Analysis
max time kernel: 135s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/04/2023, 21:28
Static task: static1
General
Target: edf84954fa799e0375970160e6166c836441dd43e944b53f4acf53b0b973d17a.exe
Size: 694KB
MD5: 81e6a2908d447acd00f22e1cf9f04308
SHA1: 013b76f0d2dde625a46819f47c7683b8619f104f
SHA256: edf84954fa799e0375970160e6166c836441dd43e944b53f4acf53b0b973d17a
SHA512: de1570d4424de34efc72dd0f42b4b36b28d703910227e3db281edaa16bd56dfc32af6df49761cf735dcb7ea120fc4cbc3c548561ae7aeaa8009477f10fcf7838
SSDEEP: 12288:6y90pEKcj5k8ulRPUyeWbMJWs83co/HW0ElJ6ERSfT7DphaexuBFLXRg8Y9:6yoPcjslJUyeWbXVco/2pBWlbAvLB8
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr742782.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr742782.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr742782.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr742782.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr742782.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr742782.exe
Executes dropped EXE (4 IoCs)
pid | Process
2388 | un463773.exe
1684 | pr742782.exe
3640 | qu452027.exe
4444 | si482489.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr742782.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr742782.exe
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | edf84954fa799e0375970160e6166c836441dd43e944b53f4acf53b0b973d17a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | edf84954fa799e0375970160e6166c836441dd43e944b53f4acf53b0b973d17a.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un463773.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un463773.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash (2 IoCs)
pid | pid_target | Process | procid_target
2372 | 1684 | WerFault.exe | 84
3800 | 3640 | WerFault.exe | 87
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
1684 | pr742782.exe
1684 | pr742782.exe
3640 | qu452027.exe
3640 | qu452027.exe
4444 | si482489.exe
4444 | si482489.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1684 | pr742782.exe
Token: SeDebugPrivilege | 3640 | qu452027.exe
Token: SeDebugPrivilege | 4444 | si482489.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 4260 wrote to memory of 2388 | 4260 | edf84954fa799e0375970160e6166c836441dd43e944b53f4acf53b0b973d17a.exe | 83
PID 4260 wrote to memory of 2388 | 4260 | edf84954fa799e0375970160e6166c836441dd43e944b53f4acf53b0b973d17a.exe | 83
PID 4260 wrote to memory of 2388 | 4260 | edf84954fa799e0375970160e6166c836441dd43e944b53f4acf53b0b973d17a.exe | 83
PID 2388 wrote to memory of 1684 | 2388 | un463773.exe | 84
PID 2388 wrote to memory of 1684 | 2388 | un463773.exe | 84
PID 2388 wrote to memory of 1684 | 2388 | un463773.exe | 84
PID 2388 wrote to memory of 3640 | 2388 | un463773.exe | 87
PID 2388 wrote to memory of 3640 | 2388 | un463773.exe | 87
PID 2388 wrote to memory of 3640 | 2388 | un463773.exe | 87
PID 4260 wrote to memory of 4444 | 4260 | edf84954fa799e0375970160e6166c836441dd43e944b53f4acf53b0b973d17a.exe | 90
PID 4260 wrote to memory of 4444 | 4260 | edf84954fa799e0375970160e6166c836441dd43e944b53f4acf53b0b973d17a.exe | 90
PID 4260 wrote to memory of 4444 | 4260 | edf84954fa799e0375970160e6166c836441dd43e944b53f4acf53b0b973d17a.exe | 90
Processes
- C:\Users\Admin\AppData\Local\Temp\edf84954fa799e0375970160e6166c836441dd43e944b53f4acf53b0b973d17a.exe (PID 4260)
  command line: "C:\Users\Admin\AppData\Local\Temp\edf84954fa799e0375970160e6166c836441dd43e944b53f4acf53b0b973d17a.exe"
  signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un463773.exe (PID 2388)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un463773.exe
    signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742782.exe (PID 1684)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr742782.exe
      signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 2372)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 1100
        signatures: Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu452027.exe (PID 3640)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu452027.exe
      signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 3800)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1816
        signatures: Program crash
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si482489.exe (PID 4444)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si482489.exe
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 1116)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1684 -ip 1684
- C:\Windows\SysWOW64\WerFault.exe (PID 5080)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3640 -ip 3640
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 136KB
MD5: 9c75a048f066d01b19ed80dc6e7a7101
SHA1: 7d37c8ef50e8b83fcdd44032fb082f226ab3d8c3
SHA256: c816d0c862e5001569f4454d0a12c7ee85a7d5afbf3abd896546bba1816d1625
SHA512: b70e03a3fcfd29276b36d42ae1b2fedda5de020f0279d798f9fbd1d7f4ac1f10e60cf623e173a55dc42f87d99a83fe9a8db8f6b02a349257d8a2665f84f99e33
Filesize: 540KB
MD5: c8720aaec8750352f7f2b7390161f96d
SHA1: ad89e55974298c56b2d655fd3718295dbac810c3
SHA256: 21a0f54166a7619eef7990084419fd1eff25779d2380592a24373d36037a9ff5
SHA512: 3afa930cf871e9f2837c63cf378784610f97883b57aa14476cc9faf7bdf3770d5147b038049ad0859bc191728ebd542805bd285b689eb55c5beee30a4ecc2e4a
Filesize: 278KB
MD5: 7540db5a0b0e2d1ec36eb6d1c6121d70
SHA1: 3a6ac7996a2d528296efe897881ff583b4f18cd8
SHA256: 71aa483acba7f279f363600ea1f937cb82efd87a8281532fda290c5c55b3d813
SHA512: 5813219f4e199c155521d41ac32c862d1e892579561689b6b776e61a5a93c4eca11672ed2d7fac16c514d28d57fede9d2b43fc5f816b0595decfbc9fe1cede97
Filesize: 361KB
MD5: 6ad6232ad21ab877e0a615a2d8cf0c76
SHA1: 7e063c0e43e0dc7f88ce8aa94e6af5be92b24551
SHA256: 79c26fa15a09a50865c2ce7f243cf47f11ccec6212645a1bfeaec1882501fb95
SHA512: 32954386c1636bb0aee38783478604083d361dd65e578332df7ada40eba6e7dc0a58111c3424dd1903ae2430ce1b278f1cc709742908e9f582e2583a0d31ae3d