Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    45s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    25/11/2022, 09:30

Errors

Reason
Machine shutdown

General

  • Target

    ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe

  • Size

    625KB

  • MD5

    75758ea1bddf91e249edf6387adbd794

  • SHA1

    06c1256c9d5f8305a8b34580a4963b4fdf86377c

  • SHA256

    ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2

  • SHA512

    f53a9f02a46c73fb3d775e8fb73ae135097849e95448100cd87fbfeda91a4f8409231f8ee096512eedf3a6e49ed212b1a29eb493cd487b508fc20ff6d7acce1e

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Sets file execution options in registry 2 TTPs 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Modifies data under HKEY_USERS 37 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe
    "C:\Users\Admin\AppData\Local\Temp\ed80f23ce087e4141e31f7cc278932effeda192da2afa076ee03de28ffa058f2.exe"
    1⤵
    • Adds policy Run key to start application
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:1388
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:1520
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x504
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1736
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:1112
      • C:\Windows\system32\gpscript.exe
        gpscript.exe /Shutdown
        1⤵
        • Loads dropped DLL
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:316
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\bdp0iEqE.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\bdp0iEqE.exe" 1
          2⤵
          • Executes dropped EXE
          • Sets file execution options in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:1744

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\bdp0iEqE.exe

        Filesize

        819KB

        MD5

        3f059ad7f45b8e21153feaa5b1344562

        SHA1

        64d5a89f21779b1016f16a2e8f114cfbeeee565a

        SHA256

        08444d93daf531f559a371d2d3604d558752f05f12e772127fbdb83056118079

        SHA512

        30ebd0297e05c1fa00b90ef3aae5290bb49fbaa837e8906e123ab45f912c4c6021d59236596710ac33586697f62cfb3d55da449af448eb42e3f5f7f877fb9cc1

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\bdp0iEqE.exe

        Filesize

        819KB

        MD5

        3f059ad7f45b8e21153feaa5b1344562

        SHA1

        64d5a89f21779b1016f16a2e8f114cfbeeee565a

        SHA256

        08444d93daf531f559a371d2d3604d558752f05f12e772127fbdb83056118079

        SHA512

        30ebd0297e05c1fa00b90ef3aae5290bb49fbaa837e8906e123ab45f912c4c6021d59236596710ac33586697f62cfb3d55da449af448eb42e3f5f7f877fb9cc1

      • \Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\bdp0iEqE.exe

        Filesize

        819KB

        MD5

        3f059ad7f45b8e21153feaa5b1344562

        SHA1

        64d5a89f21779b1016f16a2e8f114cfbeeee565a

        SHA256

        08444d93daf531f559a371d2d3604d558752f05f12e772127fbdb83056118079

        SHA512

        30ebd0297e05c1fa00b90ef3aae5290bb49fbaa837e8906e123ab45f912c4c6021d59236596710ac33586697f62cfb3d55da449af448eb42e3f5f7f877fb9cc1

      • \Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\bdp0iEqE.exe

        Filesize

        819KB

        MD5

        3f059ad7f45b8e21153feaa5b1344562

        SHA1

        64d5a89f21779b1016f16a2e8f114cfbeeee565a

        SHA256

        08444d93daf531f559a371d2d3604d558752f05f12e772127fbdb83056118079

        SHA512

        30ebd0297e05c1fa00b90ef3aae5290bb49fbaa837e8906e123ab45f912c4c6021d59236596710ac33586697f62cfb3d55da449af448eb42e3f5f7f877fb9cc1

      • memory/1388-54-0x0000000000400000-0x000000000042D000-memory.dmp

        Filesize

        180KB

      • memory/1388-56-0x0000000000400000-0x000000000042D000-memory.dmp

        Filesize

        180KB

      • memory/1520-55-0x000007FEFBF81000-0x000007FEFBF83000-memory.dmp

        Filesize

        8KB

      • memory/1744-64-0x0000000000400000-0x000000000042D000-memory.dmp

        Filesize

        180KB