Analysis
max time kernel: 95s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/04/2023, 06:51
Static task
static1
General
Target: 2008044eca9a7de9a8b090746d2d000daf61b8a305450ab32d0c8eecc57a54f7.exe
Size: 569KB
MD5: e16aa9c33b0b8bd510d86d8747a0e82f
SHA1: 133bd312f8e1e3eaf246254c912b2d9fbfb978b4
SHA256: 2008044eca9a7de9a8b090746d2d000daf61b8a305450ab32d0c8eecc57a54f7
SHA512: f3e00ba5a7f331847ae4a712f874d8a8650283e09fcbc944a3111a4dfc0dc0607397fc3800263af3243bdfe4a2ddf95359ada4f5be0793471c6a4c3d2955e114
SSDEEP: 12288:cy90+BBqBMbIU8w3hbrTyedSn0Y8405kpymxHNrYbGksfK:cyfBBqBZU8w3hf+ISns4aCYxj
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it372024.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | it372024.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it372024.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it372024.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it372024.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it372024.exe
Executes dropped EXE 4 IoCs
pid | Process
4064 | zimv9509.exe
3240 | it372024.exe
116 | kp219351.exe
4972 | lr947039.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.
Windows security modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it372024.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 2008044eca9a7de9a8b090746d2d000daf61b8a305450ab32d0c8eecc57a54f7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 2008044eca9a7de9a8b090746d2d000daf61b8a305450ab32d0c8eecc57a54f7.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | zimv9509.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | zimv9509.exe
Note: the wextract_cleanupN RunOnce values are the stock cleanup entries written by the Windows self-extracting cabinet stub (wextract, as produced by IExpress) so that its IXP00N.TMP extraction directory is deleted at the next logon. Here they show that the target and zimv9509.exe are nested self-extracting packages; they are not a persistence mechanism for the payloads.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 1 IoCs
pid | pid_target | Process | procid_target
1308 | 116 | WerFault.exe | 89
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
3240 | it372024.exe
3240 | it372024.exe
116 | kp219351.exe
116 | kp219351.exe
4972 | lr947039.exe
4972 | lr947039.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3240 | it372024.exe
Token: SeDebugPrivilege | 116 | kp219351.exe
Token: SeDebugPrivilege | 4972 | lr947039.exe
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 3768 wrote to memory of 4064 | 3768 | 2008044eca9a7de9a8b090746d2d000daf61b8a305450ab32d0c8eecc57a54f7.exe | 83
PID 3768 wrote to memory of 4064 | 3768 | 2008044eca9a7de9a8b090746d2d000daf61b8a305450ab32d0c8eecc57a54f7.exe | 83
PID 3768 wrote to memory of 4064 | 3768 | 2008044eca9a7de9a8b090746d2d000daf61b8a305450ab32d0c8eecc57a54f7.exe | 83
PID 4064 wrote to memory of 3240 | 4064 | zimv9509.exe | 84
PID 4064 wrote to memory of 3240 | 4064 | zimv9509.exe | 84
PID 4064 wrote to memory of 116 | 4064 | zimv9509.exe | 89
PID 4064 wrote to memory of 116 | 4064 | zimv9509.exe | 89
PID 4064 wrote to memory of 116 | 4064 | zimv9509.exe | 89
PID 3768 wrote to memory of 4972 | 3768 | 2008044eca9a7de9a8b090746d2d000daf61b8a305450ab32d0c8eecc57a54f7.exe | 95
PID 3768 wrote to memory of 4972 | 3768 | 2008044eca9a7de9a8b090746d2d000daf61b8a305450ab32d0c8eecc57a54f7.exe | 95
PID 3768 wrote to memory of 4972 | 3768 | 2008044eca9a7de9a8b090746d2d000daf61b8a305450ab32d0c8eecc57a54f7.exe | 95
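Added example, not part of the tria.ge report or of the sample: a PowerShell check for the Windows Defender registry values that it372024.exe writes in this run (the "Modifies Windows Defender Real-time Protection settings" and "Windows security modification" signatures above). The key paths and value names are exactly those recorded in the report; the output shape and the commented-out remediation are this example's own choices. Run it from an elevated PowerShell session on the host being checked.

```powershell
# Added example, not part of the tria.ge report: audit a host for the Defender
# registry values that it372024.exe writes in this run. Run from an elevated
# PowerShell session. Key paths and value names are those recorded in the report;
# the output shape and the commented remediation are this example's own choices.

$rtpPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
$rtpValues = @(
    'DisableScanOnRealtimeEnable',
    'DisableBehaviorMonitoring',
    'DisableIOAVProtection',
    'DisableOnAccessProtection',
    'DisableRealtimeMonitoring'
)
$featKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'

$findings = @()

# The policy key does not exist on a default install; its presence alone is notable.
if (Test-Path $rtpPolicy) {
    $props = Get-ItemProperty -Path $rtpPolicy
    foreach ($name in $rtpValues) {
        $p = $props.PSObject.Properties[$name]
        if ($null -ne $p -and $p.Value -eq 1) {
            $findings += [pscustomobject]@{ Key = $rtpPolicy; Name = $name; Value = $p.Value }
        }
    }
}

# The sample also writes Features\TamperProtection = 0.
if (Test-Path $featKey) {
    $tp = (Get-ItemProperty -Path $featKey).PSObject.Properties['TamperProtection']
    if ($null -ne $tp -and $tp.Value -eq 0) {
        $findings += [pscustomobject]@{ Key = $featKey; Name = 'TamperProtection'; Value = $tp.Value }
    }
}

# What the engine actually enforces, independent of the registry contents.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtectionEnabled = $s.RealTimeProtectionEnabled
        BehaviorMonitorEnabled    = $s.BehaviorMonitorEnabled
        IoavProtectionEnabled     = $s.IoavProtectionEnabled
        OnAccessProtectionEnabled = $s.OnAccessProtectionEnabled
        IsTamperProtected         = $s.IsTamperProtected
    } | Format-List
}

if ($findings.Count -eq 0) {
    Write-Output 'No Defender-disabling values from this report are present.'
} else {
    $findings | Format-Table -AutoSize
    # Remediation for the policy values: they are absent by default, so removing
    # them restores the defaults. Tamper Protection is re-enabled through Windows
    # Security or the management channel, not by editing the Features key.
    # $findings | Where-Object Name -ne 'TamperProtection' |
    #     ForEach-Object { Remove-ItemProperty -Path $_.Key -Name $_.Name }
}
```

The sandbox logged the writes succeeding; that does not by itself mean Defender honored them. Tamper Protection, when enabled, is designed to block exactly these registry and policy changes, which is why the script also prints Get-MpComputerStatus: the engine's reported state, not the registry, is the ground truth for what is enforced on the host.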
Processes
C:\Users\Admin\AppData\Local\Temp\2008044eca9a7de9a8b090746d2d000daf61b8a305450ab32d0c8eecc57a54f7.exe (PID 3768)
    command line: "C:\Users\Admin\AppData\Local\Temp\2008044eca9a7de9a8b090746d2d000daf61b8a305450ab32d0c8eecc57a54f7.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zimv9509.exe (PID 4064)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zimv9509.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it372024.exe (PID 3240)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it372024.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp219351.exe (PID 116)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp219351.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\WerFault.exe (PID 1308)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1956
                - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr947039.exe (PID 4972)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr947039.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe (PID 1300)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 116 -ip 116
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 136KB
MD5: 9c75a048f066d01b19ed80dc6e7a7101
SHA1: 7d37c8ef50e8b83fcdd44032fb082f226ab3d8c3
SHA256: c816d0c862e5001569f4454d0a12c7ee85a7d5afbf3abd896546bba1816d1625
SHA512: b70e03a3fcfd29276b36d42ae1b2fedda5de020f0279d798f9fbd1d7f4ac1f10e60cf623e173a55dc42f87d99a83fe9a8db8f6b02a349257d8a2665f84f99e33

Filesize: 415KB
MD5: 8b261921f93827eea0e9b29b524baf24
SHA1: 66924f135a98a1848bffba58ec9fb990f6181b36
SHA256: 48982a27952fbebbf7b9bb1cc56a55dfcb5b40a0770cfcef5235482768ba536d
SHA512: 2d79b5354023533b540963d5457feaf090c671325684f5b7d53b6804efc7668f9814dd277953f9da676e1afdb9b88831a4110015a43925359715c8ba972c74a4

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 382KB
MD5: 959353ae66c54a41d5d1c9dcef11209e
SHA1: e8c3ab3e7de97a577044b2e00bcca6a0b69a82dd
SHA256: c98de88bceedbf050f5250ae91cb8b8ed14a91916c7db4fc76a8a95018510491
SHA512: a0d7e73985c6261840bdda03eb4dbacc8cd07990335ca48fb96aff203eee63d7a58fbd3c9d6258dd27ba430309a04344b945d450824d2c2402aa802235711a63