Analysis
Max time kernel: 148s
Max time network: 94s
Platform: windows10-1703_x64
Resource: win10-20230220-en
Resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
Submitted: 19/04/2023, 20:44
Static task
static1
General
Target: f9aee415a399e8abd0fba5b04405c726a45cd5ea93ea43d0a07efc90e7d0c1f6.exe
Size: 827KB
MD5: f68d925cb037645724c3d985364cb3bf
SHA1: e8653d6a211a691ccf951de21c91b28e2c47bbbd
SHA256: f9aee415a399e8abd0fba5b04405c726a45cd5ea93ea43d0a07efc90e7d0c1f6
SHA512: 736a059bf1d54f4d911e7c305508c092a727aac56a539ce3cc033e5b4fb348f50bb30948590b15511298274724efde941001379cae52d528717f3fa59f365954
SSDEEP: 24576:Xyl9+gA3eQ6b2s29gnWATPk8pMsAf6/jRz725:ilMt6b2F9gnWh8upC/Q
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it896957.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it896957.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it896957.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it896957.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it896957.exe
Executes dropped EXE 6 IoCs
pid | Process
2488 | zidj7493.exe
2560 | ziHh3760.exe
3172 | it896957.exe
3892 | jr791644.exe
1964 | kp411059.exe
4040 | lr531544.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it896957.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | f9aee415a399e8abd0fba5b04405c726a45cd5ea93ea43d0a07efc90e7d0c1f6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | f9aee415a399e8abd0fba5b04405c726a45cd5ea93ea43d0a07efc90e7d0c1f6.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | zidj7493.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zidj7493.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ziHh3760.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | ziHh3760.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 7 IoCs
pid | pid_target | Process | procid_target
2580 | 4040 | WerFault.exe | 72
5048 | 4040 | WerFault.exe | 72
3904 | 4040 | WerFault.exe | 72
1408 | 4040 | WerFault.exe | 72
3928 | 4040 | WerFault.exe | 72
4736 | 4040 | WerFault.exe | 72
3488 | 4040 | WerFault.exe | 72
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
3172 | it896957.exe
3172 | it896957.exe
3892 | jr791644.exe
3892 | jr791644.exe
1964 | kp411059.exe
1964 | kp411059.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3172 | it896957.exe
Token: SeDebugPrivilege | 3892 | jr791644.exe
Token: SeDebugPrivilege | 1964 | kp411059.exe
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 2156 wrote to memory of 2488 | 2156 | f9aee415a399e8abd0fba5b04405c726a45cd5ea93ea43d0a07efc90e7d0c1f6.exe | 66
PID 2156 wrote to memory of 2488 | 2156 | f9aee415a399e8abd0fba5b04405c726a45cd5ea93ea43d0a07efc90e7d0c1f6.exe | 66
PID 2156 wrote to memory of 2488 | 2156 | f9aee415a399e8abd0fba5b04405c726a45cd5ea93ea43d0a07efc90e7d0c1f6.exe | 66
PID 2488 wrote to memory of 2560 | 2488 | zidj7493.exe | 67
PID 2488 wrote to memory of 2560 | 2488 | zidj7493.exe | 67
PID 2488 wrote to memory of 2560 | 2488 | zidj7493.exe | 67
PID 2560 wrote to memory of 3172 | 2560 | ziHh3760.exe | 68
PID 2560 wrote to memory of 3172 | 2560 | ziHh3760.exe | 68
PID 2560 wrote to memory of 3892 | 2560 | ziHh3760.exe | 69
PID 2560 wrote to memory of 3892 | 2560 | ziHh3760.exe | 69
PID 2560 wrote to memory of 3892 | 2560 | ziHh3760.exe | 69
PID 2488 wrote to memory of 1964 | 2488 | zidj7493.exe | 71
PID 2488 wrote to memory of 1964 | 2488 | zidj7493.exe | 71
PID 2488 wrote to memory of 1964 | 2488 | zidj7493.exe | 71
PID 2156 wrote to memory of 4040 | 2156 | f9aee415a399e8abd0fba5b04405c726a45cd5ea93ea43d0a07efc90e7d0c1f6.exe | 72
PID 2156 wrote to memory of 4040 | 2156 | f9aee415a399e8abd0fba5b04405c726a45cd5ea93ea43d0a07efc90e7d0c1f6.exe | 72
PID 2156 wrote to memory of 4040 | 2156 | f9aee415a399e8abd0fba5b04405c726a45cd5ea93ea43d0a07efc90e7d0c1f6.exe | 72
Processes
(process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\f9aee415a399e8abd0fba5b04405c726a45cd5ea93ea43d0a07efc90e7d0c1f6.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f9aee415a399e8abd0fba5b04405c726a45cd5ea93ea43d0a07efc90e7d0c1f6.exe"
PID: 2156
- Adds Run key to start application
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidj7493.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidj7493.exe
    PID: 2488
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziHh3760.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziHh3760.exe
        PID: 2560
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it896957.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it896957.exe
            PID: 3172
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr791644.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr791644.exe
            PID: 3892
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp411059.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp411059.exe
        PID: 1964
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr531544.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr531544.exe
    PID: 4040
    - Executes dropped EXE

