Analysis
max time kernel: 155s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/10/2022, 04:35
(The signatures, process list and downloads below all come from behavioral2, the Windows 10 run; the yara matches are prefixed behavioral2/.)

Behavioral task behavioral1
Sample: 73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe
Resource: win7-20220812-en

Behavioral task behavioral2
Sample: 73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe
Resource: win10v2004-20220812-en

General
Target: 73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe
Size: 110KB
MD5: 877996da419cb48838d9769b24f6016c
SHA1: 1bd1a5ef7668b1a26eaa0c96c3ad7140428b9597
SHA256: 73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46
SHA512: d4752f4e250f7ffae3fcd77e6cfadcd5b5360f1e02618cb285b6d73fef8c580911b211fd09b33b0da5141d3d1c8f3d7923163b68955679cebfacbdb521b838d3
SSDEEP: 3072:dUdvtJxKyKWGK3WtrHu6asw3rWe2LLcp/:dUdpzG2SrHxal3Ser
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SunJava.exe
HideFileExt = 1 makes Explorer hide known extensions, so a file named photo.jpg.exe is shown as photo.jpg. Note that 1 is the Windows default: the sample re-asserts it rather than weakening a hardened setting, so on its own this is a weak indicator; the decoy .jpg in the process list is what gives it meaning.

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SunJava.exe
ShowSuperHidden = 0 keeps protected operating-system files hidden in Explorer; this too is the default value.

Executes dropped EXE (1 IoC)
pid | process
1852 | SunJava.exe

Packed with UPX (yara rule upx, 7 IoCs; the signature title is missing from the extracted page, the rule name is not)
resource | yara_rule
behavioral2/memory/4248-132-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral2/memory/4248-136-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral2/files/0x000b00000001e4f5-138.dat | upx
behavioral2/files/0x000b00000001e4f5-139.dat | upx
behavioral2/memory/1852-144-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral2/memory/4248-147-0x0000000000400000-0x0000000000434000-memory.dmp | upx
behavioral2/memory/1852-150-0x0000000000400000-0x0000000000434000-memory.dmp | upx
The submitted sample (PID 4248) and the dropped copy (PID 1852) match over the same image range (0x400000-0x434000), and the dropped file (0x000b00000001e4f5) matches on disk.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
The concrete evidence is in the process list below: makecab is run on signons.sqlite (Firefox's legacy saved-logins store) and regedit /e exports HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 (where Internet Explorer keeps saved form and password entries).

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run | 73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJava = "C:\\Users\\Admin\\AppData\\Roaming\\Sunjava\\SunJava.exe" | 73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe
This is a per-user (HKCU) Run entry: it needs no elevation and keeps working after the original file in %TEMP% is deleted, because it points at the copy in %APPDATA%\Sunjava.

Drops file in System32 directory (11 IoCs)
description | ioc | process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs | svchost.exe
All eleven writes are by the svchost.exe instance hosting DsSvc (PID 4288 in the process list), which is not in the sample's process tree; treat this signature as sandbox noise rather than sample behaviour.

Modifies registry class (2 IoCs)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | mspaint.exe
Both come from the shell and Paint opening the decoy image; nothing here is attributable to the sample itself.

Runs .reg file with regedit (1 IoC)
pid | process
3868 | regedit.exe
The command line (see the process list) is an export (regedit /e) of the IntelliForms\Storage2 key, not an import of a .reg file; the signature title is misleading for this sample.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | process
4408 | mspaint.exe (listed twice)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | process
1852 | SunJava.exe

Suspicious use of SetWindowsHookEx (10 IoCs)
pid | process
4248 | 73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe (4 calls)
1852 | SunJava.exe (4 calls)
4408 | mspaint.exe
4336 | OpenWith.exe

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | process | procid_target
PID 4248 wrote to memory of 1852 | 4248 | 73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe | 90 (listed 3 times)
PID 4248 wrote to memory of 3708 | 4248 | 73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe | 91 (listed 3 times)
PID 4596 wrote to memory of 4408 | 4596 | explorer.exe | 95 (listed 2 times)
PID 1852 wrote to memory of 1244 | 1852 | SunJava.exe | 96 (listed 3 times)
PID 1852 wrote to memory of 4204 | 1852 | SunJava.exe | 99 (listed 3 times)
PID 1852 wrote to memory of 3868 | 1852 | SunJava.exe | 101 (listed 3 times)
Every target is a child the writer launched and that appears in the process list with its own command line, which is consistent with ordinary child-process creation rather than code injection into an unrelated process.
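The registry IoCs above are the part of this report worth automating: a triage script should turn the sandbox's kernel-object paths (\REGISTRY\USER\<SID>\...) into the HKCU/HKLM form an analyst would query, unescape the logged string values, and separate persistence and Explorer tampering from shell noise. The following is an added example, not code from tria.ge or from the sample: it parses lines in the shape of the "Set value"/"Key created" IoCs in this section (the sample lines are constructed from the report's own entries), normalises the hive, and classifies each line. The category names, the Finding structure and the ATT&CK mapping are my own (current sub-technique IDs rather than the Enterprise v6 IDs the report references).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the registry IoC lines from the Signatures section,
# one IoC per line (paths and values copied from the report).
SAMPLE_IOCS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"',
    r'Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJava = "C:\\Users\\Admin\\AppData\\Roaming\\Sunjava\\SunJava.exe"',
    r'Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings',
]

# '<op> <native path>[ = "<value>"]'. The path is matched lazily so that a
# trailing ' = "..."' is split off when present; otherwise the tail is the path.
IOC_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>.*)")?$'
)
# \REGISTRY\USER\<SID>[_Classes]\rest : the _Classes hive is HKCU\Software\Classes.
USER_HIVE_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-\d+-\d+-\d+-\d+(_Classes)?(.*)$", re.I)


@dataclass
class Finding:
    category: str              # persistence | persistence_key | explorer_tamper | noise
    technique: Optional[str]   # ATT&CK ID (my mapping), None for noise
    path: str                  # hive-normalised path (HKCU\... or HKLM\...)
    value: Optional[str]       # unescaped value for "Set value" lines


def normalize_path(native: str) -> str:
    """Map the kernel-object path the sandbox logs to the HKCU/HKLM form."""
    m = USER_HIVE_RE.match(native)
    if m:
        hive = "HKCU\\Software\\Classes" if m.group(1) else "HKCU"
        return hive + m.group(2)
    if native.upper().startswith("\\REGISTRY\\MACHINE"):
        return "HKLM" + native[len("\\REGISTRY\\MACHINE"):]
    return native


def classify(path: str, is_set: bool, value: Optional[str]):
    low = path.lower()
    if is_set and "\\currentversion\\run\\" in low:
        return "persistence", "T1547.001"       # a value written under a Run key
    if low.endswith("\\currentversion\\run") or low.endswith("\\currentversion\\runonce"):
        return "persistence_key", "T1547.001"   # the Run key itself created/opened
    if low.endswith("\\explorer\\advanced\\hidefileext") and value == "1":
        return "explorer_tamper", "T1564.001"   # hide known extensions (Windows default, re-asserted)
    if low.endswith("\\explorer\\advanced\\showsuperhidden") and value == "0":
        return "explorer_tamper", "T1564.001"   # hide protected OS files (also the default)
    return "noise", None                        # e.g. _Classes\Local Settings from explorer/mspaint


def triage(lines: List[str]) -> List[Finding]:
    findings = []
    for line in lines:
        m = IOC_RE.match(line.strip())
        if not m:
            continue                            # not an IoC line
        value = m.group("value")
        if value is not None:
            value = value.replace("\\\\", "\\")  # the report escapes backslashes in string values
        path = normalize_path(m.group("path"))
        cat, tech = classify(path, m.group("op").startswith("Set value"), value)
        findings.append(Finding(cat, tech, path, value))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_IOCS):
        tail = f' = "{f.value}"' if f.value is not None else ""
        print(f"{f.category:16} {f.technique or '-':9} {f.path}{tail}")
```

Two of the five lines classify as Explorer tampering, one as the Run-key value (the real persistence indicator, carrying the normalised path HKCU\SOFTWARE\...\Run\SunJava and the unescaped target path), one as the Run key being created, and the _Classes\Local Settings entry as noise. Because HideFileExt = 1 and ShowSuperHidden = 0 are default values, the script flags them only in the exact "re-assert the default" form seen here; a rule that instead alerts on any write to Explorer\Advanced would fire on every user who toggles the setting.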
Processes
(indentation shows parent/child; PIDs and command lines as reported)

C:\Users\Admin\AppData\Local\Temp\73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe  PID 4248
    command: "C:\Users\Admin\AppData\Local\Temp\73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe"
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Sunjava\SunJava.exe  PID 1852
        command: C:\Users\Admin\AppData\Roaming\Sunjava\SunJava.exe
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\makecab.exe  PID 1244
            command: makecab "C:\Users\Admin\AppData\Roaming\signons.sqlite" "C:\Users\Admin\AppData\Roaming\sig.cab"
        C:\Windows\SysWOW64\cmd.exe  PID 4204
            command: C:\Windows\system32\cmd.exe /c "dir C:\ /a"
        C:\Windows\SysWOW64\regedit.exe  PID 3868
            command: regedit /e "C:\Users\Admin\AppData\Local\Temp\XZIOFAVD___Admin__Screen__10-21-07IE.reg" "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2\"
            - Runs .reg file with regedit
    C:\Windows\SysWOW64\explorer.exe  PID 3708
        command: explorer C:\Users\Admin\AppData\Local\Temp\73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.jpg

C:\Windows\explorer.exe  PID 4596
    command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\mspaint.exe  PID 4408
        command: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.jpg" /ForceBootstrapPaint3D
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx

C:\Windows\System32\svchost.exe  PID 4288
    command: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
    - Drops file in System32 directory

C:\Windows\system32\OpenWith.exe  PID 4336
    command: C:\Windows\system32\OpenWith.exe -Embedding
    - Suspicious use of SetWindowsHookEx

Reading the tree: the sample is a 32-bit executable (its children come from SysWOW64). It drops a copy of itself as %APPDATA%\Sunjava\SunJava.exe (the 110KB file under Downloads carries the sample's own hashes), registers that copy under HKCU\...\Run, launches it, and opens a same-named 1.2MB .jpg decoy through explorer; the shell routes that to the COM-activated explorer.exe (PID 4596), which displays the image in mspaint.exe. The dropped copy does the collection work: it packs Firefox's signons.sqlite into sig.cab with makecab, lists the root of C: including hidden entries (dir /a), and exports Internet Explorer's IntelliForms\Storage2 key to a .reg file in %TEMP% whose name embeds the user name. The svchost.exe (DsSvc) and OpenWith.exe roots are operating-system activity, not the sample's.
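The collection steps in the process list above (makecab over signons.sqlite, regedit /e against IntelliForms\Storage2, and the dir C:\ /a enumeration) are what an endpoint detection should key on, since none of them needs the sample's code and all of them are living-off-the-land binaries. The following is an added example, not code from tria.ge or from the sample: it runs a small set of command-line rules over process-creation events constructed from this report's process list, ties each hit to its parent image, and raises severity when the parent runs from a user-profile directory, which is where the dropped copy lives. The event layout, rule names and the benign control event are my own; the facts it relies on are that signons.sqlite, key3.db/key4.db and logins.json are Firefox credential stores, "Login Data" and "Web Data" are Chromium ones, and IntelliForms\Storage2 is where Internet Explorer keeps saved form and password entries.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Constructed process-creation events mirroring the sample's subtree in the
# process list (images, PIDs and command lines copied from the report; the
# dict shape is my own, not tria.ge's). The last event is a benign control.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe"
EVENTS = [
    {"pid": 4248, "ppid": None, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"pid": 1852, "ppid": 4248, "image": r"C:\Users\Admin\AppData\Roaming\Sunjava\SunJava.exe",
     "cmd": r"C:\Users\Admin\AppData\Roaming\Sunjava\SunJava.exe"},
    {"pid": 1244, "ppid": 1852, "image": r"C:\Windows\SysWOW64\makecab.exe",
     "cmd": r'makecab "C:\Users\Admin\AppData\Roaming\signons.sqlite" "C:\Users\Admin\AppData\Roaming\sig.cab"'},
    {"pid": 4204, "ppid": 1852, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /c "dir C:\ /a"'},
    {"pid": 3868, "ppid": 1852, "image": r"C:\Windows\SysWOW64\regedit.exe",
     "cmd": r'regedit /e "C:\Users\Admin\AppData\Local\Temp\XZIOFAVD___Admin__Screen__10-21-07IE.reg" "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2\"'},
    {"pid": 3708, "ppid": 4248, "image": r"C:\Windows\SysWOW64\explorer.exe",
     "cmd": "explorer " + SAMPLE[:-4] + ".jpg"},
    # Benign control (constructed): an admin exporting an unrelated key must not fire.
    {"pid": 5000, "ppid": 4000, "image": r"C:\Windows\regedit.exe",
     "cmd": r'regedit /e C:\backup\print.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Print"'},
]

# Browser credential/cookie store file names (Firefox and Chromium families).
CRED_STORES = ("signons.sqlite", "key3.db", "key4.db", "logins.json",
               "login data", "cookies.sqlite", "web data")
BROWSERS = ("firefox.exe", "chrome.exe", "msedge.exe")

# (rule name, required image name, command-line regex, base severity)
RULES = [
    ("ie_intelliforms_export", "regedit.exe",
     re.compile(r"/e\b.*intelliforms\\storage2", re.I), "high"),
    ("fs_discovery", "cmd.exe",
     re.compile(r"\bdir\b.*\s/a\b", re.I), "low"),
]


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def detect(events: List[Dict]) -> List[Dict]:
    """Return one alert per (process, rule) hit, enriched with the parent image."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name, cmd = image_name(e["image"]), e["cmd"]
        hits = []
        # Any non-browser process naming a browser credential store on its command line.
        if name not in BROWSERS and any(s in cmd.lower() for s in CRED_STORES):
            hits.append(("browser_cred_store_access", "medium"))
        for rule, img, rx, sev in RULES:
            if name == img and rx.search(cmd):
                hits.append((rule, sev))
        if not hits:
            continue
        parent: Optional[Dict] = by_pid.get(e["ppid"])
        parent_image = parent["image"] if parent else None
        # Escalate when the parent runs from a user-writable profile directory,
        # as the dropped SunJava.exe does; system binaries spawned by an
        # installer under Program Files keep their base severity.
        from_profile = parent_image is not None and "\\appdata\\" in parent_image.lower()
        for rule, sev in hits:
            alerts.append({"pid": e["pid"], "rule": rule, "image": e["image"],
                           "parent_image": parent_image,
                           "severity": "high" if from_profile else sev})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"[{a['severity']}] pid {a['pid']} {a['rule']}: {a['image']} <- {a['parent_image']}")
```

On the constructed events this yields exactly three alerts, all for children of PID 1852 and all escalated to high because the parent lives under AppData\Roaming; the control export of HKLM\SOFTWARE\Microsoft\Print is ignored because the IntelliForms rule matches the key, not merely the use of regedit /e. The dir /a rule is deliberately low severity on its own: it is ordinary administrator activity and only becomes interesting through the parent-process context.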
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.jpg
Filesize: 1.2MB
MD5: 04ee3f40f19c1d1ff3a105d9d9b3a425
SHA1: a2d69f21f7a349c9297f955d65cc0a7270ac2ea4
SHA256: 206de912b6a81a54aaf5376e7e45ec9de5db68860596e41796757cf91b909c80
SHA512: fe4650d5221e5799f1365dc2a5f9664002da569f86ca51d9076b720eb602440de386ba6ce18d1824a85870ea3b80a490618890ce3f1b966fed16c7f8fe9bc980

(file name not given in the report; this entry appears twice with identical hashes, which are also the submitted sample's, so the dropped executable SunJava.exe is a byte-for-byte copy of the sample)
Filesize: 110KB
MD5: 877996da419cb48838d9769b24f6016c
SHA1: 1bd1a5ef7668b1a26eaa0c96c3ad7140428b9597
SHA256: 73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46
SHA512: d4752f4e250f7ffae3fcd77e6cfadcd5b5360f1e02618cb285b6d73fef8c580911b211fd09b33b0da5141d3d1c8f3d7923163b68955679cebfacbdb521b838d3

(file name not given in the report)
Filesize: 75B
MD5: 301a095ccbd67a5b228517e1eeab8a68
SHA1: 7c2d91b8a59398957325153a4d1dfd5dcebe81a0
SHA256: e54beebd083043c6a7a1a0a8029b50f3cded2a2833123d457a948204a959248a
SHA512: f36a3073b1d6df2a941408138b6793bc27d0b75d1fc02afea3d274532828d6882ccf64909de3fd4a47f5e3198d6ade5a1aa7f2e05367a5ddca6d889f2724a675