Analysis
max time kernel: 146s
max time network: 142s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 20/04/2023, 02:57
Static task: static1
General
Target: 94d6c463c205971378ea839bb8a9a3e8d386e89c5077766c70cc7b0f2aa980d5.exe
Size: 827KB
MD5: 76660ee327ef0fef2755b555491d785d
SHA1: c9b4cb2a1a8c23fa02af25b6c49ea7f88b66ac16
SHA256: 94d6c463c205971378ea839bb8a9a3e8d386e89c5077766c70cc7b0f2aa980d5
SHA512: fe5eea58c4d8cad589f51bb32f0e32875fe86f7b174f3502ee72edb2fd501f3f6f85cfad413af5dbebe37a2d1d36d8901a0577a16446aaaaa65a13d145837d83
SSDEEP: 12288:Py90qsitI+0deDCMsJ/zb8POJnmCQgDtJpFUIjcp7Hw2P2DZWer:Py8fFdJJ38WnXxDtH6IQ7D2D5
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings 5 IoCs
description      ioc                                                                                                                   Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"    it241763.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  it241763.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"    it241763.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"        it241763.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"    it241763.exe
All five writes go to the Group Policy branch for Defender (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender), which Defender honours over its own configuration. Together they switch off real-time scanning, the scan that normally runs when real-time protection is re-enabled, behaviour monitoring, IOAV scanning of downloaded files and on-access scanning (ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools). The writer is it241763.exe, the helper dropped from the innermost SFX layer (IXP002.TMP); it runs before the other payloads so they are not scanned.
Executes dropped EXE 6 IoCs
pid   Process
4884  zich8004.exe
2064  zitO8881.exe
1744  it241763.exe
2416  jr955952.exe
1812  kp852116.exe
3260  lr993120.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 1 IoCs
description      ioc                                                                                   Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"   it241763.exe
Caveat: Tamper Protection was introduced with Windows 10 1903, so on the 1703 image used for this run nothing guards this key and the write, like the policy writes above, takes effect unopposed. On a current build with Tamper Protection enabled, Defender blocks direct registry writes to this value and, depending on how Defender is managed, also prevents the Real-Time Protection policy values from taking effect; the same helper would fail to blind Defender there, so the attempt itself is the detection signal, not the resulting state.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
description      ioc                                                                                                                                                       Process
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                                            94d6c463c205971378ea839bb8a9a3e8d386e89c5077766c70cc7b0f2aa980d5.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\""   94d6c463c205971378ea839bb8a9a3e8d386e89c5077766c70cc7b0f2aa980d5.exe
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                                            zich8004.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\""   zich8004.exe
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                                            zitO8881.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\""   zitO8881.exe
These RunOnce values are not the payload's persistence. wextract.exe, the self-extractor used by Windows IExpress packages, writes a wextract_cleanupN value for every extraction so that advpack.dll's DelNodeRunDLL32 deletes its IXP00N.TMP directory at the next logon. The index N is the nesting level, which gives away the packaging: the submitted sample extracts to IXP000.TMP, zich8004.exe (itself an SFX) to IXP001.TMP and zitO8881.exe to IXP002.TMP, so this is three IExpress packages nested inside one another. In this run none of the final-stage executables (it241763, jr955952, kp852116, lr993120) adds a Run key of its own.
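A detection pass over the registry writes from the three signatures above (Defender Real-Time Protection policies, TamperProtection, and the RunOnce cleanup entries), as an added example in Python; it is not Triage's code. It separates the defence-impairing writes from the packer's housekeeping and keys on the data written, not just the key path, so a legitimate write of 0 does not fire. The RegEvent records are constructed from the rows on this page in a Sysmon Event ID 13-like layout (not a real log export); read_live_events() is an assumed helper for applying the same rules to a Windows host.

```python
"""Classify Defender-related registry writes seen in the Triage report (added example)."""
from dataclasses import dataclass

# Key paths exactly as the sandbox prints them (native \REGISTRY\MACHINE form).
RTP_POLICY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
TAMPER_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"
RUNONCE_WOW = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"

# Values under the Real-Time Protection policy key that switch a component off when set to 1.
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable",
    "DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
}

@dataclass(frozen=True)
class RegEvent:
    process: str   # image name of the writing process
    key: str       # key path (native or HKLM\ spelling)
    value: str     # value name
    data: object   # DWORD (int) or REG_SZ (str) written

@dataclass(frozen=True)
class Finding:
    process: str
    severity: str   # "high" = a defence is impaired, "info" = packer artifact worth knowing
    detail: str
    technique: str  # ATT&CK technique ID

def _norm(key: str) -> str:
    """Map HKLM\\ and HKEY_LOCAL_MACHINE\\ spellings onto the native prefix, case-folded."""
    for prefix in ("HKEY_LOCAL_MACHINE\\", "HKLM\\"):
        if key.upper().startswith(prefix):
            key = "\\REGISTRY\\MACHINE\\" + key[len(prefix):]
    return key.rstrip("\\").lower()

def classify(ev: RegEvent):
    key = _norm(ev.key)
    if key == _norm(RTP_POLICY) and ev.value in RTP_DISABLE_VALUES and ev.data == 1:
        return Finding(ev.process, "high", f"{ev.value}=1 disables a real-time protection component", "T1562.001")
    if key == _norm(TAMPER_KEY) and ev.value == "TamperProtection" and ev.data == 0:
        return Finding(ev.process, "high",
                       "TamperProtection=0 written directly (effective only where Tamper Protection is absent or off)",
                       "T1562.001")
    if key.endswith("\\currentversion\\runonce") and isinstance(ev.data, str) \
            and "advpack.dll,delnoderundll32" in ev.data.lower():
        # wextract.exe (IExpress SFX) schedules deletion of its IXP00N.TMP directory this way:
        # packer housekeeping, not payload persistence, but proof of a nested SFX layer.
        return Finding(ev.process, "info", f"{ev.value}: wextract cleanup entry (nested IExpress SFX)", "T1547.001")
    return None

def audit(events):
    return [f for f in map(classify, events) if f is not None]

def tampering_processes(events):
    """Processes with at least one high-severity finding."""
    return sorted({f.process for f in audit(events) if f.severity == "high"})

# Constructed from the report's rows, plus one benign write (data 0) that must not fire.
SAMPLE_EVENTS = [
    RegEvent("it241763.exe", RTP_POLICY, "DisableRealtimeMonitoring", 1),
    RegEvent("it241763.exe", RTP_POLICY, "DisableScanOnRealtimeEnable", 1),
    RegEvent("it241763.exe", RTP_POLICY, "DisableBehaviorMonitoring", 1),
    RegEvent("it241763.exe", RTP_POLICY, "DisableIOAVProtection", 1),
    RegEvent("it241763.exe", RTP_POLICY, "DisableOnAccessProtection", 1),
    RegEvent("it241763.exe", TAMPER_KEY, "TamperProtection", 0),
    RegEvent("zitO8881.exe", RUNONCE_WOW, "wextract_cleanup2",
             r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"'),
    RegEvent("svchost.exe", "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection",
             "DisableRealtimeMonitoring", 0),   # constructed benign write: re-enables monitoring
]

def read_live_events():
    """Assumed helper: read the same values from the local registry (Windows only, [] elsewhere).
    32-bit Python needs KEY_WOW64_64KEY to see the native 64-bit view of HKLM."""
    import sys
    if sys.platform != "win32":
        return []
    import winreg
    out = []
    for key_path, names in ((RTP_POLICY, RTP_DISABLE_VALUES), (TAMPER_KEY, {"TamperProtection"})):
        sub = key_path.split("\\MACHINE\\", 1)[1]
        try:
            h = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub, 0, winreg.KEY_READ | winreg.KEY_WOW64_64KEY)
        except FileNotFoundError:
            continue   # absent key: the policy is simply not set
        with h:
            for name in names:
                try:
                    data, _ = winreg.QueryValueEx(h, name)
                except FileNotFoundError:
                    continue
                out.append(RegEvent("(local registry)", key_path, name, data))
    return out

if __name__ == "__main__":
    for f in audit(SAMPLE_EVENTS + read_live_events()):
        print(f"[{f.severity}] {f.process}: {f.detail} ({f.technique})")
```

Run as-is it reports six high findings for it241763.exe and one informational finding for zitO8881.exe; the svchost.exe write is ignored. On a Windows host the live values are appended so a DisableRealtimeMonitoring=1 left behind by a previous infection shows up as a finding attributed to "(local registry)".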
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). This is common in ransomware, which enumerates drives to find data to encrypt, but stealers and loaders enumerate drives too, and no other signature in this report points to encryption, so on its own this is weak evidence for a ransomware classification.
Program crash 9 IoCs
pid   pid_target  Process       procid_target
2780  3260        WerFault.exe  72
4356  3260        WerFault.exe  72
2244  3260        WerFault.exe  72
4772  3260        WerFault.exe  72
4512  3260        WerFault.exe  72
4588  3260        WerFault.exe  72
2496  3260        WerFault.exe  72
3756  3260        WerFault.exe  72
1084  3260        WerFault.exe  72
All nine rows are Windows Error Reporting launches for the same target, lr993120.exe (PID 3260); the invocations in the process tree differ only in the -s handle argument. Beyond being executed, that payload shows no behaviour in this run, so whatever it was meant to do is not captured in this report.
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid   Process
1744  it241763.exe
1744  it241763.exe
2416  jr955952.exe
2416  jr955952.exe
1812  kp852116.exe
1812  kp852116.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description               pid   Process
Token: SeDebugPrivilege   1744  it241763.exe
Token: SeDebugPrivilege   2416  jr955952.exe
Token: SeDebugPrivilege   1812  kp852116.exe
The three final-stage payloads that survive each enable SeDebugPrivilege, the privilege needed to open processes owned by other users or the system. Paired with the process enumeration above it is the usual prelude to reading or injecting into another process, although the WriteProcessMemory rows below record no write into any pre-existing process in this run.
Suspicious use of WriteProcessMemory 17 IoCs
description                        pid   Process                                                                 procid_target  rows
PID 4616 wrote to memory of 4884   4616  94d6c463c205971378ea839bb8a9a3e8d386e89c5077766c70cc7b0f2aa980d5.exe  66             3
PID 4884 wrote to memory of 2064   4884  zich8004.exe                                                            67             3
PID 2064 wrote to memory of 1744   2064  zitO8881.exe                                                            68             2
PID 2064 wrote to memory of 2416   2064  zitO8881.exe                                                            69             3
PID 4884 wrote to memory of 1812   4884  zich8004.exe                                                            71             3
PID 4616 wrote to memory of 3260   4616  94d6c463c205971378ea839bb8a9a3e8d386e89c5077766c70cc7b0f2aa980d5.exe  72             3
Every write targets a process the writer has just created (compare the PIDs with the process tree): this is each SFX layer populating its child at launch, not injection into a running process.
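The parent/child pairs above are enough to rebuild the process tree and to check the nested-SFX structure mechanically: wextract numbers each extraction directory by nesting level, so a file found in IXP00N.TMP should have been spawned by a process sitting N levels below the submitted sample. The following is an added example in Python, not Triage code; WPM_EVENTS and IMAGES are constructed from the 17 rows (duplicates kept on purpose) and from the process tree on this page.

```python
"""Rebuild the dropper's process tree from the sandbox's WriteProcessMemory rows (added example)."""
import re
from collections import OrderedDict

# (writer_pid, target_pid) exactly as listed in the report, duplicate rows included.
WPM_EVENTS = [
    (4616, 4884), (4616, 4884), (4616, 4884),
    (4884, 2064), (4884, 2064), (4884, 2064),
    (2064, 1744), (2064, 1744),
    (2064, 2416), (2064, 2416), (2064, 2416),
    (4884, 1812), (4884, 1812), (4884, 1812),
    (4616, 3260), (4616, 3260), (4616, 3260),
]

# PID -> image path, taken from the process tree section of the report.
IMAGES = {
    4616: r"C:\Users\Admin\AppData\Local\Temp\94d6c463c205971378ea839bb8a9a3e8d386e89c5077766c70cc7b0f2aa980d5.exe",
    4884: r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zich8004.exe",
    2064: r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zitO8881.exe",
    1744: r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it241763.exe",
    2416: r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr955952.exe",
    1812: r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp852116.exe",
    3260: r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr993120.exe",
}

IXP_DIR = re.compile(r"\\IXP(\d{3})\.TMP\\", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1]

def build_tree(events):
    """Return {parent_pid: [child_pid, ...]} with duplicate rows collapsed, order preserved."""
    tree = OrderedDict()
    for parent, child in events:
        children = tree.setdefault(parent, [])
        if child not in children:
            children.append(child)
    return tree

def parent_of(tree):
    return {c: p for p, kids in tree.items() for c in kids}

def roots(tree):
    parents = parent_of(tree)
    return [p for p in tree if p not in parents]

def depth(pid, tree):
    """Number of spawn steps between pid and the root process (root = 0)."""
    parents = parent_of(tree)
    d = 0
    while pid in parents:
        pid = parents[pid]
        d += 1
    return d

def ancestry(pid, tree, images):
    """Image names from the root down to pid."""
    parents = parent_of(tree)
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return [basename(images[p]) for p in reversed(chain)]

def sfx_layer(path):
    """Index N of the IXP00N.TMP directory a file was extracted into, or None."""
    m = IXP_DIR.search(path)
    return int(m.group(1)) if m else None

def layers_consistent(tree, images):
    """Return child PIDs whose IXP index does not equal their parent's depth
    (an empty list means a clean nested wextract chain)."""
    bad = []
    for parent, kids in tree.items():
        for child in kids:
            layer = sfx_layer(images[child])
            if layer is not None and layer != depth(parent, tree):
                bad.append(child)
    return bad

def render(tree, images, pid=None, indent=0):
    """Indented text tree, one line per process."""
    lines = []
    for p in ([pid] if pid is not None else roots(tree)):
        lines.append("  " * indent + basename(images[p]) + " (PID %d)" % p)
        for c in tree.get(p, []):
            lines.extend(render(tree, images, c, indent + 1))
    return lines

if __name__ == "__main__":
    t = build_tree(WPM_EVENTS)
    print("\n".join(render(t, IMAGES)))
    print("chain to the Defender tamperer:", " -> ".join(ancestry(1744, t, IMAGES)))
    print("children that break the IXP numbering:", layers_consistent(t, IMAGES))
```

For this report the tree has one root (PID 4616) and six dropped children, matching the "Executes dropped EXE 6 IoCs" count, and layers_consistent() returns an empty list: every IXP index equals its parent's depth, which is what a genuine chain of nested IExpress packages looks like. A child whose IXP index is off by one would point at a process that was started by something other than the SFX that extracted it.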
Processes
1  C:\Users\Admin\AppData\Local\Temp\94d6c463c205971378ea839bb8a9a3e8d386e89c5077766c70cc7b0f2aa980d5.exe  (PID 4616)
   cmdline: "C:\Users\Admin\AppData\Local\Temp\94d6c463c205971378ea839bb8a9a3e8d386e89c5077766c70cc7b0f2aa980d5.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zich8004.exe  (PID 4884)
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zich8004.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zitO8881.exe  (PID 2064)
         cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zitO8881.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it241763.exe  (PID 1744)
            cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it241763.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
         4  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr955952.exe  (PID 2416)
            cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr955952.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      3  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp852116.exe  (PID 1812)
         cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp852116.exe
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
   2  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr993120.exe  (PID 3260)
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr993120.exe
      - Executes dropped EXE
      3  C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 620   (PID 2780)  - Program crash
      3  C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 700   (PID 4356)  - Program crash
      3  C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 840   (PID 2244)  - Program crash
      3  C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 884   (PID 4772)  - Program crash
      3  C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 844   (PID 4512)  - Program crash
      3  C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 864   (PID 4588)  - Program crash
      3  C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 1124  (PID 2496)  - Program crash
      3  C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 1148  (PID 3756)  - Program crash
      3  C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 1096  (PID 1084)  - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize  256KB
MD5       379f36862d9a1214949af646394a3c64
SHA1      b7b6b7431f46a8bf54b9c749e4a3c58bebc284a9
SHA256    3534201b908820ede10946f3bafecc76b8a4b27ca80b6d21a71e3778d1e0bacc
SHA512    2f420e0d10b56caf0dbd4f07c3616d5a1b2ab96d27f43d167476fd39c7171ce072d53d1d17fa3eefb2aca0cccc2c0f5ff8a5d7795b0957ced64583b2f8faa11d

Filesize  568KB
MD5       e664ec7640e2a192902fc1308d1c254f
SHA1      a687796a5ee1089d961f7cb76a1143f24533cd16
SHA256    787c783ed5000cf3cb95297e9d64eb35a238cf86ca4da062f31b1698bae1a712
SHA512    69837ef53416378a68978ff55b208440eee450721224aa0751b85d3b8cf7f967c9b1fcfb3c4cc4b9eddfa26ff7e6bde4b1614a6df08931d8e98855416b3ab96a

Filesize  136KB
MD5       86810f340795831f3c2bd147981be929
SHA1      573345e2c322720fa43f74d761ff1d48028f36c9
SHA256    d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139
SHA512    c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Filesize  414KB
MD5       8f727ea245762e2115f7dcc5b61e69ff
SHA1      d91f7338f35553ac30dad3c1902ed26e72e12ec1
SHA256    fa80b31ccf7d541cdc99e291bd029d26d414cef34e7e85739bfbf1416911c75a
SHA512    5e6b858544bfd8e3afc41d6f46f0a02be325ba9813e1fa9c18bf731503292290f6d714059b7cec0d0ab1de848943e72eb3d6f3bbd21dc581ffa7a15dfebe5e92

Filesize  11KB
MD5       7e93bacbbc33e6652e147e7fe07572a0
SHA1      421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize  360KB
MD5       1333c1bfb1cafd976014befb91a1902f
SHA1      71449939a721a4acac911023b64749433ffd8214
SHA256    b89c56fd4542d7517adde1437dc6006ff8542fe642dbe9ae3bc66ec0140d639c
SHA512    a808f1f1fe48b7ca42619f8c9bf1a2d5d17bc2f5867666840ae47a7b48fda2e75d83b284f39e355edeb55bfa3d022e5530aba4fd72c0e6724d55cb1891aa9241

Six distinct files are dropped, one per "Executes dropped EXE" entry, though the report does not map hashes to file names. The sizes are consistent with the three-layer SFX structure: 568KB + 256KB fits inside the 827KB sample, 414KB + 136KB inside the 568KB file, and 360KB + 11KB inside the 414KB file, each with a small margin for the wextract stub and cabinet headers. Treat that as a plausibility check, not a confirmed mapping; confirm it by extracting the IXP*.TMP contents or by hashing the files in the sandbox's file tree.