Analysis
  max time kernel: 138s
  max time network: 172s
  platform: windows7_x64
  resource: win7-20221111-en
  resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  submitted: 05/02/2023, 13:13
Static task: static1

Behavioral task: behavioral1
  Sample: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
  Resource: win10v2004-20221111-en
General
  Target: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
  Size: 3.6MB
  MD5: 36fd273ea7607d3a203f257f4e2649ed
  SHA1: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48
  SHA256: 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
  SHA512: cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
  SSDEEP: 98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh
Malware Config
  Extracted: aurora
  45.9.74.11:8081
Signatures

Detect PureCrypter injector (1 IoC)
  resource | yara_rule
  behavioral1/memory/604-66-0x00000000064D0000-0x0000000006870000-memory.dmp | family_purecrypter

PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.

Executes dropped EXE (2 IoCs)
  pid | Process
  1648 | voiceadequovl.exe
  604 | voiceadequovl.exe

Loads dropped DLL (4 IoCs)
  pid | Process
  1648 | voiceadequovl.exe
  1648 | voiceadequovl.exe
  1648 | voiceadequovl.exe
  1648 | voiceadequovl.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  268 | powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 604 | voiceadequovl.exe
  Token: SeDebugPrivilege | 268 | powershell.exe

Suspicious use of WriteProcessMemory (29 IoCs; identical entries collapsed, count in parentheses)
  description | pid | Process | procid_target
  PID 1636 wrote to memory of 1648 | 1636 | 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | 28 (4 entries)
  PID 1648 wrote to memory of 604 | 1648 | voiceadequovl.exe | 29 (4 entries)
  PID 604 wrote to memory of 268 | 604 | voiceadequovl.exe | 30 (4 entries)
  PID 604 wrote to memory of 1964 | 604 | voiceadequovl.exe | 32 (4 entries)
  PID 604 wrote to memory of 292 | 604 | voiceadequovl.exe | 34 (6 entries)
  PID 1964 wrote to memory of 856 | 1964 | cmd.exe | 35 (4 entries)
  PID 604 wrote to memory of 292 | 604 | voiceadequovl.exe | 34 (3 entries)
Processes (indentation shows the parent/child tree; depth as reported by the sandbox)

[1] C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 1636

  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 1648

    [3] C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
        command line: "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 604

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
          (the -ENC argument is base64-encoded UTF-16LE and decodes to: start-sleep -seconds 35)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 268

      [4] C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
          (the -ENC argument is base64-encoded UTF-16LE and decodes to: set-mppreference -exclusionpath C:\ , i.e. a Windows Defender exclusion for the whole system drive)
          - Suspicious use of WriteProcessMemory
          PID: 1964

        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            command line: powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
            PID: 856

      [4] C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
          command line: C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
          PID: 292

        [5] C:\Windows\SysWOW64\Wbem\wmic.exe
            command line: wmic os get Caption
            PID: 988

        [5] C:\Windows\SysWOW64\cmd.exe
            command line: cmd /C "wmic path win32_VideoController get name"
            PID: 2028

          [6] C:\Windows\SysWOW64\Wbem\WMIC.exe
              command line: wmic path win32_VideoController get name
              PID: 964

        [5] C:\Windows\SysWOW64\cmd.exe
            command line: cmd /C "wmic cpu get name"
            PID: 764
Network
MITRE ATT&CK Enterprise v6
Downloads

  Filesize: 358.8MB
  MD5: f0390527a9ed51b8831c44cff822cd78
  SHA1: 3076fa6c46cc9b918f272940a4eb6c6375be59c9
  SHA256: 33a538291cf11e43c96aaf8f49c3baf53f4021af2d0c28c14a1f87267d23668e
  SHA512: b38395e8b031e76f928f15b7301b62c6c8e41d9548d25e3632c8b4dd122059952427313027bc118bc520a9c52e2ae948bd1ac0081f5ef540cddf4d821473d987

