Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/10/2022, 06:15

General

  • Target

    1d76f93140ab02b606738bf6a2c93d234e9807d2b471f0f8e61c4217e6a47354.exe

  • Size

    427KB

  • MD5

    9306620146bd6c6fc0b120b4fdd96030

  • SHA1

    f6ac490901ac67c36c0bee01069bb33f3d598cb7

  • SHA256

    1d76f93140ab02b606738bf6a2c93d234e9807d2b471f0f8e61c4217e6a47354

  • SHA512

    aeef77ad6afc1018bcfcfc315e7489cc87cfaf092e0ff3d8bfdc34bb43f4c579adf145f7fd0d429b723f40eabe19ae7e1078aa2fdb998c6b95a12f188b69df12

  • SSDEEP

    1536:Y44SJs5DY6oDAFfdCm3BGwV6bPkxnbNnhd5bsqk6XmChI6HpwKAK:Y41JGY6oUFfdCm1ASJhPNFmF2WK

Signatures

  • Modifies firewall policy service 2 TTPs 14 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 3 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 15 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 24 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d76f93140ab02b606738bf6a2c93d234e9807d2b471f0f8e61c4217e6a47354.exe
    "C:\Users\Admin\AppData\Local\Temp\1d76f93140ab02b606738bf6a2c93d234e9807d2b471f0f8e61c4217e6a47354.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Users\Admin\AppData\Local\Temp\1d76f93140ab02b606738bf6a2c93d234e9807d2b471f0f8e61c4217e6a47354.exe
      C:\Users\Admin\AppData\Local\Temp\1d76f93140ab02b606738bf6a2c93d234e9807d2b471f0f8e61c4217e6a47354.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1460
      • C:\Users\Admin\E696D64614\winlogon.exe
        "C:\Users\Admin\E696D64614\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1596
        • C:\Users\Admin\E696D64614\winlogon.exe
          C:\Users\Admin\E696D64614\winlogon.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Modifies system certificate store
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1640
          • C:\Users\Admin\E696D64614\winlogon.exe
            "C:\Users\Admin\E696D64614\winlogon.exe"
            5⤵
            • Modifies firewall policy service
            • Modifies security service
            • Modifies visibility of file extensions in Explorer
            • Modifies visibility of hidden/system files in Explorer
            • UAC bypass
            • Windows security bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Sets file execution options in registry
            • Drops startup file
            • Windows security modification
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            • Modifies registry class
            • Modifies system certificate store
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • System policy modification
            PID:1928
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:1696
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2044 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1616
