Analysis
max time kernel: 90s
max time network: 92s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 22/04/2023, 02:16
Static task
static1
General
Target: ea9f0760a85eaf8c80e137cdac113a7a9a5a69108ac4d0d3dce801402b64b40b.exe
Size: 706KB
MD5: 97a6a2c76e63982557bbd1ef54f0512d
SHA1: 0dcc9bf8c1708e2ed92160450f0ed12e9cbdd98a
SHA256: ea9f0760a85eaf8c80e137cdac113a7a9a5a69108ac4d0d3dce801402b64b40b
SHA512: a99882b19cb8944de10ecd6856415c6c8f0345de6b87aee2d8b83ef276da679e8e5436231fac0165d06d4152b974ecd4b8d80396fe0b0d4e753c4157e94b74e4
SSDEEP: 12288:Ky90W9+jA1m5u1CvywUpxQAhniQWxl6BA/KgrsiUjODI+J91d4t:KydGA1m40K7rpouAtUjUlJ9U
Malware Config
Signatures

Modifies Windows Defender Real-time Protection settings 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr451184.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr451184.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr451184.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr451184.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr451184.exe

Executes dropped EXE 4 IoCs
pid | Process
4556 | un078904.exe
4752 | pr451184.exe
4920 | qu218053.exe
4676 | si037367.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr451184.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr451184.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ea9f0760a85eaf8c80e137cdac113a7a9a5a69108ac4d0d3dce801402b64b40b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ea9f0760a85eaf8c80e137cdac113a7a9a5a69108ac4d0d3dce801402b64b40b.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un078904.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un078904.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4752 | pr451184.exe
4752 | pr451184.exe
4920 | qu218053.exe
4920 | qu218053.exe
4676 | si037367.exe
4676 | si037367.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4752 | pr451184.exe
Token: SeDebugPrivilege | 4920 | qu218053.exe
Token: SeDebugPrivilege | 4676 | si037367.exe

Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 4188 wrote to memory of 4556 | 4188 | ea9f0760a85eaf8c80e137cdac113a7a9a5a69108ac4d0d3dce801402b64b40b.exe | 66
PID 4188 wrote to memory of 4556 | 4188 | ea9f0760a85eaf8c80e137cdac113a7a9a5a69108ac4d0d3dce801402b64b40b.exe | 66
PID 4188 wrote to memory of 4556 | 4188 | ea9f0760a85eaf8c80e137cdac113a7a9a5a69108ac4d0d3dce801402b64b40b.exe | 66
PID 4556 wrote to memory of 4752 | 4556 | un078904.exe | 67
PID 4556 wrote to memory of 4752 | 4556 | un078904.exe | 67
PID 4556 wrote to memory of 4752 | 4556 | un078904.exe | 67
PID 4556 wrote to memory of 4920 | 4556 | un078904.exe | 68
PID 4556 wrote to memory of 4920 | 4556 | un078904.exe | 68
PID 4556 wrote to memory of 4920 | 4556 | un078904.exe | 68
PID 4188 wrote to memory of 4676 | 4188 | ea9f0760a85eaf8c80e137cdac113a7a9a5a69108ac4d0d3dce801402b64b40b.exe | 70
PID 4188 wrote to memory of 4676 | 4188 | ea9f0760a85eaf8c80e137cdac113a7a9a5a69108ac4d0d3dce801402b64b40b.exe | 70
PID 4188 wrote to memory of 4676 | 4188 | ea9f0760a85eaf8c80e137cdac113a7a9a5a69108ac4d0d3dce801402b64b40b.exe | 70
Processes

C:\Users\Admin\AppData\Local\Temp\ea9f0760a85eaf8c80e137cdac113a7a9a5a69108ac4d0d3dce801402b64b40b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ea9f0760a85eaf8c80e137cdac113a7a9a5a69108ac4d0d3dce801402b64b40b.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4188

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un078904.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un078904.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4556

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451184.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr451184.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:4752

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu218053.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu218053.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:4920

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si037367.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si037367.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4676
Network
MITRE ATT&CK Enterprise v6
Downloads