Analysis

max time kernel:   131s
max time network:  111s
platform:          windows10-2004_x64
resource:          win10v2004-20230221-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted:         22/04/2023, 15:57

Static task
static1
General

Target:  50edaebd6034cf875b053d3675cada5bf21f96ec4019c45c7cde63cbe878f46c.exe
Size:    709KB
MD5:     963ce75948926cb51620590068063dd0
SHA1:    390f5b3837ac6a1719ae43b53a70740f128b1357
SHA256:  50edaebd6034cf875b053d3675cada5bf21f96ec4019c45c7cde63cbe878f46c
SHA512:  3cd14ccb9e38be45029d7341e595035055550eafa947531730db322af2ef6467e76219baa32f874c90b3cc1b4dec60e4a88d380145a188deb3c148699ee0efc6
SSDEEP:  12288:Yy90Lu/gpJCz/llKF9FZbRhcrE8SVYXdXdso9q3LCwnRHzn0utqwQKmxsK:YyxgpJCn+dhcrzXdXdso9g1RjdEwQKRK

Malware Config
Signatures

Modifies Windows Defender Real-time Protection settings  6 IoCs
  description      ioc  process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  pr669017.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  pr669017.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  pr669017.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  pr669017.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  pr669017.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  pr669017.exe

Executes dropped EXE  4 IoCs
  pid   process
  4544  un401540.exe
  824   pr669017.exe
  4300  qu573418.exe
  4916  si798149.exe

Reads user/profile data of web browsers  2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification  2 IoCs
  description      ioc  process
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  pr669017.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  pr669017.exe

Accesses cryptocurrency files/wallets, possible credential harvesting  2 TTPs

Adds Run key to start application  2 TTPs  4 IoCs
  description      ioc  process
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce  50edaebd6034cf875b053d3675cada5bf21f96ec4019c45c7cde63cbe878f46c.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  50edaebd6034cf875b053d3675cada5bf21f96ec4019c45c7cde63cbe878f46c.exe
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce  un401540.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  un401540.exe

Checks installed software on the system  1 TTPs
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Launches sc.exe  1 IoCs
  sc.exe is a Windows utility to control services on the system.
  pid   process
  4620  sc.exe

Program crash  2 IoCs
  pid   pid_target  process       procid_target
  624   824         WerFault.exe  87
  3660  4300        WerFault.exe  93

Suspicious behavior: EnumeratesProcesses  6 IoCs
  pid   process
  824   pr669017.exe
  824   pr669017.exe
  4300  qu573418.exe
  4300  qu573418.exe
  4916  si798149.exe
  4916  si798149.exe

Suspicious use of AdjustPrivilegeToken  3 IoCs
  description              pid   process
  Token: SeDebugPrivilege  824   pr669017.exe
  Token: SeDebugPrivilege  4300  qu573418.exe
  Token: SeDebugPrivilege  4916  si798149.exe

Suspicious use of WriteProcessMemory  12 IoCs
  description                        pid   process                                                                procid_target
  PID 1848 wrote to memory of 4544   1848  50edaebd6034cf875b053d3675cada5bf21f96ec4019c45c7cde63cbe878f46c.exe  86
  PID 1848 wrote to memory of 4544   1848  50edaebd6034cf875b053d3675cada5bf21f96ec4019c45c7cde63cbe878f46c.exe  86
  PID 1848 wrote to memory of 4544   1848  50edaebd6034cf875b053d3675cada5bf21f96ec4019c45c7cde63cbe878f46c.exe  86
  PID 4544 wrote to memory of 824    4544  un401540.exe                                                           87
  PID 4544 wrote to memory of 824    4544  un401540.exe                                                           87
  PID 4544 wrote to memory of 824    4544  un401540.exe                                                           87
  PID 4544 wrote to memory of 4300   4544  un401540.exe                                                           93
  PID 4544 wrote to memory of 4300   4544  un401540.exe                                                           93
  PID 4544 wrote to memory of 4300   4544  un401540.exe                                                           93
  PID 1848 wrote to memory of 4916   1848  50edaebd6034cf875b053d3675cada5bf21f96ec4019c45c7cde63cbe878f46c.exe  96
  PID 1848 wrote to memory of 4916   1848  50edaebd6034cf875b053d3675cada5bf21f96ec4019c45c7cde63cbe878f46c.exe  96
  PID 1848 wrote to memory of 4916   1848  50edaebd6034cf875b053d3675cada5bf21f96ec4019c45c7cde63cbe878f46c.exe  96

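Two of the behaviours above are worth turning into a detection: the writes under the Windows Defender Real-Time Protection policy key and to the Features\TamperProtection value by pr669017.exe, and the RunOnce wextract_cleanup entries, which are what an IExpress self-extracting package registers so that rundll32 loads advpack.dll and deletes its %TEMP%\IXP###.TMP staging directory at the next logon (the nested IXP000.TMP and IXP001.TMP directories in the process tree are two such layers). The Python below is an added example written for this page, not code from tria.ge or from the sample. It normalises the reported key paths (hive prefix, and the WOW6432Node view a 32-bit process is redirected to) and classifies each event. The RegEvent and Finding shapes, the category names and the svchost.exe control event are this example's own assumptions; the other sample events are constructed from the signature rows above.

```python
"""Classify sandbox registry events for Defender tampering and IExpress clean-up.

Added example, not tria.ge output. RegEvent/Finding and the category names are
this example's own; SAMPLE_EVENTS is built from the report's signature rows
plus one constructed benign control.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Real-Time Protection policy values that switch a component off when set to 1
# (ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools).
DEFENDER_RTP_DISABLE_VALUES = frozenset({
    "disablerealtimemonitoring",
    "disableonaccessprotection",
    "disablebehaviormonitoring",
    "disableioavprotection",
    "disablescanonrealtimeenable",
})

# Key paths as returned by normalise_key(): prefix and WOW6432Node removed, lower-cased.
RTP_POLICY_KEY = r"software\policies\microsoft\windows defender\real-time protection"
DEFENDER_FEATURES_KEY = r"software\microsoft\windows defender\features"
RUNONCE_KEY = r"software\microsoft\windows\currentversion\runonce"

_HIVE_PREFIX = re.compile(r"^(?:\\REGISTRY\\MACHINE\\|HKLM\\|HKEY_LOCAL_MACHINE\\)", re.IGNORECASE)
_WOW64_NODE = re.compile(r"\\WOW6432Node(?=\\)", re.IGNORECASE)
# IExpress/wextract self-extractors register this RunOnce command so rundll32
# deletes their %TEMP%\IXP###.TMP staging directory at the next logon.
_WEXTRACT_CLEANUP = re.compile(
    r'rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"?(?P<dir>[^"]+)', re.IGNORECASE)
_IXP_DIR = re.compile(r"\\IXP\d{3}\.TMP$", re.IGNORECASE)


@dataclass(frozen=True)
class RegEvent:
    process: str
    key: str                    # key path as the sandbox reports it
    value_name: Optional[str]   # None for a bare "Key created"
    data: Optional[str]         # value data rendered as text, None for "Key created"


@dataclass(frozen=True)
class Finding:
    category: str
    process: str
    detail: str


def normalise_key(path: str) -> str:
    """Strip the hive prefix and WOW6432Node so 32- and 64-bit views compare equal."""
    path = _HIVE_PREFIX.sub("", path)
    path = _WOW64_NODE.sub("", path)
    return path.strip("\\").lower()


def classify(ev: RegEvent) -> Optional[Finding]:
    """Map one registry event to a Finding, or None if it matches nothing."""
    key = normalise_key(ev.key)
    name = (ev.value_name or "").lower()
    data = (ev.data or "").strip().strip('"')   # the report renders ints as "1"

    if key == RTP_POLICY_KEY:
        if name in DEFENDER_RTP_DISABLE_VALUES and data == "1":
            return Finding("defender_rtp_disabled", ev.process, ev.value_name or "")
        if ev.value_name is None:
            # Creating the policy key alone proves little; keep it as context.
            return Finding("defender_rtp_policy_key_created", ev.process, key)
    elif key == DEFENDER_FEATURES_KEY and name == "tamperprotection" and data == "0":
        return Finding("defender_tamper_protection_off", ev.process, ev.value_name or "")
    elif key == RUNONCE_KEY and name.startswith("wextract_cleanup"):
        m = _WEXTRACT_CLEANUP.search(ev.data or "")
        if m:
            staging_dir = m.group("dir").rstrip("\\")
            if _IXP_DIR.search(staging_dir):
                return Finding("iexpress_staging_cleanup", ev.process, staging_dir)
    return None


def summarise(events: List[RegEvent]) -> Dict[str, List[Finding]]:
    """Classify every event and group the findings by category."""
    grouped: Dict[str, List[Finding]] = {}
    for ev in events:
        finding = classify(ev)
        if finding is not None:
            grouped.setdefault(finding.category, []).append(finding)
    return grouped


RTP_KEY_REPORTED = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES_KEY_REPORTED = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"
RUNONCE_KEY_REPORTED = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
DROPPER = "50edaebd6034cf875b053d3675cada5bf21f96ec4019c45c7cde63cbe878f46c.exe"

# Constructed from the signature rows; the final svchost.exe event is a constructed benign control.
SAMPLE_EVENTS: List[RegEvent] = [
    RegEvent("pr669017.exe", RTP_KEY_REPORTED, None, None),
    RegEvent("pr669017.exe", RTP_KEY_REPORTED, "DisableOnAccessProtection", "1"),
    RegEvent("pr669017.exe", RTP_KEY_REPORTED, "DisableRealtimeMonitoring", "1"),
    RegEvent("pr669017.exe", RTP_KEY_REPORTED, "DisableScanOnRealtimeEnable", "1"),
    RegEvent("pr669017.exe", RTP_KEY_REPORTED, "DisableBehaviorMonitoring", "1"),
    RegEvent("pr669017.exe", RTP_KEY_REPORTED, "DisableIOAVProtection", "1"),
    RegEvent("pr669017.exe", FEATURES_KEY_REPORTED, "TamperProtection", "0"),
    RegEvent(DROPPER, RUNONCE_KEY_REPORTED, "wextract_cleanup0",
             r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    RegEvent("un401540.exe", RUNONCE_KEY_REPORTED, "wextract_cleanup1",
             r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'),
    RegEvent("svchost.exe", RUNONCE_KEY_REPORTED, "InstallerCleanup", r"C:\Windows\Temp\cleanup.exe /quiet"),
]

if __name__ == "__main__":
    for category, findings in summarise(SAMPLE_EVENTS).items():
        print(f"{category}: {len(findings)}")
        for f in findings:
            print(f"  {f.process}  {f.detail}")
```

Two caveats a practitioner would want. When Tamper Protection is enabled, Defender is designed to reject direct registry changes to these settings, so the write is evidence of intent rather than proof that real-time protection went off. The normalisation deliberately treats the WOW6432Node and native views alike, because the report shows the redirected path and the detection should fire on the attempt in either view.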
Processes

1  C:\Users\Admin\AppData\Local\Temp\50edaebd6034cf875b053d3675cada5bf21f96ec4019c45c7cde63cbe878f46c.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\50edaebd6034cf875b053d3675cada5bf21f96ec4019c45c7cde63cbe878f46c.exe"
   PID: 1848
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un401540.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un401540.exe
      PID: 4544
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      3  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr669017.exe
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr669017.exe
         PID: 824
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

         4  C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 1080
            PID: 624
            - Program crash

      3  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu573418.exe
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu573418.exe
         PID: 4300
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

         4  C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 1736
            PID: 3660
            - Program crash

   2  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si798149.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si798149.exe
      PID: 4916
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

1  C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 824 -ip 824
   PID: 3104

1  C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4300 -ip 4300
   PID: 772

1  C:\Windows\system32\sc.exe
   command line: C:\Windows\system32\sc.exe start wuauserv
   PID: 4620
   - Launches sc.exe

Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize:  136KB
MD5:       49650cdcdc358bb2770f0062abeef88c
SHA1:      d6f7ec7758e9a80700b81bc7a549838ba99aacac
SHA256:    79e2e1c24f6eb497a4c8071e93ce7ef130b28621b085a3b9ac89a4ecf1ec4e59
SHA512:    7ca1453671b64b79f2144bb994b7768cc2320ca5da52f2e6ce4d8906f79dae4698943508678bfe02d17f2a7d7910fc42b84c3b605f1e1cea257955e64d0e02e1

Filesize:  555KB
MD5:       a3f3f2021ff1defbe6ad2b2b5925086f
SHA1:      91e0a7040cba847df133f35e6b75ab2622b3010b
SHA256:    533553acf43e2d889a2d94e2842f4a0342f5b196fd23ba1c4693e3385505db8a
SHA512:    655d266ddb0e01ac4ea7525a90cf510035e30e560f29158a6593939bf10ea51c3081f8003991e281de5790c8f795a198657bf495a9917d71cdfb6d29104cfe70

Filesize:  260KB
MD5:       e7a66f9c1fd281341a0cadc10186a4cb
SHA1:      14afbab3a4a3d5de34b1bd37ea672c1848004d83
SHA256:    b6525b10863c3003806f22131a5e1f3d0d61aa5a945860032de41b7528e9cf4a
SHA512:    4250fceba22e5d5940b7b4e643cc901aa910b85d592e794a1dfa2074f1b26143244ad6f46ebbb9fa0d25df8a036200d6086a7c273a47d8805c916e87ae879ed2

Filesize:  352KB
MD5:       6d125a44344be1141495ff519cb484c2
SHA1:      50d523b638cf2f090f1d4ff2360b468dfef431a9
SHA256:    0ee10e0cb6eea641afe14620a01dad5a54499b1f2ade2ace054134e3d09bf400
SHA512:    7e548bbad4d9bf1ea20262d2bdd57b0ab61f0f8bf52851b66be16578ddd395e272416af69a116944dc9616bb50504eeab664b2f3991f88134220e9f2d8dfc1af