Analysis
max time kernel: 140s
max time network: 98s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64 arch:x86 image:win10-20230220-en locale:en-us os:windows10-1703-x64 system
submitted: 15/04/2023, 18:25
Static task
static1
General
Target: 8512f8af53c6a0c143c4949957d83630ded757de067cf79ac5812a3e1a8e2509.exe
Size: 942KB
MD5: 3370fb1de1aa436397357c4794e83816
SHA1: a8c271ac38b1fd7a5b0e6d1107fec301ad27ee61
SHA256: 8512f8af53c6a0c143c4949957d83630ded757de067cf79ac5812a3e1a8e2509
SHA512: d892612e212fdb9d31728ba816279e966d8363d5c5102e41d406bf3c9f95b1d21a2d45ef38c15e5e495856ace2db64fbcf932a50013b05b6783ab87170cd9afc
SSDEEP: 24576:wy/r+XNNk45u4tOFhtBvnz2QTNJboogZdiAoy:3j+ff5X8R9zNTDovdT
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it501764.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it501764.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it501764.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it501764.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it501764.exe
Executes dropped EXE 6 IoCs
pid | Process
2592 | ziQs1762.exe
2688 | zidl6687.exe
4300 | it501764.exe
5112 | jr853861.exe
3752 | kp637334.exe
3940 | lr415924.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it501764.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziQs1762.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | zidl6687.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | zidl6687.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 8512f8af53c6a0c143c4949957d83630ded757de067cf79ac5812a3e1a8e2509.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 8512f8af53c6a0c143c4949957d83630ded757de067cf79ac5812a3e1a8e2509.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ziQs1762.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 9 IoCs
pid | pid_target | Process | procid_target
3412 | 3940 | WerFault.exe | 72
3908 | 3940 | WerFault.exe | 72
1660 | 3940 | WerFault.exe | 72
4020 | 3940 | WerFault.exe | 72
4632 | 3940 | WerFault.exe | 72
4656 | 3940 | WerFault.exe | 72
4744 | 3940 | WerFault.exe | 72
4856 | 3940 | WerFault.exe | 72
4872 | 3940 | WerFault.exe | 72
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4300 | it501764.exe
4300 | it501764.exe
5112 | jr853861.exe
5112 | jr853861.exe
3752 | kp637334.exe
3752 | kp637334.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4300 | it501764.exe
Token: SeDebugPrivilege | 5112 | jr853861.exe
Token: SeDebugPrivilege | 3752 | kp637334.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
3940 | lr415924.exe
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 1012 wrote to memory of 2592 | 1012 | 8512f8af53c6a0c143c4949957d83630ded757de067cf79ac5812a3e1a8e2509.exe | 66
PID 1012 wrote to memory of 2592 | 1012 | 8512f8af53c6a0c143c4949957d83630ded757de067cf79ac5812a3e1a8e2509.exe | 66
PID 1012 wrote to memory of 2592 | 1012 | 8512f8af53c6a0c143c4949957d83630ded757de067cf79ac5812a3e1a8e2509.exe | 66
PID 2592 wrote to memory of 2688 | 2592 | ziQs1762.exe | 67
PID 2592 wrote to memory of 2688 | 2592 | ziQs1762.exe | 67
PID 2592 wrote to memory of 2688 | 2592 | ziQs1762.exe | 67
PID 2688 wrote to memory of 4300 | 2688 | zidl6687.exe | 68
PID 2688 wrote to memory of 4300 | 2688 | zidl6687.exe | 68
PID 2688 wrote to memory of 5112 | 2688 | zidl6687.exe | 69
PID 2688 wrote to memory of 5112 | 2688 | zidl6687.exe | 69
PID 2688 wrote to memory of 5112 | 2688 | zidl6687.exe | 69
PID 2592 wrote to memory of 3752 | 2592 | ziQs1762.exe | 71
PID 2592 wrote to memory of 3752 | 2592 | ziQs1762.exe | 71
PID 2592 wrote to memory of 3752 | 2592 | ziQs1762.exe | 71
PID 1012 wrote to memory of 3940 | 1012 | 8512f8af53c6a0c143c4949957d83630ded757de067cf79ac5812a3e1a8e2509.exe | 72
PID 1012 wrote to memory of 3940 | 1012 | 8512f8af53c6a0c143c4949957d83630ded757de067cf79ac5812a3e1a8e2509.exe | 72
PID 1012 wrote to memory of 3940 | 1012 | 8512f8af53c6a0c143c4949957d83630ded757de067cf79ac5812a3e1a8e2509.exe | 72
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\8512f8af53c6a0c143c4949957d83630ded757de067cf79ac5812a3e1a8e2509.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8512f8af53c6a0c143c4949957d83630ded757de067cf79ac5812a3e1a8e2509.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 1012

