Analysis
  max time kernel: 131s
  max time network: 146s
  platform: windows7_x64
  resource: win7-20220812-en
  resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted: 05/02/2023, 01:22
Static task: static1
Behavioral task: behavioral1
  Sample: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
  Resource: win10v2004-20220812-en
General
  Target: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
  Size: 3.6MB
  MD5: 36fd273ea7607d3a203f257f4e2649ed
  SHA1: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48
  SHA256: 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
  SHA512: cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
  SSDEEP: 98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh
Malware Config
  Extracted family: aurora
  Address: 45.9.74.11:8081
Signatures

Detect PureCrypter injector (1 IoC)
  resource: behavioral1/memory/1780-66-0x00000000063B0000-0x0000000006750000-memory.dmp
  yara_rule: family_purecrypter
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
Executes dropped EXE (3 IoCs)
  PID 876 voiceadequovl.exe
  PID 1780 voiceadequovl.exe
  PID 1520 voiceadequovl.exe

Loads dropped DLL (4 IoCs)
  PID 876 voiceadequovl.exe (4 entries)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Process: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
    Process: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 1780 voiceadequovl.exe set thread context of PID 1520 (procid_target 35)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1292 powershell.exe
  PID 1324 powershell.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs; repeated entries for the same process collapsed)
  PID 1780 voiceadequovl.exe: SeDebugPrivilege
  PID 1292 powershell.exe: SeDebugPrivilege
  PID 1324 powershell.exe: SeDebugPrivilege
  PID 1216 wmic.exe (set listed twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  PID 880 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, SeIncreaseQuotaPrivilege (list truncated at 64 IoCs)

Suspicious use of WriteProcessMemory (48 IoCs; source -> target, with procid_target and number of entries)
  PID 584 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe -> PID 876 (procid_target 28), 4 entries
  PID 876 voiceadequovl.exe -> PID 1780 (procid_target 29), 4 entries
  PID 1780 voiceadequovl.exe -> PID 1292 (procid_target 30), 4 entries
  PID 1780 voiceadequovl.exe -> PID 300 (procid_target 32), 4 entries
  PID 300 cmd.exe -> PID 1324 (procid_target 34), 4 entries
  PID 1780 voiceadequovl.exe -> PID 1520 (procid_target 35), 12 entries
  PID 1520 voiceadequovl.exe -> PID 1216 (procid_target 36), 4 entries
  PID 1520 voiceadequovl.exe -> PID 1904 (procid_target 39), 4 entries
  PID 1904 cmd.exe -> PID 880 (procid_target 41), 4 entries
  PID 1520 voiceadequovl.exe -> PID 1668 (procid_target 42), 4 entries
Processes (process tree; depth shown by indentation)

1. C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe (PID 584)
   Command: "C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe (PID 876)
      Command: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe (PID 1780)
         Command: "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1292)
            Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
            (the -ENC argument decodes from UTF-16LE base64 to: start-sleep -seconds 35)
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\SysWOW64\cmd.exe (PID 300)
            Command: "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
            (the -ENC argument decodes from UTF-16LE base64 to: set-mppreference -exclusionpath C:\ which adds a Windows Defender exclusion for the whole system drive)
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1324)
               Command: powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
         4. C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe (PID 1520)
            Command: C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\Wbem\wmic.exe (PID 1216)
               Command: wmic os get Caption
               - Suspicious use of AdjustPrivilegeToken
            5. C:\Windows\SysWOW64\cmd.exe (PID 1904)
               Command: cmd /C "wmic path win32_VideoController get name"
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 880)
                  Command: wmic path win32_VideoController get name
                  - Suspicious use of AdjustPrivilegeToken
            5. C:\Windows\SysWOW64\cmd.exe (PID 1668)
               Command: cmd /C "wmic cpu get name"
               6. C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1508)
                  Command: wmic cpu get name
Downloads