  Filesize: 365.5MB
  MD5: ba50f2bca86ba947a8d2035bb9b35123
  SHA1: a542b5c5d41174dc2475a219978123b7d14f958f
  SHA256: 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5
  SHA512: 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: aacb5d545ab23291d902a832663bced5
  SHA1: 0cb35393b862495c5e559c3dbfd1a01e8a81903d
  SHA256: ae97a4ca400973e084222a371284bdb9fe424895c6fcbea0afa1574318d8f34e
  SHA512: 7e56983812b5108d0c5f835c2c55720d75b40fe9f9287a1513a3d83221ecc167688390264db141541dd5df48c4e0c42326beb43a01d1aa6d4bb44d260ef0c003

  Filesize: 234.9MB
  MD5: f8cef10f4cc14e615b11824f5de52d1a
  SHA1: e1cdc22d6db4b902c5cd4a1b34218098fdec77d0
  SHA256: 38ffeb0cac3c616e826dbea90fc1036b4d409b31aade2bf7a2e5ef45e563d581
  SHA512: 82b08a0e39bd80f8f653ba74b7af879b212c6cec48ebb56c92bd9d94adf224ba64f68ed468c651e1ac8e3629206eb26d117626a223b551220bd02b21fed5f2c1

  Filesize: 237.2MB
  MD5: 0dbf4888c96f66592c66167664eaf1da
  SHA1: 3b45908246c1c0d34c397d0be1fe6c1819c648ab
  SHA256: cfe5a88c14bd4a3e8a5f5ad1c8ab755f9ddd5db1cc91180c34d65cb75cbdeb1a
  SHA512: 103ecb46fa9b7cfe1d74730fc50b61f1c75f904372da30c6e4075cc5f7805edb3c4cd4b1b1dec557c783fa74b66b0d0aa8d9e9826c9e217225421aeb9b66780d

  Filesize: 34.5MB
  MD5: 588b03dc03c6d6a6b97f3eede814defc
  SHA1: be80f2ac8eb683bea473fbb0a2befbfe72bd8bbd
  SHA256: f087369ee10b902f9c0b530a5d08396ade507fd8211fcc5ff88f1f91c405c89a
  SHA512: 4dca64662ab11a2ada5345f54d370f5eaa0a56455fcdf5c1ba7f56d3db2348dc9764fbf853b1c61a58e5403d6aab1b38b198fe16b201390eae4c2c9a3d474525

  Filesize: 239.3MB
  MD5: 883dd57a2d0f53cbde9299cac770e83d
  SHA1: 250dd82a45484d5e9c57bdf1c3803ad501173a11
  SHA256: b6e8e44fbfebf0b3db0e759d9919197efb4d651acedb50fc25b8eed7a97f546c
  SHA512: 80e87d39065964ac7015c2c91bdca1c45973d4d052abf62e3f1f3ca3587e022b301433093526e3000a626bd71c474bc5a0990e8bb4c26c10273a2b50872c9ba9

  Filesize: 237.9MB
  MD5: e4489a0cf61d4d4c5b4d0d8201151482
  SHA1: 608bba78f1835f4df5270ff48a9224c865c6dd4e
  SHA256: 62f3190d4d8c21ac1f9861a0350d7d4c0737571bd502af61cf27c0ff2fe18ca2
  SHA512: 12f71a3831fc13f5c21759defdf5dcfdff7b8de0a1527726415b6ab31289dc29ff0180cf27a4540323a60c66d0617e1cbd6bb61857b36038660b3e575fb95955

  Filesize: 238.1MB
  MD5: 9a9e6b95e4cb08ef82c91f6862934ae1
  SHA1: 8c09238b1075c88ac832f7e3491a187c3e1619fd
  SHA256: 4a562e39479feac9f324a69d4f2377c35cf6c23c21d1cc0a340856f9f34a71c2
  SHA512: c04c10053f39224620ac35e54c763c7739753df6cefdc20e2f80f59b43d7e262a7850e2f8d7d52d9b11a1f33a21cdb36e0f191c27b459ef6e0c0f506e68254e5

  Filesize: 236.3MB
  MD5: fa9c46ee58a567430ca285afd15ff859
  SHA1: 638e161ed137cfbc4570e7acbf02db123a5e9983
  SHA256: 62258f5392e904dd171ac89475a18b773e0e355039a4ad5e706b702a1a469b8d
  SHA512: 560233f2dc5767273d3820722c4f9c0ebfb84bc44bf15ea4b7df73ab946d20979a9a308c984e9697df874ffc0af886f844d2b1a848bb5044368be045432a971f