969715d8ae79c1d8

  • C:\Users\Admin\E696D64614\winlogon.exe

    Filesize

    4.0MB

    MD5

    c67263056aff53ca1e39c81b736959f5

    SHA1

    4f6403ffd2bce411b50be725d1f538078889dd4a

    SHA256

    5c9474db5b40323e40a6ff476beffe19fa7935dc3ade29d445fa8ac3079a187a

    SHA512

    1109b3fbe1040b3d3dca35c189106eb68f025fa8e5d2fa32236fb54229d95a0a544093c122aa650e9b699a99a09a9aaff86a547390190149cc71195a450fb7b4

  • \Users\Admin\E696D64614\winlogon.exe

    Filesize

    4.0MB

    MD5

    c67263056aff53ca1e39c81b736959f5

    SHA1

    4f6403ffd2bce411b50be725d1f538078889dd4a

    SHA256

    5c9474db5b40323e40a6ff476beffe19fa7935dc3ade29d445fa8ac3079a187a

    SHA512

    1109b3fbe1040b3d3dca35c189106eb68f025fa8e5d2fa32236fb54229d95a0a544093c122aa650e9b699a99a09a9aaff86a547390190149cc71195a450fb7b4

  • memory/1412-66-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

  • memory/1412-65-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB

  • memory/1704-77-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/1704-73-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/1704-72-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/1704-85-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/1704-68-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/1756-56-0x0000000075141000-0x0000000075143000-memory.dmp

    Filesize

    8KB

  • memory/1756-61-0x0000000000400000-0x0000000000447000-memory.dmp

    Filesize

    284KB