Analysis
- max time kernel: 144s
- max time network: 148s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 18/04/2023, 19:18
Static task
static1
General
- Target: 8e798b6e766493c894935073db220a3440007f940a78c9f94045de6303fdec2f.exe
- Size: 1.1MB
- MD5: d64edcff5aeff2aec2ee1bdcbd617d07
- SHA1: 3d3c1ba7c4bfbf4183d9708d1c1e00defa05cf4e
- SHA256: 8e798b6e766493c894935073db220a3440007f940a78c9f94045de6303fdec2f
- SHA512: dda5fc962dd974e94381796e57183a886ce8bcc09c7423b2b41a957cb4c6dbf2febc172cfa5ff87ee553039da41bf43a24b8971d48b13a99e0edd8586b07117e
- SSDEEP: 24576:cyXV/saQXMbJDMroMrhCXocgtk6mYk2r:LXV/VQXoMUMrhCXocEk6mY9
Malware Config
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr471871.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr471871.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr471871.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr471871.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr471871.exe
Executes dropped EXE 6 IoCs
pid | Process
4108 | un945094.exe
2072 | un160677.exe
3812 | pr471871.exe
2548 | qu024203.exe
3204 | rk832667.exe
348 | si323136.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr471871.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr471871.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un945094.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un160677.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | un160677.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 8e798b6e766493c894935073db220a3440007f940a78c9f94045de6303fdec2f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 8e798b6e766493c894935073db220a3440007f940a78c9f94045de6303fdec2f.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un945094.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash 7 IoCs
pid | pid_target | Process | procid_target
984 | 348 | WerFault.exe | 72
4756 | 348 | WerFault.exe | 72
3528 | 348 | WerFault.exe | 72
4796 | 348 | WerFault.exe | 72
2872 | 348 | WerFault.exe | 72
2760 | 348 | WerFault.exe | 72
1308 | 348 | WerFault.exe | 72

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
3812 | pr471871.exe
3812 | pr471871.exe
2548 | qu024203.exe
2548 | qu024203.exe
3204 | rk832667.exe
3204 | rk832667.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3812 | pr471871.exe
Token: SeDebugPrivilege | 2548 | qu024203.exe
Token: SeDebugPrivilege | 3204 | rk832667.exe

Suspicious use of WriteProcessMemory 18 IoCs
description | pid | Process | procid_target
PID 3612 wrote to memory of 4108 | 3612 | 8e798b6e766493c894935073db220a3440007f940a78c9f94045de6303fdec2f.exe | 66
PID 3612 wrote to memory of 4108 | 3612 | 8e798b6e766493c894935073db220a3440007f940a78c9f94045de6303fdec2f.exe | 66
PID 3612 wrote to memory of 4108 | 3612 | 8e798b6e766493c894935073db220a3440007f940a78c9f94045de6303fdec2f.exe | 66
PID 4108 wrote to memory of 2072 | 4108 | un945094.exe | 67
PID 4108 wrote to memory of 2072 | 4108 | un945094.exe | 67
PID 4108 wrote to memory of 2072 | 4108 | un945094.exe | 67
PID 2072 wrote to memory of 3812 | 2072 | un160677.exe | 68
PID 2072 wrote to memory of 3812 | 2072 | un160677.exe | 68
PID 2072 wrote to memory of 3812 | 2072 | un160677.exe | 68
PID 2072 wrote to memory of 2548 | 2072 | un160677.exe | 69
PID 2072 wrote to memory of 2548 | 2072 | un160677.exe | 69
PID 2072 wrote to memory of 2548 | 2072 | un160677.exe | 69
PID 4108 wrote to memory of 3204 | 4108 | un945094.exe | 71
PID 4108 wrote to memory of 3204 | 4108 | un945094.exe | 71
PID 4108 wrote to memory of 3204 | 4108 | un945094.exe | 71
PID 3612 wrote to memory of 348 | 3612 | 8e798b6e766493c894935073db220a3440007f940a78c9f94045de6303fdec2f.exe | 72
PID 3612 wrote to memory of 348 | 3612 | 8e798b6e766493c894935073db220a3440007f940a78c9f94045de6303fdec2f.exe | 72
PID 3612 wrote to memory of 348 | 3612 | 8e798b6e766493c894935073db220a3440007f940a78c9f94045de6303fdec2f.exe | 72
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\8e798b6e766493c894935073db220a3440007f940a78c9f94045de6303fdec2f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8e798b6e766493c894935073db220a3440007f940a78c9f94045de6303fdec2f.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 3612

