Analysis
- max time kernel: 141s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/04/2023, 10:39
Static task
static1
General
- Target: 552d3d1b61cd87466d966a15ab52b3a52c94b9d5af910f9e73b5fa92b0b1c5d8.exe
- Size: 707KB
- MD5: c927bd121b07f0d863804dc458ca4055
- SHA1: 484f946abc1dde296d00512be3a46bba1d85e793
- SHA256: 552d3d1b61cd87466d966a15ab52b3a52c94b9d5af910f9e73b5fa92b0b1c5d8
- SHA512: bb6499d94749bd9f81e4eae88c95c9521855b41cd0d86bf5acb5dce6dc22abdfd5bdd5064eb09074eb22c706413325763029b47237b0e4e730a495a447096fed
- SSDEEP: 12288:Jy90agTemBNIAjUjKmw+DPRVGcqu97uOJk6c/cQ8sAbokr:Jy+Tem2KD+LRVGsFUhGoQ
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description / ioc / Process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (pr653934.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (pr653934.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (pr653934.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (pr653934.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (pr653934.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (pr653934.exe)
Executes dropped EXE 4 IoCs
pid / Process:
- 4608 un501447.exe
- 3376 pr653934.exe
- 1136 qu174565.exe
- 2648 si886776.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description / ioc / Process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (pr653934.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (pr653934.exe)
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description / ioc / Process:
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (552d3d1b61cd87466d966a15ab52b3a52c94b9d5af910f9e73b5fa92b0b1c5d8.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (552d3d1b61cd87466d966a15ab52b3a52c94b9d5af910f9e73b5fa92b0b1c5d8.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (un501447.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un501447.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Launches sc.exe 1 IoCs
sc.exe is a Windows utility used to control services on the system.
pid / Process:
- 4084 sc.exe
Program crash 2 IoCs
pid / pid_target / Process / procid_target:
- 872 / 3376 / WerFault.exe / 85
- 1704 / 1136 / WerFault.exe / 91
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid / Process:
- 3376 pr653934.exe
- 3376 pr653934.exe
- 1136 qu174565.exe
- 1136 qu174565.exe
- 2648 si886776.exe
- 2648 si886776.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description / pid / Process:
- Token: SeDebugPrivilege / 3376 / pr653934.exe
- Token: SeDebugPrivilege / 1136 / qu174565.exe
- Token: SeDebugPrivilege / 2648 / si886776.exe
Suspicious use of WriteProcessMemory 12 IoCs
description / pid / Process / procid_target:
- PID 4120 wrote to memory of 4608 / 4120 / 552d3d1b61cd87466d966a15ab52b3a52c94b9d5af910f9e73b5fa92b0b1c5d8.exe / 84
- PID 4120 wrote to memory of 4608 / 4120 / 552d3d1b61cd87466d966a15ab52b3a52c94b9d5af910f9e73b5fa92b0b1c5d8.exe / 84
- PID 4120 wrote to memory of 4608 / 4120 / 552d3d1b61cd87466d966a15ab52b3a52c94b9d5af910f9e73b5fa92b0b1c5d8.exe / 84
- PID 4608 wrote to memory of 3376 / 4608 / un501447.exe / 85
- PID 4608 wrote to memory of 3376 / 4608 / un501447.exe / 85
- PID 4608 wrote to memory of 3376 / 4608 / un501447.exe / 85
- PID 4608 wrote to memory of 1136 / 4608 / un501447.exe / 91
- PID 4608 wrote to memory of 1136 / 4608 / un501447.exe / 91
- PID 4608 wrote to memory of 1136 / 4608 / un501447.exe / 91
- PID 4120 wrote to memory of 2648 / 4120 / 552d3d1b61cd87466d966a15ab52b3a52c94b9d5af910f9e73b5fa92b0b1c5d8.exe / 94
- PID 4120 wrote to memory of 2648 / 4120 / 552d3d1b61cd87466d966a15ab52b3a52c94b9d5af910f9e73b5fa92b0b1c5d8.exe / 94
- PID 4120 wrote to memory of 2648 / 4120 / 552d3d1b61cd87466d966a15ab52b3a52c94b9d5af910f9e73b5fa92b0b1c5d8.exe / 94
Processes
- C:\Users\Admin\AppData\Local\Temp\552d3d1b61cd87466d966a15ab52b3a52c94b9d5af910f9e73b5fa92b0b1c5d8.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\552d3d1b61cd87466d966a15ab52b3a52c94b9d5af910f9e73b5fa92b0b1c5d8.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4120
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un501447.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un501447.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4608
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr653934.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr653934.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:3376
      - C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1088
        - Program crash
        PID:872
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu174565.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu174565.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:1136
      - C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 1808
        - Program crash
        PID:1704
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si886776.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si886776.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2648
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3376 -ip 3376
  PID:3460
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1136 -ip 1136
  PID:3248
- C:\Windows\system32\sc.exe
  command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
  PID:4084
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 136KB
  MD5: 49650cdcdc358bb2770f0062abeef88c
  SHA1: d6f7ec7758e9a80700b81bc7a549838ba99aacac
  SHA256: 79e2e1c24f6eb497a4c8071e93ce7ef130b28621b085a3b9ac89a4ecf1ec4e59
  SHA512: 7ca1453671b64b79f2144bb994b7768cc2320ca5da52f2e6ce4d8906f79dae4698943508678bfe02d17f2a7d7910fc42b84c3b605f1e1cea257955e64d0e02e1
- Filesize: 552KB
  MD5: af6f924f95965c32acdb3b279d300334
  SHA1: a8cda26ed882e117e52185af78b70f986a4ccd01
  SHA256: fd85f3ac6844a461959dee79f84b188b694af2573de55d37e3ed17d59455ffa0
  SHA512: 3b5ac1b2e2fb8707ef651e4ebde4fb4a7357347d100df840ba92b4ee323944fae8ec39aa66c3f2a64ffef7f06247e6c2b1219e5b558c65580e89dbec0fdb8d6b
- Filesize: 279KB
  MD5: 6a4a6f9ee4fba80ce792815e7247a8e2
  SHA1: b1c5c65dbc90681f985cf8db7b8e0d8013424f90
  SHA256: 1d16d8f639aa51b4941f20319ddb1a01af96d43046d7d2d44b34c46a2fe875c9
  SHA512: 7034903dfb79320e6e6e464140b6e070ab6e87ebad52badab5a3d006207deeb4ec9b41324f6e4a46877712554ba698e73b1d29aab280a9f940fa546214b66fb3
- Filesize: 362KB
  MD5: 1b4b87292b34afaf3ab5b06da9f38e0d
  SHA1: e441a702caf9cc7bd4bd1cda14e0dba82be35532
  SHA256: 63323a123f157bcd1ad4b18a57ba84b6cc3e79854c21fe1e4e5d371689ee0552
  SHA512: 68c7647e0b39c990dd37e400a724670287c160c638c31cf6038a668c5b0d6d4e43ffa6f561dfd841641007907899be82881cf2c311527c2744d36649834859ed