        C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 616
        PID: 2580
        - Program crash

        C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 696
        PID: 5048
        - Program crash

        C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 832
        PID: 3904
        - Program crash

        C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 844
        PID: 1408
        - Program crash

        C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 872
        PID: 3928
        - Program crash

        C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 848
        PID: 4736
        - Program crash

        C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 1080
        PID: 3488
        - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 256KB
MD5: 29d5723187610e96b5a4723eaf91c8ad
SHA1: 055b7e5ae5440b82d001ee2500b96072ec9e3522
SHA256: b9d764777b81f560dde92ad97e707c8d597dd99a78ff0f949e9c74b744b43718
SHA512: 58b2eea69affdd121c07ab6d17c0040a7ca77ebe9c48a79fb91656168e61d33edbaf7f5dc5c2c16a96d9cd0985fc2f7fabd30a49631720e4934ce7f2d68ab3f3
Filesize: 568KB
MD5: 5380db20e95ccde5287d4f981ee97a86
SHA1: 948939290247d045099e46c9bd0ee0e4a74563db
SHA256: 04620d416bfa1c63478823de83c7e35386a133f283d31dac5976dcff482325d4
SHA512: 77696bef417c3b20d9aef589bebdfb7c0034f1b2a58b9b5ba27bd29c5503137d8f157899d006725e8170d8171312c9e93a12f2b933e24165e3984af55b1cf4a2
Filesize: 136KB
MD5: 86810f340795831f3c2bd147981be929
SHA1: 573345e2c322720fa43f74d761ff1d48028f36c9
SHA256: d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139
SHA512: c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f
Filesize: 414KB
MD5: bc032b8208c0db06e280c13adb599d4f
SHA1: dcba0605e0d1d719250274dc07463e7f40018dff
SHA256: 6b73b9bbca17d083a36b97f7aa216973d4e944f2309d5c3cfa13517dd04d2a10
SHA512: d4bb9a1b2960957b8cf8ebdd4d4195e3b48feb1996c6da78b6ca2b6aaa8700bb7b5b5ea79d5d6362c1c611df9b86ab8132c090cca29a92caada6c47543f5604c
Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
Filesize: 360KB
MD5: 3c3048176a5d549348ee1857e951db00
SHA1: 447b0f400ab18c2f0c83b86e04e6e7870e9f183d
SHA256: a390d67cca8820e86d83fb3ed917cb9f0ea15641644f2666186e35edc437545f
SHA512: 5ce19af3b6a8234c2e4b0b95d4e5ed1f6579c35097c023291e75b194f2ad252f9dbec1497428f1c156d79dd38b057734da417c03f27c8fc6aedd2897537ef422