Analysis
max time kernel: 128s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/03/2023, 05:09
Static task: static1
Behavioral task: behavioral1
  Sample: 4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe
  Resource: win10v2004-20230220-en
General
Target: 4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe
Size: 360KB
MD5: 3a9fbd43fea6701ab3111db334660d38
SHA1: 98855962827d60522eb91f11be00d2969471f147
SHA256: 4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3
SHA512: 8f4e4ebff99f79358b43337eda9fa0e8f27daffa965691a738a4e421fcda382210df82939205f6e5218483e1ae04f93511df0136b5299c8bcd7e349ca54bef52
SSDEEP: 6144:KSy+bnr+Fp0yN90QEdGayzdq9+slMoebwSdLdQsJM9i7yT48gAaXh:2Mrty90Gah98lt/Qs6zc5x
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | knTi12GV54.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | knTi12GV54.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | ljdH59li82.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | ljdH59li82.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | knTi12GV54.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | knTi12GV54.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | ljdH59li82.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | ljdH59li82.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | ljdH59li82.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | ljdH59li82.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | knTi12GV54.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | knTi12GV54.exe
Executes dropped EXE 2 IoCs
pid | Process
1268 | knTi12GV54.exe
1916 | ljdH59li82.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | knTi12GV54.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | knTi12GV54.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | ljdH59li82.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
3628 | sc.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
4752 | 1268 | WerFault.exe | 84
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
1268 | knTi12GV54.exe
1268 | knTi12GV54.exe
1916 | ljdH59li82.exe
1916 | ljdH59li82.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1268 | knTi12GV54.exe
Token: SeDebugPrivilege | 1916 | ljdH59li82.exe
Suspicious use of WriteProcessMemory 5 IoCs
description | pid | Process | procid_target
PID 3760 wrote to memory of 1268 | 3760 | 4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe | 84
PID 3760 wrote to memory of 1268 | 3760 | 4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe | 84
PID 3760 wrote to memory of 1268 | 3760 | 4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe | 84
PID 3760 wrote to memory of 1916 | 3760 | 4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe | 90
PID 3760 wrote to memory of 1916 | 3760 | 4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe | 90
Processes
C:\Users\Admin\AppData\Local\Temp\4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4dc320c75d8a5f17c2f1709ce46a4ff455e68e5f11e0a4f6ef817e34f9fb67e3.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 3760
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\knTi12GV54.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\knTi12GV54.exe
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1268
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1080
      - Program crash
      PID: 4752
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ljdH59li82.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ljdH59li82.exe
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1916
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1268 -ip 1268
  PID: 1944
C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
  PID: 3628
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 362KB
MD5: 5d81e061f10a4717c5280a205a96b146
SHA1: f576d4064f994a265b98a3b504a0e128699b0ee2
SHA256: 4f5e241ccb185ff012b1867db8220ab0dc50e72f7a59c4eb58dbe9292f120f9e
SHA512: a6dd3707251edca7f42acad1e643e35ef6786302bc2e530905bf854473b2c1548acecddba8f7430e6ed41d7839e10d0ef4db0a19b2b9e0e00b7bd1d2ffa657dd
Filesize: 12KB
MD5: 2ec4640232b1848ae68845f48a57f912
SHA1: f104382796c69ca74f3c3305774819a738fc672f
SHA256: a73dee9964005b1f37bf42680cb70acad7355ca2d481e0f4dd39036b870dd22e
SHA512: db88d8f58550872a2a57bd2ae09900661ca92805f209652dc039f659a696da2b38e57f56fdf5922f50d968f4eada29361ef34fdf5b656c92867058f053a5be26