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un945094.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un945094.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 4108

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un160677.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un160677.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 2072

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr471871.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr471871.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3812

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu024203.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu024203.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2548

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk832667.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk832667.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3204

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si323136.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si323136.exe
    - Executes dropped EXE
    PID: 348

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 620
      - Program crash
      PID: 984

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 700
      - Program crash
      PID: 4756

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 840
      - Program crash
      PID: 3528

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 880
      - Program crash
      PID: 4796

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 884
      - Program crash
      PID: 2872

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 888
      - Program crash
      PID: 2760

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 1076
      - Program crash
      PID: 1308
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 381KB
  MD5: f1cada3622a5d7ac8bd7c511639ccea9
  SHA1: 6c63f5857c1ef1d6f8ff76a9109b77846170266a
  SHA256: 8127bc9f82467eca7c5d2360ebd6d4e275d341a1a254da42e088e78b24ad2655
  SHA512: 7e3a4a960aa74316f0648b041b4885e1f417cb366a7d79f571e3cee50eb7f4bcfe7dcd44be82d3da222ab91f196bbfb2efa677fcb98d17908e17b25c7cfdc30c
- Filesize: 763KB
  MD5: 28e4841feff20fe8898b04370041f270
  SHA1: 625910424d3b56a475c5cebd102c41727ec1b5c4
  SHA256: 786ad480f3ad31f253864e61af7ecbc14a8fbaca9e5fbd82c1d1236681f04f19
  SHA512: 40b48d3b8935689dae0bbe0eb201252beb22eddc73e5ea8a90ab4633a079359a92f8ffca0de44b89b17fa613ee6649710ab77d44eb38fdf100c785ce46da9e78
- Filesize: 136KB
  MD5: 86810f340795831f3c2bd147981be929
  SHA1: 573345e2c322720fa43f74d761ff1d48028f36c9
  SHA256: d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139
  SHA512: c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f
- Filesize: 609KB
  MD5: 4b843ced5338be9c1e732d525dc496d7
  SHA1: ab3b1ee1bceb44856b35e7a89aa914ea408c6fbd
  SHA256: 7d2be463e5499de2966d9d8585f94f99c5c2c4a39946992c7eac44adb05517c2
  SHA512: 4c1ad80a556dd0f5340cc402df29f23e9725caf5b10548ffd8e2561d026000f0b9eb8ace3690d11529e919627eefdda8ba2f64946375d323fe89246986936e14
- Filesize: 403KB
  MD5: 25a18f0193a33f31988bcbc763b79e20
  SHA1: 12958812f51f9d370031bcf51b8002b2b14019d2
  SHA256: 61fc5ac4e966aab5dc63c208c78bb9ce9e7ac2f9dad4a5ba8ed7bfa40fec6edd
  SHA512: f62343733a3c0e0140e2639667df3002f3aa7435c6a3f1a75d7ca8fc36e0f964d5e3fd9d492f474da85d22a490e5abf36349d8ec30bbaa97ef20b67400ff069e
- Filesize: 485KB
  MD5: 6581191b8da937c1246fb24dc8f24149
  SHA1: 5787c94c5d56fc8c04b81b3a2ca175c99f18cce6
  SHA256: d3bbcfa524244e7a5a98becc6388691728ddbb030966f50e26d4c54c81ae3149
  SHA512: 5e6d22fbece6836dd935f9755c8dd849b9a677bb014d635a957f0e834beb2d933496dede99dcf98b3944006f708b0a6382943bc50b76ec482c57d3009186bd25