Analysis
max time kernel: 137s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/04/2023, 20:01
Static task
static1
General
Target: c3b5ef6cd9d2733932510618d090a0c4302a26808e1f876c80771fb7430c432e.exe
Size: 559KB
MD5: 99b2da2c56a36a8a1728ea02bf8ff048
SHA1: 05a4c904e88739523adfe60d4d3f305e771e0a0b
SHA256: c3b5ef6cd9d2733932510618d090a0c4302a26808e1f876c80771fb7430c432e
SHA512: 364aa41374e59599ecf92106e60801261f68b23f970cdb24e51b2e1f0ff19334fdf16478f4bfa2316c3c8252103c27289eca99f13b03425e1ac60f1be546de3b
SSDEEP: 12288:Hy9013F/KJqa3pzMZJxbsG9aLYvSXi6XslT310Z2x:Hy0Ub3pzSh9aQH6Xslr1F
Malware Config
Signatures

Modifies Windows Defender Real-time Protection settings
Policy values under the Real-Time Protection key disable the named Defender component when set to 1.
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | it978393.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | it978393.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | it978393.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | it978393.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | it978393.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | it978393.exe

Executes dropped EXE 4 IoCs
pid | process
3936 | ziJf3291.exe
1432 | it978393.exe
220 | kp376946.exe
1672 | lr100346.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

Windows security modification
Writing TamperProtection = 0 switches Defender tamper protection off. On a host where tamper protection is enforced this write is blocked or reverted, so the attempt itself is the indicator.
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | it978393.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
The wextract_cleanupN values pointing at advpack.dll,DelNodeRunDLL32 are the stock entries a Windows self-extracting (wextract/IExpress) package writes to delete its IXPnnn.TMP staging directory at next logon. They show that the outer two layers are wextract wrappers; they are not a persistence mechanism for the payload.
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | c3b5ef6cd9d2733932510618d090a0c4302a26808e1f876c80771fb7430c432e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | c3b5ef6cd9d2733932510618d090a0c4302a26808e1f876c80771fb7430c432e.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ziJf3291.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziJf3291.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Launches sc.exe 1 IoCs
sc.exe is the Windows utility for controlling services on the system.
pid | process
752 | sc.exe

Program crash 1 IoCs
WerFault.exe (PID 1848) handled a crash of PID 220, kp376946.exe.
pid | pid_target | process | procid_target
1848 | 220 | WerFault.exe | 90

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | process
1432 | it978393.exe
1432 | it978393.exe
220 | kp376946.exe
220 | kp376946.exe
1672 | lr100346.exe
1672 | lr100346.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | process
Token: SeDebugPrivilege | 1432 | it978393.exe
Token: SeDebugPrivilege | 220 | kp376946.exe
Token: SeDebugPrivilege | 1672 | lr100346.exe

Suspicious use of WriteProcessMemory 11 IoCs
description | pid | process | procid_target
PID 4192 wrote to memory of 3936 | 4192 | c3b5ef6cd9d2733932510618d090a0c4302a26808e1f876c80771fb7430c432e.exe | 85
PID 4192 wrote to memory of 3936 | 4192 | c3b5ef6cd9d2733932510618d090a0c4302a26808e1f876c80771fb7430c432e.exe | 85
PID 4192 wrote to memory of 3936 | 4192 | c3b5ef6cd9d2733932510618d090a0c4302a26808e1f876c80771fb7430c432e.exe | 85
PID 3936 wrote to memory of 1432 | 3936 | ziJf3291.exe | 86
PID 3936 wrote to memory of 1432 | 3936 | ziJf3291.exe | 86
PID 3936 wrote to memory of 220 | 3936 | ziJf3291.exe | 90
PID 3936 wrote to memory of 220 | 3936 | ziJf3291.exe | 90
PID 3936 wrote to memory of 220 | 3936 | ziJf3291.exe | 90
PID 4192 wrote to memory of 1672 | 4192 | c3b5ef6cd9d2733932510618d090a0c4302a26808e1f876c80771fb7430c432e.exe | 93
PID 4192 wrote to memory of 1672 | 4192 | c3b5ef6cd9d2733932510618d090a0c4302a26808e1f876c80771fb7430c432e.exe | 93
PID 4192 wrote to memory of 1672 | 4192 | c3b5ef6cd9d2733932510618d090a0c4302a26808e1f876c80771fb7430c432e.exe | 93
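The Defender registry writes in the signatures above are the rows a detection engineer would want to turn into a rule. The Python below is an added example and is not part of the tria.ge report or of the sample: it parses rows in the report's own "Set value (type) path = "data" process" format and flags writes that set a Real-Time Protection Disable* policy value to 1 or TamperProtection to 0. The sample events are constructed; the two benign rows (a gpupdate.exe write and a shortened wextract RunOnce entry) are assumptions added to show what the rule ignores.

```python
"""Flag registry writes that disable Windows Defender.

Added example, not part of the tria.ge report. The sample events below
are constructed in the report's 'Set value (...) <path> = "<data>" <process>'
row format; the benign rows (gpupdate.exe, shortened RunOnce data) are
assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Policy key whose Disable* values turn off Defender components when set to 1.
RTP_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "disablebehaviormonitoring",
    "disableioavprotection",
    "disableonaccessprotection",
    "disablerealtimemonitoring",
    "disablescanonrealtimeenable",
}
# Feature flag that switches tamper protection off when set to 0.
TAMPER_VALUE = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"

ROW_RE = re.compile(r'^Set value \((?:int|str)\) (.+?) = "(.*)" (\S+)$')


@dataclass(frozen=True)
class RegEvent:
    process: str
    target: str  # full path of the value written
    data: str    # data as written (a DWORD is rendered as a string)


def parse_set_value(line: str):
    """Parse one 'Set value' row; return None for any other row type."""
    m = ROW_RE.match(line)
    if not m:
        return None
    return RegEvent(process=m.group(3), target=m.group(1), data=m.group(2))


def classify(event: RegEvent):
    """Return a finding string for a Defender-disabling write, else None."""
    key, _, name = event.target.rpartition("\\")
    # Registry paths are case-insensitive, so compare lower-cased.
    if key.lower() == RTP_KEY.lower() and name.lower() in RTP_DISABLE_VALUES and event.data == "1":
        return f"{event.process}: set {name}=1 under Defender Real-Time Protection policy"
    if event.target.lower() == TAMPER_VALUE.lower() and event.data == "0":
        return f"{event.process}: set TamperProtection=0"
    return None


def find_defender_tampering(lines):
    """Run the classifier over raw rows and return the findings in order."""
    findings = []
    for line in lines:
        event = parse_set_value(line)
        if event is not None:
            finding = classify(event)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample: the six Defender rows from the report plus two benign writes.
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" it978393.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" it978393.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" it978393.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" it978393.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" it978393.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it978393.exe',
    # Assumed benign: an admin tool re-enabling real-time monitoring (data 0, not 1).
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" gpupdate.exe',
    # Assumed benign: wextract cleanup RunOnce entry, data shortened for the sample.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe advpack.dll,DelNodeRunDLL32" c3b5ef6c.exe',
]

if __name__ == "__main__":
    for finding in find_defender_tampering(SAMPLE_EVENTS):
        print(finding)
```

Writes to the Policies key are also what Group Policy processing produces, so in production the writing process matters as much as the value: a freshly dropped binary in a user's Temp directory setting these values is the case to alert on, not the policy engine. On a live host the resulting state can be confirmed with Get-MpComputerStatus (RealTimeProtectionEnabled, IsTamperProtected).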
Processes

C:\Users\Admin\AppData\Local\Temp\c3b5ef6cd9d2733932510618d090a0c4302a26808e1f876c80771fb7430c432e.exe (PID 4192)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c3b5ef6cd9d2733932510618d090a0c4302a26808e1f876c80771fb7430c432e.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziJf3291.exe (PID 3936)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziJf3291.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it978393.exe (PID 1432)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it978393.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp376946.exe (PID 220)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp376946.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WerFault.exe (PID 1848)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 1040
        - Program crash

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr100346.exe (PID 1672)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr100346.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (PID 2544)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 220 -ip 220

C:\Windows\system32\sc.exe (PID 752)
  Command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 136KB
MD5: 49650cdcdc358bb2770f0062abeef88c
SHA1: d6f7ec7758e9a80700b81bc7a549838ba99aacac
SHA256: 79e2e1c24f6eb497a4c8071e93ce7ef130b28621b085a3b9ac89a4ecf1ec4e59
SHA512: 7ca1453671b64b79f2144bb994b7768cc2320ca5da52f2e6ce4d8906f79dae4698943508678bfe02d17f2a7d7910fc42b84c3b605f1e1cea257955e64d0e02e1

Filesize: 406KB
MD5: c483196ee88fe78282e4f00d5dbb25e4
SHA1: a2960e807eb53bcd36eb15a50753b8f59d4b091b
SHA256: 0789099e24076713fec8e42055f2adb6b7a631367b833c83373261c0b73d905f
SHA512: 3cb49cfacd762a2a4b27de48bdc1a41471050e35546b32dc00eca94be9b3c70d2b2f1dd532364febbd1b685db9225f7574ef542e4f238045d0cb7b9f975e78a3

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 352KB
MD5: 5b2f2cc97b04644c0056cfbdc8b33d42
SHA1: bc9ece3e2152c4b5c38e603a663ae381dca73e44
SHA256: 2e79d0c393535f7805930e25c990ce0d23e40845227d5fcc31cb366dd61ebcf4
SHA512: a4d53dbefac1d90711c1f8149cd132d4d4089e6ce7bfd1bcca0f32e9923d6197bba9f3b244bdcb795a37e494018f5e262e436287c00ec0db911bc597c136b533