  [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQs1762.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQs1762.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 2592

    [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidl6687.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidl6687.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 2688

      [depth 4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it501764.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it501764.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 4300

      [depth 4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr853861.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr853861.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 5112

    [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp637334.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp637334.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3752

  [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr415924.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr415924.exe
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      PID: 3940

    [depth 3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 620
        - Program crash
        PID: 3412

    [depth 3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 700
        - Program crash
        PID: 3908

    [depth 3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 840
        - Program crash
        PID: 1660

    [depth 3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 828
        - Program crash
        PID: 4020

    [depth 3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 876
        - Program crash
        PID: 4632

    [depth 3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 852
        - Program crash
        PID: 4656

    [depth 3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 1120
        - Program crash
        PID: 4744

    [depth 3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 1152
        - Program crash
        PID: 4856

    [depth 3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 1140
        - Program crash
        PID: 4872
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 396KB
MD5: da8fa27c0d1e7ee3855aef315957461e
SHA1: 3b847d83099e3c3ff4628549deb0ff98712fafc9
SHA256: fe1fa4271fa2e955d24e7efe6115a7a99080112fc9b404810b24696b001e672a
SHA512: d39c93d770aaf9492bd4f0c2857c9bb760bef1d86419206916c37bdd812c7d173fe2808710b6e9f9e5caf73bb0d53e8804f54ce1706d0e3eebf311cdaae88bc8
Filesize: 619KB
MD5: bcce2cd8de4a3bd78a5f4bc7d2d4b7ba
SHA1: 26acd2e505e19bd4aeb4d28ef5fabdb43e5c67b1
SHA256: cb13f0269d1851760d7ebf66361103535959ee38d6f22501194f45c27cffaaab
SHA512: 7d766777eff1359658cf1feb53713beec9a32d097ae55e808e2e10775fbc151cc01de4bd69cb1951e5eb57dce35fd0eca8b808432a4512ab46d53e102351b2e4
Filesize: 136KB
MD5: e7ae347f87257ec8c1177220be5cbfc1
SHA1: d721e86ae2c268a7e42662987bfcd9ffe11ca0f2
SHA256: 733ccbf30055b9a527cc190ef42c803e4cb757572e24bae502298b09361bfd76
SHA512: 8b61ab2ba8646293e8f279ceed7044136f5a51c93b6af715ead76a6d82b8b39d05440771adae7d407d9458de1df45d7c430b8b8251c1ca69461ea9b555480f78
Filesize: 465KB
MD5: 245da5d8d3ace104d1de280a2404031f
SHA1: 0474d7e2a79cfdef56ec0ef41b055f11d7197fc7
SHA256: 89e95e41ac806bc7446adfda0fe61aa3dc6c38a2310738c480a642aa92a50c12
SHA512: 971fe92ded9f7c3cb6f65fe74d53228d24c717bb171351ff78ce250f9f701781a3f20ce91ba51340f1363dfcde5f17dfd96093e626168a97c9b0316cc3f3ac0c
Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
Filesize: 486KB
MD5: 01c3dfb19555a68497bbad29b6c7eec1
SHA1: 544dff572de55b9c90f320f94edf59fb358e410d
SHA256: d6afc5e467bbd5b993b2f2f531b026d43eb0922421622a0d8d6832c2247de79e
SHA512: 5ac101cc5e4a7ed436a7495ccd864d9a111235b65d6134d1e1a1513779f822c68361d509f2433e5293223b515446408840bf0a509ea5e758d2e6137a57ddaf6c