Analysis
max time kernel: 114s
max time network: 156s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 05/02/2023, 00:45

Static task: static1
Behavioral task: behavioral1
  Sample: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
  Resource: win10v2004-20221111-en

Only the behavioral1 run (Windows 7 x64) is reported on this page; every IoC resource path below is prefixed behavioral1, and no behavioral2 (Windows 10) results appear here.
General
Target: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size: 3.6MB
MD5: 36fd273ea7607d3a203f257f4e2649ed
SHA1: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256: 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512: cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP: 98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh
Malware Config
Extracted: aurora
  C2: 45.9.74.11:8081
Signatures

Detect PureCrypter injector (1 IoC)
  resource: behavioral1/memory/844-66-0x0000000006460000-0x0000000006800000-memory.dmp
  yara_rule: family_purecrypter
  The matched region belongs to PID 844, the C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe instance in the process tree.
PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.

Executes dropped EXE (3 IoCs)
  pid   Process
  1432  voiceadequovl.exe
  844   voiceadequovl.exe
  1704  voiceadequovl.exe

Loads dropped DLL (4 IoCs)
  pid   Process
  1432  voiceadequovl.exe  (recorded four times: four dropped DLLs loaded by this one PID)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  (process: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe)
  Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce  (process: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe)
  Caveat: the wextract_cleanup0 RunOnce entry is the stock cleanup hook written by the Windows IExpress/WExtract self-extractor (the IXP000.TMP extraction directory is the other tell-tale). It calls advpack.dll's DelNodeRunDLL32 to delete that temp directory at next logon and does not relaunch anything, so this signature does not establish persistence for the payload. The relocated copy at C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe is where persistence would have to be looked for; this report records no Run or RunOnce value pointing at it.
Suspicious use of SetThreadContext (1 IoC)
  description                         pid  Process            procid_target
  PID 844 set thread context of 1704  844  voiceadequovl.exe  35
  PID 844 and PID 1704 are both C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe (see the process tree). A process rewriting the thread context of a freshly spawned copy of itself, after the 12 WriteProcessMemory calls recorded for the same pair below, is the process-hollowing pattern. The PureCrypter YARA hit is on PID 844's memory, so PID 1704 is most likely where the unpacked Aurora stage runs; it is also the process that goes on to fingerprint the host via WMIC.
Enumerates physical storage devices (1 TTP)
  Triage's stock description for this signature: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour."
  Caveat: the "ransomware" wording is the heuristic's generic text, not a finding about this sample. No file-encryption or ransom-note artefacts appear anywhere in this report, and the extracted config is an Aurora information-stealer C2. Read the drive enumeration alongside the wmic OS, CPU and GPU queries in the process tree: host fingerprinting by a stealer.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1476  powershell.exe
  1012  powershell.exe

Suspicious use of AdjustPrivilegeToken (43 IoCs)
  pid   Process            Token(s)
  844   voiceadequovl.exe  SeDebugPrivilege
  1476  powershell.exe     SeDebugPrivilege
  1012  powershell.exe     SeDebugPrivilege
  812   wmic.exe           SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35  (this set of 20 is recorded twice, 40 entries)
  The wmic.exe block is the privilege set WMIC enables on every start and is not an indicator by itself; SeDebugPrivilege in voiceadequovl.exe (PID 844), the process that goes on to call WriteProcessMemory and SetThreadContext, is the entry worth noting.

Suspicious use of WriteProcessMemory (36 IoCs)
  writer pid  Process                                       target pid  procid_target  writes
  1792        5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe  1432        28             4
  1432        voiceadequovl.exe                             844         29             4
  844         voiceadequovl.exe                             1476        30             4
  844         voiceadequovl.exe                             872         32             4
  872         cmd.exe                                       1012        34             4
  844         voiceadequovl.exe                             1704        35             12
  1704        voiceadequovl.exe                             812         36             4
  Every ordinary parent-to-child launch is recorded with 4 writes; only 844 -> 1704, the pair that also carries the SetThreadContext event, stands out with 12.
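The writer/target rows above are the raw material for spotting injection among ordinary process launches. The Python below is an added example, not part of the Triage report or of the sample: it parses rows in the report's own layout, counts writes per (writer, target) pair and joins them with the SetThreadContext row. REPORT_ROWS reproduces the report's rows (each row appears once per recorded call, hence the multipliers), IMAGE_OF is transcribed from the process tree further down, and the baseline heuristic (flag a pair whose write count exceeds the modal count every plain CreateProcess child received, or that is followed by SetThreadContext) is this example's own choice, as is treating "same image name" as corroboration only.

```python
"""Reconstruct cross-process write chains from Triage IoC rows and rank
injection candidates.

Added example, not part of the Triage report or the malware. REPORT_ROWS
reproduces the report's "Suspicious use of WriteProcessMemory" and
"SetThreadContext" rows; IMAGE_OF is transcribed from its process tree.
The baseline heuristic is this example's own.
"""
import re
from collections import Counter

# Triage row layout: "PID <writer> <action> <target> <pid> <Process> <procid_target>",
# where procid_target is Triage's internal process index, not a Windows PID.
REPORT_ROWS = (
    ["PID 1792 wrote to memory of 1432 1792 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe 28"] * 4
    + ["PID 1432 wrote to memory of 844 1432 voiceadequovl.exe 29"] * 4
    + ["PID 844 wrote to memory of 1476 844 voiceadequovl.exe 30"] * 4
    + ["PID 844 wrote to memory of 872 844 voiceadequovl.exe 32"] * 4
    + ["PID 872 wrote to memory of 1012 872 cmd.exe 34"] * 4
    + ["PID 844 wrote to memory of 1704 844 voiceadequovl.exe 35"] * 12
    + ["PID 1704 wrote to memory of 812 1704 voiceadequovl.exe 36"] * 4
    + ["PID 844 set thread context of 1704 844 voiceadequovl.exe 35"]
)

# PID -> image name, transcribed from the report's process tree.
IMAGE_OF = {
    1792: "5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe",
    1432: "voiceadequovl.exe",
    844: "voiceadequovl.exe",
    1476: "powershell.exe",
    872: "cmd.exe",
    1012: "powershell.exe",
    1704: "voiceadequovl.exe",
    812: "wmic.exe",
}

ROW = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) (\d+) (\S+) (\d+)$"
)


def parse_rows(rows: list[str]) -> list[tuple[int, str, int]]:
    """Parse Triage rows into (writer_pid, action, target_pid) tuples."""
    events = []
    for row in rows:
        m = ROW.match(row.strip())
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        writer, action, target, pid, _image, _procid = m.groups()
        if writer != pid:  # the description and the pid column must agree
            raise ValueError(f"writer/pid mismatch in row: {row!r}")
        events.append((int(writer), action, int(target)))
    return events


def injection_candidates(events, image_of):
    """Flag (writer, target) pairs that look like injection rather than a plain launch.

    Every ordinary parent->child launch in the report shows the same small number
    of writes; that modal count is the baseline. A pair is flagged when it exceeds
    the baseline or is followed by SetThreadContext. A target that is a copy of
    the writer's image only corroborates an existing flag: a dropper launching its
    relocated copy (1432 -> 844 here) is not injection on its own.
    """
    writes = Counter((w, t) for w, a, t in events if a == "wrote to memory of")
    ctx_pairs = {(w, t) for w, a, t in events if a == "set thread context of"}
    baseline = Counter(writes.values()).most_common(1)[0][0]
    findings = []
    for (writer, target), n in sorted(writes.items()):
        reasons = []
        if n > baseline:
            reasons.append(f"{n} writes vs. baseline of {baseline}")
        if (writer, target) in ctx_pairs:
            reasons.append("SetThreadContext on target")
        if reasons and image_of.get(writer) == image_of.get(target):
            reasons.append("target is a fresh copy of the writer's own image (hollowing pattern)")
        if reasons:
            findings.append(((writer, target), reasons))
    return findings


if __name__ == "__main__":
    for pair, why in injection_candidates(parse_rows(REPORT_ROWS), IMAGE_OF):
        print(pair, "->", "; ".join(why))
```

Run against the report's rows it flags exactly one pair, 844 -> 1704, on all three grounds. The baseline is computed from the data rather than hard-coded because the number of writes a sandbox records for a plain CreateProcess varies between sandbox versions and OS images.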
Processes

1. C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe  (PID 1792)
   cmdline: "C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe  (PID 1432)
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe  (PID 844)
         cmdline: "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1476)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
            decoded -ENC (base64 of UTF-16LE): start-sleep -seconds 35
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\SysWOW64\cmd.exe  (PID 872)
            cmdline: "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1012)
               cmdline: powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
               decoded -ENC (base64 of UTF-16LE): set-mppreference -exclusionpath C:\
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
         4. C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe  (PID 1704)
            cmdline: C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\Wbem\wmic.exe  (PID 812)
               cmdline: wmic os get Caption
               - Suspicious use of AdjustPrivilegeToken
            5. C:\Windows\SysWOW64\cmd.exe  (PID 608)
               cmdline: cmd /C "wmic path win32_VideoController get name"
               6. C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 1940)
                  cmdline: wmic path win32_VideoController get name
            5. C:\Windows\SysWOW64\cmd.exe  (PID 336)
               cmdline: cmd /C "wmic cpu get name"
               6. C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 1220)
                  cmdline: wmic cpu get name

Notes on the tree:
- The image paths under C:\Windows\SysWOW64\ against command lines that name C:\Windows\System32\ are WoW64 file-system redirection: the voiceadequovl.exe parent is a 32-bit process on this x64 image, so its children resolve to the 32-bit system binaries.
- The two -ENC payloads decode (base64, then UTF-16LE) to a 35-second sleep and a Windows Defender exclusion for the entire C:\ drive (Set-MpPreference -ExclusionPath C:\). The procid_target sequence in the WriteProcessMemory table (30, 32, 34, then 35) places both before the spawn of PID 1704; the exclusion is run through an extra cmd.exe /c hop.
- PIDs 812, 1940 and 1220 collect the OS caption, GPU name and CPU name via WMIC. That is host fingerprinting by the final stage (PID 1704), consistent with the Aurora stealer config extracted above, not ransomware activity.
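Both PowerShell children in the tree carry -ENC payloads. The switch takes base64 over the UTF-16LE encoding of the script, not UTF-8, which is why a naive base64 decode shows NUL-interleaved text. The Python below is an added example, not part of the report or of the sample: the three command lines are copied from the process tree above; the regex for the accepted switch prefixes and the flagging rules (names included) are this example's own.

```python
"""Decode and classify PowerShell -EncodedCommand arguments from a process tree.

Added example, not part of the Triage report or of the malware. The three
command lines in REPORT_CMDLINES are copied from the report's process tree;
the function names and the flagging rules are this example's own.
"""
import base64
import re

# Input copied from the report (PIDs 1476, 872 and 1012).
REPORT_CMDLINES = [
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -ENC '
    'cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==',
    '"C:\\Windows\\System32\\cmd.exe" /c powershell -ENC '
    'cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==',
    'powershell -ENC '
    'cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==',
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, so match the
# common spellings rather than only the full switch name.
ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)"
)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand is base64 over the UTF-16LE bytes of the script."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) % 2:
        raise ValueError("not a UTF-16LE payload (odd byte length)")
    return raw.decode("utf-16-le")


def extract_encoded_commands(cmdline: str) -> list[str]:
    """Return every decoded -ENC payload found in one command line."""
    return [decode_encoded_command(m) for m in ENC_FLAG.findall(cmdline)]


# Flagging rules; the names are this example's own choice.
RULES = {
    "defender_exclusion": re.compile(r"(?i)\bset-mppreference\b.*-exclusion"),
    "defender_disable": re.compile(r"(?i)\bset-mppreference\b.*-disable"),
    "sleep_evasion": re.compile(r"(?i)\bstart-sleep\b"),
}


def classify(script: str) -> list[str]:
    """Names of the rules that match a decoded script, sorted for stable output."""
    return sorted(name for name, rx in RULES.items() if rx.search(script))


def triage(cmdlines: list[str]) -> list[tuple[str, list[str]]]:
    """Decode and classify every -ENC payload across a list of command lines."""
    return [
        (script, classify(script))
        for cmdline in cmdlines
        for script in extract_encoded_commands(cmdline)
    ]


if __name__ == "__main__":
    for script, tags in triage(REPORT_CMDLINES):
        print(f"{script!r:45} -> {', '.join(tags) or 'no rule hit'}")
```

The cmd.exe /c wrapper around the second PowerShell does not hide anything from this approach, since the -ENC token is matched wherever it sits in the command line; on a real endpoint the same decoder applies to Sysmon event 1 or Security 4688 command lines.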
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 365.5MB  (this entry appears twice in the report with identical hashes)
  MD5: ba50f2bca86ba947a8d2035bb9b35123
  SHA1: a542b5c5d41174dc2475a219978123b7d14f958f
  SHA256: 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5
  SHA512: 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: df5b8bb1bbb97a60b1e68d2122f61f33
  SHA1: 1853e1bd23611e341b9295d578f2d2ab7dcadc2d
  SHA256: f7872c5495856b9fcfdd577e06d04d9fb3cf4ecbd538f8a4e5ee045ed91c6062
  SHA512: 673ad195cc86fc5cd9f726925bad48b770a14a0ace55ab36f3d2de6f38ce778e220ac815fafa14cdb44538ee96cef94d543da98e7bc27431bb1ee44df818aca6
- Filesize: 263.4MB
  MD5: c26c1b256f0c886deb8bf4dc16c037bc
  SHA1: 8035226c9e66de18b136945d5e0e7df8f24febbb
  SHA256: ee4e4285238f761eacb5905ef1a4d621bcef5baf33c92234a763db4ab78a22cd
  SHA512: bd49034b601eed72882a8b5342db8af1be85c2714acb9a3af40167c27914f13e2181f5ed4eeaaa5b44950d436cd8d37947242615a6803f340b2650be5fc25ff5
- Filesize: 266.6MB
  MD5: 67facaca45c9360c98d1dffdb30dcce3
  SHA1: 79067980293e9c5d345a857c8b30b7487a3c5030
  SHA256: dd2053cee41a295ed3f32d66c84307291e092fb7c736413be4f50f8b9520cc1f
  SHA512: b474089a76587bbe64e76a6f429fbfc96b94dcdf0c505b53fc91dfe70dba0cdf1e9070b33cc5fd8cec7dcac7a7370e2641063bb38ef244c54670fe0aede4fd76
- Filesize: 118.4MB
  MD5: 0a23b4ee6441468c80ce052882ec4252
  SHA1: e4236b36e5053f3b3f19f3a2465a287dbd73129d
  SHA256: 4e8e8b5310babe2f64ed537edb9da38020af3432154a954922525bea2fce43d8
  SHA512: 7f86951ffe70cee083c042bc41c0c69d65f9e0d4617960b9fd68b368b79cea98a6b7bbefc7b79ab7cd4aa3b3233b624742f3e3c2d0a3e947f0daf7b068f14947
- Filesize: 265.8MB
  MD5: 3eb7eb351b6a9cdd68ba6d2afaf31295
  SHA1: 2f2fb4da1f06bace90b435019da9811cbc8cc71c
  SHA256: c58f2acdae34b4827f91e8ea31bded8bb13cc93ed59a26a3f1ac8999a6b2be2d
  SHA512: 3b4e7a091baa7d25399ed5b2c3e72ba79c9c11fd9d9e831c703cc2f2e58d647019b7e0ba31d3255ea97d360d970c3db403e30617f199a1010297ec026d0d411b
- Filesize: 265.2MB
  MD5: 76bff958d8297a99ec1a78217477da42
  SHA1: 4e1e0b394b08bdd905b7ab594f5f63651128657b
  SHA256: 8a3a1fe0dc57521b9696126708a99132837f0eeda47f23f9ea7c4f485d1a4483
  SHA512: b6432c6671ef86375a981f16a3a398bf1aabb04a7e1c725fddd77acb644a0637f67bf4c91dc70a1e0a6388d4660bfeb827118fc3ab6aa23423e4155d64b28415
- Filesize: 258.9MB
  MD5: 64d7c1c3b58492311446c15b9d5e979e
  SHA1: cfd1b1ddb49159d073ef204c4b3ab402f6f23472
  SHA256: 15f1949df5aed468ae63c5e53fde356f75a2927801f7760f820e8e4898ecdba4
  SHA512: 2d35a50b38102f3de62cc5e79a2adad867c97e2956d7c47f63e13fb7461c84dafc72dbddc7465d4a50cd8f30fa21ff4963911a5939da468a0853febb3454ac41
- Filesize: 261.1MB
  MD5: 830aed7062a4fc8cc82db090aeb8e58c
  SHA1: 2fcc23a6b89739989cacfd064dce6c08bc3e7fda
  SHA256: c6dc34be88d041bb56bdc3229bb3d3286f62fc8fca6cf351599a31c3fcad57f2
  SHA512: 3dad4e972e55563e50311c756a0eee6e8c0fc1478dc0d3c89ec62315da9e3100013d857b1cb3bdaca272d7e1b4f0073ddd6c83c4576d4854900c531c27275de2