Analysis
max time kernel: 144s
max time network: 90s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 17/04/2023, 11:18
Static task
static1
General
Target: 5abd4adb15675c3c00d77595705f1cbfd8db6adefd3070682cf171a663103c33.exe
Size: 980KB
MD5: 12a5b2c98bbeebabb3f583e6c329217c
SHA1: 7db94993d92c87e3e0cd97f2b142661d2c7a7fb1
SHA256: 5abd4adb15675c3c00d77595705f1cbfd8db6adefd3070682cf171a663103c33
SHA512: 8a9d6578d9afbb1c6ed81839a678c457559bbde6a6107b3778bcb16e52575eb74febcd4edfedf4b27716c30fdffdd2d5aef118f768b0ea005292da415e05711d
SSDEEP: 24576:MycYTw6pQhVHfhISr5zRRVWX+PKoVgBFKWAELkXWt0QE:7cYsJhVZIqzRuOioQAWtP
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr326521.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr326521.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr326521.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr326521.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr326521.exe
All five writes go to the Group Policy key for Real-Time Protection, so the sample turns off Defender's real-time engine by policy rather than through the Defender UI or its management API.
-
Executes dropped EXE 6 IoCs
pid | Process
988 | un697385.exe
4496 | un894923.exe
4988 | pr326521.exe
4856 | qu626999.exe
4020 | rk700955.exe
60 | si879502.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr326521.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr326521.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 5abd4adb15675c3c00d77595705f1cbfd8db6adefd3070682cf171a663103c33.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un697385.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un697385.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un894923.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | un894923.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 5abd4adb15675c3c00d77595705f1cbfd8db6adefd3070682cf171a663103c33.exe
The wextract_cleanupN values are not persistence for the payload. They are the standard RunOnce entries written by Microsoft's WEXTRACT self-extractor stub (the engine behind IExpress packages), which runs advpack.dll's DelNodeRunDLL32 at next logon to delete the IXP00n.TMP extraction directory. Three such entries (IXP000, IXP001, IXP002) show that the sample is three nested self-extracting archives, each unpacking the next; the dropped payloads themselves write no Run key in this run.
-
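Added example, not part of the Triage report or of the sample's own code: a small Python classifier for registry writes of the kinds listed under the two Defender signatures and the Run-key signature above. It parses IoC strings in the layout this report renders them (assumed format: `<op> <path> = "<JSON-escaped data>"`), flags Real-Time Protection policy values that disable a Defender component, flags TamperProtection being set to 0, and tells a WEXTRACT cleanup RunOnce entry apart from genuine Run-key persistence. Sample rows 0 to 7 are transcribed from this report; row 8 (process name `persist.exe`, a constructed `Updater` Run value) is made up to show the contrast. One caveat: on a host where Tamper Protection is enabled, Defender blocks the direct write to Features\TamperProtection, so what you detect in telemetry is the attempt, which is still worth alerting on.

```python
"""Classify registry value writes of the kind listed in this report: Defender
real-time policy disablement, Tamper Protection switched off, and Run/RunOnce
writes (separating WEXTRACT cleanup entries from real persistence)."""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Real-Time Protection policy values that each disable a Defender component when set to 1.
RTP_DISABLE_VALUES = {
    "disableioavprotection", "disableonaccessprotection", "disablerealtimemonitoring",
    "disablescanonrealtimeenable", "disablebehaviormonitoring",
}
RTP_KEY = r"\policies\microsoft\windows defender\real-time protection"
FEATURES_KEY = r"\microsoft\windows defender\features"
RUN_KEYS = (r"\microsoft\windows\currentversion\run", r"\microsoft\windows\currentversion\runonce")

# Assumed IoC layout, as rendered in this report: <op> <path>[ = "<JSON-escaped data>"]
IOC_RE = re.compile(r'^(?P<op>Key created|Set value \((?:int|str)\))\s+'
                    r'(?P<path>\\REGISTRY\\.*?)(?:\s=\s(?P<data>".*"))?$')
# WEXTRACT/IExpress housekeeping: rundll32 advpack.dll,DelNodeRunDLL32 "<extraction dir>"
WEXTRACT_RE = re.compile(r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+)"$', re.I)


@dataclass
class Finding:
    process: str
    severity: str
    rule: str
    detail: str


def parse_ioc(line: str):
    """Split a report IoC string into (op, path, data); data is JSON-decoded or None."""
    m = IOC_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised ioc: {line!r}")
    data = json.loads(m.group("data")) if m.group("data") else None
    return m.group("op"), m.group("path"), data


def split_key(path: str):
    """Return (normalised key, value name): lower-cased, WOW6432Node redirection removed."""
    key, _, name = path.lower().rpartition("\\")
    return key.replace(r"\wow6432node", ""), name


def classify(process: str, line: str) -> Optional[Finding]:
    op, path, data = parse_ioc(line)
    if not op.startswith("Set value"):
        return None  # a bare key creation carries no data to judge
    key, name = split_key(path)
    if key.endswith(RTP_KEY) and name in RTP_DISABLE_VALUES and data == "1":
        return Finding(process, "high", "defender_rtp_disabled", name)
    if key.endswith(FEATURES_KEY) and name == "tamperprotection" and data == "0":
        return Finding(process, "high", "defender_tamper_protection_off", name)
    if key.endswith(RUN_KEYS):
        m = WEXTRACT_RE.match(data or "")
        if m:  # self-extractor deleting its own temp directory at next logon, not persistence
            return Finding(process, "info", "wextract_cleanup", m.group("dir"))
        return Finding(process, "medium", "run_key_persistence", f"{name} = {data}")
    return None


def analyze(rows):
    """rows: (process, ioc line) pairs -> (findings, {process: set of rule names})."""
    findings = [f for f in (classify(p, line) for p, line in rows) if f]
    by_process = {}
    for f in findings:
        by_process.setdefault(f.process, set()).add(f.rule)
    return findings, by_process


def defender_tamperers(by_process):
    """Processes that both disabled real-time components and turned Tamper Protection off."""
    needed = {"defender_rtp_disabled", "defender_tamper_protection_off"}
    return sorted(p for p, rules in by_process.items() if needed <= rules)


RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEAT = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"
SAMPLE_ROWS = [
    # rows 0-7: transcribed from the Signatures section of this report
    ("pr326521.exe", "Set value (int) " + RTP + r'\DisableIOAVProtection = "1"'),
    ("pr326521.exe", "Set value (int) " + RTP + r'\DisableOnAccessProtection = "1"'),
    ("pr326521.exe", "Set value (int) " + RTP + r'\DisableRealtimeMonitoring = "1"'),
    ("pr326521.exe", "Set value (int) " + RTP + r'\DisableScanOnRealtimeEnable = "1"'),
    ("pr326521.exe", "Set value (int) " + RTP + r'\DisableBehaviorMonitoring = "1"'),
    ("pr326521.exe", "Key created " + FEAT),
    ("pr326521.exe", "Set value (int) " + FEAT + r'\TamperProtection = "0"'),
    ("un697385.exe", r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""'),
    # row 8: constructed for contrast, not from the report: a real Run-key persistence write
    ("persist.exe", r'Set value (str) \REGISTRY\USER\S-1-5-21-1000-1001-1002-1003\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\updater.exe"'),
]

if __name__ == "__main__":
    findings, by_process = analyze(SAMPLE_ROWS)
    for f in findings:
        print(f"{f.severity:6} {f.process:14} {f.rule:31} {f.detail}")
    print("defender tampering chain:", defender_tamperers(by_process))
```

Run as-is it prints one line per finding and names pr326521.exe as the only process that both disabled real-time components and switched Tamper Protection off; the un697385.exe RunOnce write comes out as an info-level WEXTRACT cleanup with the IXP001.TMP directory, while the constructed Updater value is reported as medium-severity persistence. The decisive part for the Run-key rule is decoding the JSON-escaped data before matching, since the `\"`-quoted directory argument is otherwise hard to match reliably.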
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Drive enumeration is common in ransomware looking for volumes to encrypt, but stealers enumerate drives to find files to collect and loaders do it to fingerprint the host, so by itself this is a weak indicator. Read it with the rest of this report: the other signatures are infostealer-style (browser data, wallet files, Defender tampering) and no file encryption is recorded in this run.
-
Program crash 9 IoCs
pid | pid_target | Process | procid_target
2112 | 60 | WerFault.exe | 72
4588 | 60 | WerFault.exe | 72
4484 | 60 | WerFault.exe | 72
2652 | 60 | WerFault.exe | 72
2684 | 60 | WerFault.exe | 72
4992 | 60 | WerFault.exe | 72
4300 | 60 | WerFault.exe | 72
3992 | 60 | WerFault.exe | 72
1196 | 60 | WerFault.exe | 72
All nine entries are crash reports for PID 60 (si879502.exe); procid_target 72 is the report's internal index for that process (compare the last rows of the WriteProcessMemory table below). The crash repeats nine times within the run, so si879502.exe never executes its payload in this environment.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4988 | pr326521.exe
4988 | pr326521.exe
4856 | qu626999.exe
4856 | qu626999.exe
4020 | rk700955.exe
4020 | rk700955.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4988 | pr326521.exe
Token: SeDebugPrivilege | 4856 | qu626999.exe
Token: SeDebugPrivilege | 4020 | rk700955.exe
-
Suspicious use of WriteProcessMemory 18 IoCs
description | pid | Process | procid_target
PID 3668 wrote to memory of 988 | 3668 | 5abd4adb15675c3c00d77595705f1cbfd8db6adefd3070682cf171a663103c33.exe | 66
PID 3668 wrote to memory of 988 | 3668 | 5abd4adb15675c3c00d77595705f1cbfd8db6adefd3070682cf171a663103c33.exe | 66
PID 3668 wrote to memory of 988 | 3668 | 5abd4adb15675c3c00d77595705f1cbfd8db6adefd3070682cf171a663103c33.exe | 66
PID 988 wrote to memory of 4496 | 988 | un697385.exe | 67
PID 988 wrote to memory of 4496 | 988 | un697385.exe | 67
PID 988 wrote to memory of 4496 | 988 | un697385.exe | 67
PID 4496 wrote to memory of 4988 | 4496 | un894923.exe | 68
PID 4496 wrote to memory of 4988 | 4496 | un894923.exe | 68
PID 4496 wrote to memory of 4988 | 4496 | un894923.exe | 68
PID 4496 wrote to memory of 4856 | 4496 | un894923.exe | 69
PID 4496 wrote to memory of 4856 | 4496 | un894923.exe | 69
PID 4496 wrote to memory of 4856 | 4496 | un894923.exe | 69
PID 988 wrote to memory of 4020 | 988 | un697385.exe | 71
PID 988 wrote to memory of 4020 | 988 | un697385.exe | 71
PID 988 wrote to memory of 4020 | 988 | un697385.exe | 71
PID 3668 wrote to memory of 60 | 3668 | 5abd4adb15675c3c00d77595705f1cbfd8db6adefd3070682cf171a663103c33.exe | 72
PID 3668 wrote to memory of 60 | 3668 | 5abd4adb15675c3c00d77595705f1cbfd8db6adefd3070682cf171a663103c33.exe | 72
PID 3668 wrote to memory of 60 | 3668 | 5abd4adb15675c3c00d77595705f1cbfd8db6adefd3070682cf171a663103c33.exe | 72
Processes
C:\Users\Admin\AppData\Local\Temp\5abd4adb15675c3c00d77595705f1cbfd8db6adefd3070682cf171a663103c33.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5abd4adb15675c3c00d77595705f1cbfd8db6adefd3070682cf171a663103c33.exe"
  PID: 3668
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un697385.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un697385.exe
    PID: 988
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un894923.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un894923.exe
      PID: 4496
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr326521.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr326521.exe
        PID: 4988
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu626999.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu626999.exe
        PID: 4856
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk700955.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk700955.exe
      PID: 4020
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si879502.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si879502.exe
    PID: 60
    - Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 644
      PID: 2112
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 720
      PID: 4588
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 848
      PID: 4484
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 856
      PID: 2652
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 884
      PID: 2684
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 896
      PID: 4992
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 1124
      PID: 4300
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 1160
      PID: 3992
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 1204
      PID: 1196
      - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 246KB
MD5: 1141efb7cc1de7dc0739d7b3fb735ab5
SHA1: 9c4f1513eae1d586233def9ac91950d61cf1113d
SHA256: df2ba359f7a856f9a54385425d004fb2b045171a5f1bc2972f44e7fccb8e9580
SHA512: 9b660a4b7ef00e12c4d835eb20fb9f3cda8b029eabed2f2377356853a8ba0ea9a75068669528ea6f093a6051128264d0c96be52dee6491075ff36f7134329782
-
Filesize: 706KB
MD5: 29a82749a1286873a33ec86e089e772c
SHA1: 29f7b746d33bcdaaaaa0f7ff96abb0f6b508faac
SHA256: 66ceacd4b7cacc001c66c66f3758618446aae8bb31d75b4f73fc0498865435ad
SHA512: 22205ec35ad1f42cb2a93ddfa7c2413eb29a0fc985a4e738f6faf933f15266d70e50b36498a4b54dc05a1d24af49f17bbb15c0bb2af516d748a2e302f39a7b3d
-
Filesize: 136KB
MD5: 359db2338ae0f977dcf10e90cf9816fb
SHA1: 94126cb670e5f434e555c991c967e0ee98fae552
SHA256: 5f9eff953d7ca49f594a864517dfdf37950a41693e53b79aa3a5c396613031bc
SHA512: d2202c1f9dfe7c18993b834f3ccb34e9436c4bf814aca1ed38941ad41a4cf8326dda767389a5e39e64de74aacf76845464fdee73b61a926a1622a33c87382dbc
-
Filesize: 552KB
MD5: 9310d9f696d13503de1fd1cac419f430
SHA1: 644edc5c06bf2762e366b2a8c4acd8a8af946089
SHA256: 0b6d8b04d21afef1efb97a238094585157bfae6ca6f61fc03b88b031db7e4dc4
SHA512: 56ec4e89937fcefda292c5271db0835e93345ae130fa343020eaa9d023e619880b46c7f010001a0851411b333c0dae70f2f00fde2942975064e2d3aa0983c65c
-
Filesize: 254KB
MD5: b2b187b249bb640fce19729541466401
SHA1: 2f29e11fe1cc499ebbd029e1a22bcb16ad1d329d
SHA256: 262c499542d1dbc36bb2fec32c32e947f08249df8d8a4fab0dc2b3b96a7ee70c
SHA512: ac1e4f293a72861961977fb3446713ff3e826f686c43a17c28ecae3aa2be8af9aa8e97f7bd253e1729e04e5e59a585e07d41d2eefdfc16618ffe929f2f3af9e0
-
Filesize: 337KB
MD5: 22c2f286706d373193b719008fff8366
SHA1: c91efe0d4a705eea050a72e33ee2dad067ba1a87
SHA256: 676c6e245438d0cef25badd803ffe4e7f4d55e9855e8668cc1eb4c361a1c909b
SHA512: 1d275ae1036ba668a4a953e4deff17bb1845570c8aba2455e9a2371b12646947d70aff76b0695118610fc1e40fdae7a0646e9ea42d43d85867a7091db98bf3af