Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    06/12/2022, 11:21

General

  • Target

    d6c964b9b126170d97d39c6fa7238f7324ce9d7ce7f3efc77da52939d0a225dd.exe

  • Size

    63KB

  • MD5

    c3c53916127596d5abee5060223f5f44

  • SHA1

    fed6c564dc6622c6eac2e892b63065449fe765be

  • SHA256

    d6c964b9b126170d97d39c6fa7238f7324ce9d7ce7f3efc77da52939d0a225dd

  • SHA512

    05d8e1c70d6f9bafe6bdbc5c0bc34ead8614a10f6174a5dec65b7ace335022a0cff0c8c2093d699ba579783ab79736ae072e47d99d4699c05a49e002db3c24b3

  • SSDEEP

    1536:/rBK8fy+YY3rNSxCdax1FcCgEO4WErcGhxFKDMOOa7nouy8j:/rBK8fxYY3QxCdax/77OIrthxFK5jouV

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 14 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 3 IoCs
  • Windows security bypass 2 TTPs 4 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 15 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 57 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d6c964b9b126170d97d39c6fa7238f7324ce9d7ce7f3efc77da52939d0a225dd.exe
    "C:\Users\Admin\AppData\Local\Temp\d6c964b9b126170d97d39c6fa7238f7324ce9d7ce7f3efc77da52939d0a225dd.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Users\Admin\E696D64614\winlogon.exe
      "C:\Users\Admin\E696D64614\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1624
      • C:\Users\Admin\E696D64614\winlogon.exe
        "C:\Users\Admin\E696D64614\winlogon.exe"
        3⤵
        • Modifies firewall policy service
        • Modifies security service
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Sets file execution options in registry
        • Windows security modification
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:320
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1340
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1340 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1728

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F

    Filesize

    7KB

    MD5

    128b756d3be59fd846a3a972b84b8fd1

    SHA1

    c1250b6e8cf32a2be6f3aefff7134a9ebd9ad664

    SHA256

    1885e5d1a69fc5b29df5095824f3b73c2fe27cac566797b0a5e502c1b6489432

    SHA512

    800c8eb3c547eee8bf4a963e2f525daacd387c171014453f640715ad964697b6375e2e70cccfda4f30397fb585fdab55ec739a311fb1f036182222c44fddf237

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F

    Filesize

    232B

    MD5

    dee4a836c1c7d191c2f3620be312c245

    SHA1

    de9046a112016175b1ab1952ef5f24da58655c42

    SHA256

    ab44b85864bbb9a0681a45363ba1f59083d45f8ef4211a0316d135c00ac0fbef

    SHA512

    6095d69c1c0004499cd85da2c4d4be743bdd1f25fe7347cea058d12250a94594cbc3bba88c392817ee2fd3e55a4c1b37e7d5f5feacb15146dd1afd6f4ea0dad3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    340B

    MD5

    91cac0a2d35159b22a3bb15f88527e29

    SHA1

    e517cd2e4a6e8ba3a0773426b026bfbf44f8de61

    SHA256

    f03296906209d831fce29811667f7e0b010c5cea1516408871edd1d37be64500

    SHA512

    1969fc29879ba54bc85eeb4cf66f83c9afb49c3ce1dacecd803b79f252610fdc6d581f761cf400db5ac53501bad7d15ef8cb1b457795adf79beb674d17038926

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\12D21C2Q.txt

    Filesize

    608B

    MD5

    895f35efbb6d92f8dd4c1013a07a007f

    SHA1

    a93efd20ef12fc324f397451bf19b0b1b3610bdf

    SHA256

    136d2be6b405f315a0620ce95844b4a7e5ab0d92305e802386e05924fc7ad4ca

    SHA512

    d21b0c183bec7776e7818591582a8993784001436f87873e84abad8a7e1ffbfb3d5f2e17a35f903f8a8bdba17d204986ce9ac83c18bd2c7ae6791d290836be38

  • C:\Users\Admin\E696D64614\winlogon.exe

    Filesize

    63KB

    MD5

    c3c53916127596d5abee5060223f5f44

    SHA1

    fed6c564dc6622c6eac2e892b63065449fe765be

    SHA256

    d6c964b9b126170d97d39c6fa7238f7324ce9d7ce7f3efc77da52939d0a225dd

    SHA512

    05d8e1c70d6f9bafe6bdbc5c0bc34ead8614a10f6174a5dec65b7ace335022a0cff0c8c2093d699ba579783ab79736ae072e47d99d4699c05a49e002db3c24b3

  • C:\Users\Admin\E696D64614\winlogon.exe

    Filesize

    63KB

    MD5

    c3c53916127596d5abee5060223f5f44

    SHA1

    fed6c564dc6622c6eac2e892b63065449fe765be

    SHA256

    d6c964b9b126170d97d39c6fa7238f7324ce9d7ce7f3efc77da52939d0a225dd

    SHA512

    05d8e1c70d6f9bafe6bdbc5c0bc34ead8614a10f6174a5dec65b7ace335022a0cff0c8c2093d699ba579783ab79736ae072e47d99d4699c05a49e002db3c24b3

  • C:\Users\Admin\E696D64614\winlogon.exe

    Filesize

    63KB

    MD5

    c3c53916127596d5abee5060223f5f44

    SHA1

    fed6c564dc6622c6eac2e892b63065449fe765be

    SHA256

    d6c964b9b126170d97d39c6fa7238f7324ce9d7ce7f3efc77da52939d0a225dd

    SHA512

    05d8e1c70d6f9bafe6bdbc5c0bc34ead8614a10f6174a5dec65b7ace335022a0cff0c8c2093d699ba579783ab79736ae072e47d99d4699c05a49e002db3c24b3

  • \Users\Admin\E696D64614\winlogon.exe

    Filesize

    63KB

    MD5

    c3c53916127596d5abee5060223f5f44

    SHA1

    fed6c564dc6622c6eac2e892b63065449fe765be

    SHA256

    d6c964b9b126170d97d39c6fa7238f7324ce9d7ce7f3efc77da52939d0a225dd

    SHA512

    05d8e1c70d6f9bafe6bdbc5c0bc34ead8614a10f6174a5dec65b7ace335022a0cff0c8c2093d699ba579783ab79736ae072e47d99d4699c05a49e002db3c24b3

  • \Users\Admin\E696D64614\winlogon.exe

    Filesize

    63KB

    MD5

    c3c53916127596d5abee5060223f5f44

    SHA1

    fed6c564dc6622c6eac2e892b63065449fe765be

    SHA256

    d6c964b9b126170d97d39c6fa7238f7324ce9d7ce7f3efc77da52939d0a225dd

    SHA512

    05d8e1c70d6f9bafe6bdbc5c0bc34ead8614a10f6174a5dec65b7ace335022a0cff0c8c2093d699ba579783ab79736ae072e47d99d4699c05a49e002db3c24b3

  • memory/320-78-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/320-68-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/320-72-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/320-73-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/320-77-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/320-80-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/1624-79-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/1624-65-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/2000-56-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/2000-62-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/2000-57-0x0000000075501000-0x0000000075503000-memory.dmp

    Filesize

    8KB