Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/10/2022, 07:22

General

  • Target

    8a93ed0f80b337ece9ffc9380fe6b69b6a1c7c25052a8f8eefecdc5a13e9966c.exe

  • Size

    632KB

  • MD5

    d3a9112f8479de6d0bb80daa086ee39d

  • SHA1

    c7044e763bddd442c7ff7504efe954ea4dbe6848

  • SHA256

    8a93ed0f80b337ece9ffc9380fe6b69b6a1c7c25052a8f8eefecdc5a13e9966c

  • SHA512

    0a604cea4bc5e13c6ac8bbbc381b9a1827e47ddde2b6713574e89ffd627eb2ac16be4760264a09d4894450d32359e9f2d233cef59dd5e9add6f1cf802f44d2d2

  • SSDEEP

    12288:QAEx4EoqHsQdmxl6zbr+F3KUf79EAN9IT6uOB2f/9E8k:LEx45zxI+bcTFY2dC

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a93ed0f80b337ece9ffc9380fe6b69b6a1c7c25052a8f8eefecdc5a13e9966c.exe
    "C:\Users\Admin\AppData\Local\Temp\8a93ed0f80b337ece9ffc9380fe6b69b6a1c7c25052a8f8eefecdc5a13e9966c.exe"
    1⤵
    • Adds Run key to start application
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious use of WriteProcessMemory
    PID:4936
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cd C:\Users
      2⤵
        PID:4204
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +r +h +s desktop.ini
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3584
        • C:\Windows\system32\attrib.exe
          attrib +r +h +s desktop.ini
          3⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:4500
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cd ..
        2⤵
          PID:4988
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c attrib +r C:\Users
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4908
          • C:\Windows\system32\attrib.exe
            attrib +r C:\Users
            3⤵
            • Views/modifies file attributes
            PID:1376
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c regsvr32 /u /s igfxpph.dll
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1140
          • C:\Windows\system32\regsvr32.exe
            regsvr32 /u /s igfxpph.dll
            3⤵
              PID:684
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c reg delete HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers /f
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4568
            • C:\Windows\system32\reg.exe
              reg delete HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers /f
              3⤵
              • Modifies registry class
              PID:3672
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c reg add HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\new /ve /d {D969A300-E7FF-11d0-A93B-00A0C90F2719}
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3680
            • C:\Windows\system32\reg.exe
              reg add HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\new /ve /d {D969A300-E7FF-11d0-A93B-00A0C90F2719}
              3⤵
              • Modifies registry class
              PID:3380
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v HotKeysCmds /f
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:212
            • C:\Windows\system32\reg.exe
              reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v HotKeysCmds /f
              3⤵
                PID:1964
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v IgfxTray /f
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1328
              • C:\Windows\system32\reg.exe
                reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v IgfxTray /f
                3⤵
                  PID:1920

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/4936-135-0x00007FF690440000-0x00007FF690575000-memory.dmp

              Filesize

              1.2MB

            • memory/4936-152-0x00007FF690440000-0x00007FF690575000-memory.dmp

              Filesize

              1.2MB