Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/09/2022, 21:18

General

  • Target

    5c9474db5b40323e40a6ff476beffe19fa7935dc3ade29d445fa8ac3079a187a.exe

  • Size

    4.0MB

  • MD5

    c67263056aff53ca1e39c81b736959f5

  • SHA1

    4f6403ffd2bce411b50be725d1f538078889dd4a

  • SHA256

    5c9474db5b40323e40a6ff476beffe19fa7935dc3ade29d445fa8ac3079a187a

  • SHA512

    1109b3fbe1040b3d3dca35c189106eb68f025fa8e5d2fa32236fb54229d95a0a544093c122aa650e9b699a99a09a9aaff86a547390190149cc71195a450fb7b4

  • SSDEEP

    1536:+EfFNvtgmAl7z5dKY6yuJPW8K43w9NXOM1aRl/i6JWT0S9yXnBibnouy8:+YLmGO4W849NXO9RlK6gOxiDout

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 18 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 3 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 15 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c9474db5b40323e40a6ff476beffe19fa7935dc3ade29d445fa8ac3079a187a.exe
    "C:\Users\Admin\AppData\Local\Temp\5c9474db5b40323e40a6ff476beffe19fa7935dc3ade29d445fa8ac3079a187a.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4596
    • C:\Users\Admin\E696D64614\winlogon.exe
      "C:\Users\Admin\E696D64614\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:208
      • C:\Users\Admin\E696D64614\winlogon.exe
        "C:\Users\Admin\E696D64614\winlogon.exe"
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Sets file execution options in registry
        • Windows security modification
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:628
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
      PID:1564
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3744
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3744 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3568

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

      Filesize

      2KB

      MD5

      1c626eac6241b02b0082a76f150a3a8a

      SHA1

      b7c0c6ae1d3d5a2beaf4c4f3744cac6285f04858

      SHA256

      412116af67c3a894bee8821158ee91447ca6cfe0d5b43d0524e6c5af5defaf69

      SHA512

      8550f0ec9a9c5f152a3b5eb49a91084d3201589373b8d381233926f1ac34bd0c276fa1e3c9da75bd8297f417d9f566f4bf6b882107c7255522f745e6d446802a

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

      Filesize

      1KB

      MD5

      48e98893438d04fa64bb49bbdafbf960

      SHA1

      e28578281fc80cb97275a94aa0e9da0db8285b87

      SHA256

      2ad261d743636a48688f1d3a1a9def925c6a7642db3dea12b8c23e5aac46719d

      SHA512

      9eb1160e51ce79e0a7055a053ac5f25d2ff8d7277f8af146c188a1bd24deddd12df219aeb410f072b26ccaa114b88d7680d474c86736a0ab3187ec7ee08c73b0

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

      Filesize

      488B

      MD5

      61a7cc53acf1404bf92640a2261e363d

      SHA1

      a20bccca1df83e2d66d1db0a3e592def6d3f68bc

      SHA256

      85c7dd641bd813bfb0ce7dffbb3bb472039c60fc7c82aa48d10d7831f07d0f32

      SHA512

      c3017f2a884972fe1fc9a7097e6e2fffd0fe77aa294ab0c18bab683915b61114c8ea9ba43d2e82c0dfc6b9ce8cb8279719f3e066f2399400b3f5c79f5a68dcc3

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

      Filesize

      482B

      MD5

      7995275fb0a8476f8d72cc661bcaf6b1

      SHA1

      5b7df1ae91ed819c5763d36bebbe12dcd09c264b

      SHA256

      18e6779313812a7f1556aca618bc3dd4ccbf8c5aca2cbf720d7ecc53cd9d06cf

      SHA512

      ba9e49f928e0d89c71d860623a039e8280326c9f00c9d57bd9a501177148e4caa22bcdbd38c0b3ea078c060a33dd6cb076624948b041fecd63a8244e73255ca7

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml

      Filesize

      15KB

      MD5

      1a545d0052b581fbb2ab4c52133846bc

      SHA1

      62f3266a9b9925cd6d98658b92adec673cbe3dd3

      SHA256

      557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

      SHA512

      bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

    • C:\Users\Admin\E696D64614\winlogon.exe

      Filesize

      4.0MB

      MD5

      c67263056aff53ca1e39c81b736959f5

      SHA1

      4f6403ffd2bce411b50be725d1f538078889dd4a

      SHA256

      5c9474db5b40323e40a6ff476beffe19fa7935dc3ade29d445fa8ac3079a187a

      SHA512

      1109b3fbe1040b3d3dca35c189106eb68f025fa8e5d2fa32236fb54229d95a0a544093c122aa650e9b699a99a09a9aaff86a547390190149cc71195a450fb7b4

    • C:\Users\Admin\E696D64614\winlogon.exe

      Filesize

      4.0MB

      MD5

      c67263056aff53ca1e39c81b736959f5

      SHA1

      4f6403ffd2bce411b50be725d1f538078889dd4a

      SHA256

      5c9474db5b40323e40a6ff476beffe19fa7935dc3ade29d445fa8ac3079a187a

      SHA512

      1109b3fbe1040b3d3dca35c189106eb68f025fa8e5d2fa32236fb54229d95a0a544093c122aa650e9b699a99a09a9aaff86a547390190149cc71195a450fb7b4

    • C:\Users\Admin\E696D64614\winlogon.exe

      Filesize

      4.0MB

      MD5

      c67263056aff53ca1e39c81b736959f5

      SHA1

      4f6403ffd2bce411b50be725d1f538078889dd4a

      SHA256

      5c9474db5b40323e40a6ff476beffe19fa7935dc3ade29d445fa8ac3079a187a

      SHA512

      1109b3fbe1040b3d3dca35c189106eb68f025fa8e5d2fa32236fb54229d95a0a544093c122aa650e9b699a99a09a9aaff86a547390190149cc71195a450fb7b4

    • memory/208-141-0x0000000000400000-0x0000000000447000-memory.dmp

      Filesize

      284KB

    • memory/208-155-0x0000000000400000-0x0000000000447000-memory.dmp

      Filesize

      284KB

    • memory/628-146-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/628-147-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/628-143-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/628-154-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/628-156-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/4596-132-0x0000000000400000-0x0000000000447000-memory.dmp

      Filesize

      284KB

    • memory/4596-140-0x0000000000400000-0x0000000000447000-memory.dmp

      Filesize

      284KB