Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
95s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
23/04/2023, 13:41
Static task
static1
General
-
Target
99b6b989a63dc530504c590690728de7d98a47be5ecbff83af94a678dd7e73e9.exe
-
Size
566KB
-
MD5
57927773fae0de2eb20e52a06106a8b5
-
SHA1
772e71e185ba303d433cf843a2a2a4340e3ae593
-
SHA256
99b6b989a63dc530504c590690728de7d98a47be5ecbff83af94a678dd7e73e9
-
SHA512
ed0d056ee660fd11a8f210e7761a372f2796efa078c5bf1c41dafbc28ffad5a6c45c8c1a594b2a1098a7de44388d651dab32fb5ce8fc9a28d4d80e84ac11a651
-
SSDEEP
12288:Wy905uLgFSiNYDTmVUZmzdx36osHP78go3rxy:Wy+SiyDTmV9HlsggGU
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection it391791.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" it391791.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" it391791.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" it391791.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" it391791.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" it391791.exe -
Executes dropped EXE 4 IoCs
pid Process 3252 ziJb4810.exe 2116 it391791.exe 4536 kp485623.exe 2340 lr069860.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it391791.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 99b6b989a63dc530504c590690728de7d98a47be5ecbff83af94a678dd7e73e9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 99b6b989a63dc530504c590690728de7d98a47be5ecbff83af94a678dd7e73e9.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ziJb4810.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziJb4810.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
pid pid_target Process procid_target 2040 4536 WerFault.exe 90 -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2116 it391791.exe 2116 it391791.exe 4536 kp485623.exe 4536 kp485623.exe 2340 lr069860.exe 2340 lr069860.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2116 it391791.exe Token: SeDebugPrivilege 4536 kp485623.exe Token: SeDebugPrivilege 2340 lr069860.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 3664 wrote to memory of 3252 3664 99b6b989a63dc530504c590690728de7d98a47be5ecbff83af94a678dd7e73e9.exe 84 PID 3664 wrote to memory of 3252 3664 99b6b989a63dc530504c590690728de7d98a47be5ecbff83af94a678dd7e73e9.exe 84 PID 3664 wrote to memory of 3252 3664 99b6b989a63dc530504c590690728de7d98a47be5ecbff83af94a678dd7e73e9.exe 84 PID 3252 wrote to memory of 2116 3252 ziJb4810.exe 85 PID 3252 wrote to memory of 2116 3252 ziJb4810.exe 85 PID 3252 wrote to memory of 4536 3252 ziJb4810.exe 90 PID 3252 wrote to memory of 4536 3252 ziJb4810.exe 90 PID 3252 wrote to memory of 4536 3252 ziJb4810.exe 90 PID 3664 wrote to memory of 2340 3664 99b6b989a63dc530504c590690728de7d98a47be5ecbff83af94a678dd7e73e9.exe 96 PID 3664 wrote to memory of 2340 3664 99b6b989a63dc530504c590690728de7d98a47be5ecbff83af94a678dd7e73e9.exe 96 PID 3664 wrote to memory of 2340 3664 99b6b989a63dc530504c590690728de7d98a47be5ecbff83af94a678dd7e73e9.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\99b6b989a63dc530504c590690728de7d98a47be5ecbff83af94a678dd7e73e9.exe"C:\Users\Admin\AppData\Local\Temp\99b6b989a63dc530504c590690728de7d98a47be5ecbff83af94a678dd7e73e9.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziJb4810.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziJb4810.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3252 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it391791.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it391791.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp485623.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp485623.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4536 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 13164⤵
- Program crash
PID:2040
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr069860.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr069860.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4536 -ip 45361⤵PID:988
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
136KB
MD58c80b06d843bd6a7599a5be2075d9a55
SHA1caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2
SHA256e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e
SHA512cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded
-
Filesize
136KB
MD58c80b06d843bd6a7599a5be2075d9a55
SHA1caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2
SHA256e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e
SHA512cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded
-
Filesize
412KB
MD56ae18d97b7bb8316e2cdbf9e41919cd1
SHA1bbe5e7f7d6583a28d7490388b539fef6bac78876
SHA256a29ee1042fb4394615054b88f3d65f1368f3be43ea739f05df8ead78144854df
SHA51255124f729a368ab28e52018f38277e7fe0701230cf87b5c8a6cc89680242fd90414ec9c037855bbaf84500dc746ef165c8f4ad217626e1eb253ec26b4ae3da83
-
Filesize
412KB
MD56ae18d97b7bb8316e2cdbf9e41919cd1
SHA1bbe5e7f7d6583a28d7490388b539fef6bac78876
SHA256a29ee1042fb4394615054b88f3d65f1368f3be43ea739f05df8ead78144854df
SHA51255124f729a368ab28e52018f38277e7fe0701230cf87b5c8a6cc89680242fd90414ec9c037855bbaf84500dc746ef165c8f4ad217626e1eb253ec26b4ae3da83
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
369KB
MD5e133744c45a1f140359a0ed8a58b1355
SHA120c9ff7f90e333719cf99bb77a642c982a182f5c
SHA2561d063b5951496d9c4f7b06afed55b25183f167e1c7c3e237164edb656e11d514
SHA512e9da8b7d1b5234c97ade304245850cc1dd00a0f22caa05a8c2af1c8e809784f24531ae9d3683d23db3932342db9cb335c239709db53b850b6d9b10eb9df516ab
-
Filesize
369KB
MD5e133744c45a1f140359a0ed8a58b1355
SHA120c9ff7f90e333719cf99bb77a642c982a182f5c
SHA2561d063b5951496d9c4f7b06afed55b25183f167e1c7c3e237164edb656e11d514
SHA512e9da8b7d1b5234c97ade304245850cc1dd00a0f22caa05a8c2af1c8e809784f24531ae9d3683d23db3932342db9cb335c239709db53b850b6d9b10eb9df516ab