Analysis
- max time kernel: 86s
- max time network: 90s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 23/04/2023, 05:24
Static task
static1
General
- Target: 02538a6a91b4bbb6054af995ce8dab7c50e79450da1bbca2ae239c5f9ff1572b.exe
- Size: 706KB
- MD5: 75dc29b7bc1537145083daa16636089d
- SHA1: 29e314003354eb8457a47900cd71579f04308774
- SHA256: 02538a6a91b4bbb6054af995ce8dab7c50e79450da1bbca2ae239c5f9ff1572b
- SHA512: 4c8e9fb2097b5047a79ce44577dc22800a53bd1e0bcbbc3d513cd8a422ed066934959133120a540d232660e728373c623ee9f461711b88926eb00d422f4afcb6
- SSDEEP: 12288:3y90hPqwv5flb6KtlIcb5LmfrdZDu1Gw/VpGMcpBv8OFTn1dqu7VJePv5Wnk5MR:3yqPNfjF11GjMIJRw3v6A
Malware Config
Signatures

Modifies Windows Defender Real-time Protection settings
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (process: pr122364.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (process: pr122364.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (process: pr122364.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (process: pr122364.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (process: pr122364.exe)

Executes dropped EXE (4 IoCs)
- PID 2512: un079420.exe
- PID 2592: pr122364.exe
- PID 4740: qu750681.exe
- PID 1516: si334744.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (process: pr122364.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (process: pr122364.exe)

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 4 IoCs)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: 02538a6a91b4bbb6054af995ce8dab7c50e79450da1bbca2ae239c5f9ff1572b.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 02538a6a91b4bbb6054af995ce8dab7c50e79450da1bbca2ae239c5f9ff1572b.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: un079420.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: un079420.exe)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious behavior: EnumeratesProcesses (6 IoCs)
- PID 2592: pr122364.exe
- PID 2592: pr122364.exe
- PID 4740: qu750681.exe
- PID 4740: qu750681.exe
- PID 1516: si334744.exe
- PID 1516: si334744.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, PID 2592 (pr122364.exe)
- Token: SeDebugPrivilege, PID 4740 (qu750681.exe)
- Token: SeDebugPrivilege, PID 1516 (si334744.exe)

Suspicious use of WriteProcessMemory (12 IoCs)
- PID 2476 wrote to memory of 2512 (02538a6a91b4bbb6054af995ce8dab7c50e79450da1bbca2ae239c5f9ff1572b.exe, procid_target 66)
- PID 2476 wrote to memory of 2512 (02538a6a91b4bbb6054af995ce8dab7c50e79450da1bbca2ae239c5f9ff1572b.exe, procid_target 66)
- PID 2476 wrote to memory of 2512 (02538a6a91b4bbb6054af995ce8dab7c50e79450da1bbca2ae239c5f9ff1572b.exe, procid_target 66)
- PID 2512 wrote to memory of 2592 (un079420.exe, procid_target 67)
- PID 2512 wrote to memory of 2592 (un079420.exe, procid_target 67)
- PID 2512 wrote to memory of 2592 (un079420.exe, procid_target 67)
- PID 2512 wrote to memory of 4740 (un079420.exe, procid_target 68)
- PID 2512 wrote to memory of 4740 (un079420.exe, procid_target 68)
- PID 2512 wrote to memory of 4740 (un079420.exe, procid_target 68)
- PID 2476 wrote to memory of 1516 (02538a6a91b4bbb6054af995ce8dab7c50e79450da1bbca2ae239c5f9ff1572b.exe, procid_target 70)
- PID 2476 wrote to memory of 1516 (02538a6a91b4bbb6054af995ce8dab7c50e79450da1bbca2ae239c5f9ff1572b.exe, procid_target 70)
- PID 2476 wrote to memory of 1516 (02538a6a91b4bbb6054af995ce8dab7c50e79450da1bbca2ae239c5f9ff1572b.exe, procid_target 70)
Processes

- C:\Users\Admin\AppData\Local\Temp\02538a6a91b4bbb6054af995ce8dab7c50e79450da1bbca2ae239c5f9ff1572b.exe (depth 1, PID 2476)
  Command line: "C:\Users\Admin\AppData\Local\Temp\02538a6a91b4bbb6054af995ce8dab7c50e79450da1bbca2ae239c5f9ff1572b.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un079420.exe (depth 2, PID 2512)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un079420.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr122364.exe (depth 3, PID 2592)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr122364.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu750681.exe (depth 3, PID 4740)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu750681.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si334744.exe (depth 2, PID 1516)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si334744.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 136KB
  MD5: 8c80b06d843bd6a7599a5be2075d9a55
  SHA1: caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2
  SHA256: e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e
  SHA512: cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded

- Filesize: 136KB
  MD5: 8c80b06d843bd6a7599a5be2075d9a55
  SHA1: caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2
  SHA256: e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e
  SHA512: cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded

- Filesize: 552KB
  MD5: 670072e65944069d2f3109f53ba9c862
  SHA1: 09c08262ec764fee5b74373a65f2b8940b082fdc
  SHA256: 9be89ff88b4e845a7a86cae86b2be03a78747bed615efa6d8992b395f0c8e43a
  SHA512: 4990430129545fb9aec362447bd39205e95b3f8a9db4714cc316a500d1829ada5ad7f1becae7802566e4a588386af479f92120531737ae0b6e598d16667596ba

- Filesize: 552KB
  MD5: 670072e65944069d2f3109f53ba9c862
  SHA1: 09c08262ec764fee5b74373a65f2b8940b082fdc
  SHA256: 9be89ff88b4e845a7a86cae86b2be03a78747bed615efa6d8992b395f0c8e43a
  SHA512: 4990430129545fb9aec362447bd39205e95b3f8a9db4714cc316a500d1829ada5ad7f1becae7802566e4a588386af479f92120531737ae0b6e598d16667596ba

- Filesize: 283KB
  MD5: 01d01b55d062e3748c431aa3f5dad536
  SHA1: a709d8f7d643642ebcb0daa3d5a2c4fd66281d77
  SHA256: 7438fe3a52edd21474bae824c49c797ad051de55936e3fca5115123625800ca2
  SHA512: 3ebdc00a250978034d7fac1afae7847806a2ae9d352870228a3f918453f11a16a834aa6dbf6c91be006190dd78bbe7c70e0413a400c0596f955b7c5dbcc16a76

- Filesize: 283KB
  MD5: 01d01b55d062e3748c431aa3f5dad536
  SHA1: a709d8f7d643642ebcb0daa3d5a2c4fd66281d77
  SHA256: 7438fe3a52edd21474bae824c49c797ad051de55936e3fca5115123625800ca2
  SHA512: 3ebdc00a250978034d7fac1afae7847806a2ae9d352870228a3f918453f11a16a834aa6dbf6c91be006190dd78bbe7c70e0413a400c0596f955b7c5dbcc16a76

- Filesize: 353KB
  MD5: 9050d75efee117cd41ff76058fd9de4a
  SHA1: 25ca9d65fd29d63807ae441e893fc9dfab42f879
  SHA256: bad01384accc2056793241206eaa43563649463cbd2a08d9104c7d2a823fcf88
  SHA512: 66a17a57e827c7be2fb91c39c034fbfd30231fdb810ed049e6f26e99d701d2519f66eb5b8e190dd87c9bdd38546d427d8339c2ab20480b0c99fba0e0f1be9137

- Filesize: 353KB
  MD5: 9050d75efee117cd41ff76058fd9de4a
  SHA1: 25ca9d65fd29d63807ae441e893fc9dfab42f879
  SHA256: bad01384accc2056793241206eaa43563649463cbd2a08d9104c7d2a823fcf88
  SHA512: 66a17a57e827c7be2fb91c39c034fbfd30231fdb810ed049e6f26e99d701d2519f66eb5b8e190dd87c9bdd38546d427d8339c2ab20480b0c99fba0e0f1be9137