Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
83s -
max time network
104s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
23/04/2023, 18:37
Static task
static1
General
-
Target
0ddd2e61d94f2dda4929887701067020c066c5487b8f25e04e65173fbb92ef40.exe
-
Size
562KB
-
MD5
93d813664ebb81dd50757bea17860274
-
SHA1
763bb9b9e27079f9cfa44f7a6108652be5badeee
-
SHA256
0ddd2e61d94f2dda4929887701067020c066c5487b8f25e04e65173fbb92ef40
-
SHA512
eca8aef508d5918fa146d291793f454d6adf008094022eeadafa9c61b0fed331042b996d4164c22c2b4fd36bdba5d5d4b4e922f53b5a51163a5e19d1f84b1e7e
-
SSDEEP
12288:Ty9032oCRu3wH8XEfopBPL0rbeaxjarqSVUhMl:Ty6gugcXEfiBaqoerqSVl
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" it895822.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" it895822.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" it895822.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" it895822.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" it895822.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection it895822.exe -
Executes dropped EXE 4 IoCs
pid Process 3196 ziHP8930.exe 4164 it895822.exe 3172 kp826273.exe 488 lr668428.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" it895822.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 0ddd2e61d94f2dda4929887701067020c066c5487b8f25e04e65173fbb92ef40.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 0ddd2e61d94f2dda4929887701067020c066c5487b8f25e04e65173fbb92ef40.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ziHP8930.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ziHP8930.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
pid pid_target Process procid_target 3864 3172 WerFault.exe 89 -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4164 it895822.exe 4164 it895822.exe 3172 kp826273.exe 3172 kp826273.exe 488 lr668428.exe 488 lr668428.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4164 it895822.exe Token: SeDebugPrivilege 3172 kp826273.exe Token: SeDebugPrivilege 488 lr668428.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 4484 wrote to memory of 3196 4484 0ddd2e61d94f2dda4929887701067020c066c5487b8f25e04e65173fbb92ef40.exe 85 PID 4484 wrote to memory of 3196 4484 0ddd2e61d94f2dda4929887701067020c066c5487b8f25e04e65173fbb92ef40.exe 85 PID 4484 wrote to memory of 3196 4484 0ddd2e61d94f2dda4929887701067020c066c5487b8f25e04e65173fbb92ef40.exe 85 PID 3196 wrote to memory of 4164 3196 ziHP8930.exe 86 PID 3196 wrote to memory of 4164 3196 ziHP8930.exe 86 PID 3196 wrote to memory of 3172 3196 ziHP8930.exe 89 PID 3196 wrote to memory of 3172 3196 ziHP8930.exe 89 PID 3196 wrote to memory of 3172 3196 ziHP8930.exe 89 PID 4484 wrote to memory of 488 4484 0ddd2e61d94f2dda4929887701067020c066c5487b8f25e04e65173fbb92ef40.exe 93 PID 4484 wrote to memory of 488 4484 0ddd2e61d94f2dda4929887701067020c066c5487b8f25e04e65173fbb92ef40.exe 93 PID 4484 wrote to memory of 488 4484 0ddd2e61d94f2dda4929887701067020c066c5487b8f25e04e65173fbb92ef40.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ddd2e61d94f2dda4929887701067020c066c5487b8f25e04e65173fbb92ef40.exe"C:\Users\Admin\AppData\Local\Temp\0ddd2e61d94f2dda4929887701067020c066c5487b8f25e04e65173fbb92ef40.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHP8930.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziHP8930.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it895822.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it895822.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4164
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp826273.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp826273.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3172 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 21164⤵
- Program crash
PID:3864
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr668428.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr668428.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:488
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3172 -ip 31721⤵PID:2792
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
136KB
MD58c80b06d843bd6a7599a5be2075d9a55
SHA1caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2
SHA256e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e
SHA512cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded
-
Filesize
136KB
MD58c80b06d843bd6a7599a5be2075d9a55
SHA1caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2
SHA256e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e
SHA512cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded
-
Filesize
409KB
MD5dcc2845001dd4bb4ad264541d8585cb7
SHA1387b57d003595ddf4587ad002d37b742a45ba6ef
SHA256c49fea6d66c53c837841d332185a61a71be2de4f11d3b3fc4736ccf99a89c490
SHA5122d03d15ebbbc77d6a252e55815fdd61630b350ce228a02a9b106fa0bb6991f507b471b7395f4d6ec77fe5b31a06fe24f642267127a57e0a391f18cfa33be39e9
-
Filesize
409KB
MD5dcc2845001dd4bb4ad264541d8585cb7
SHA1387b57d003595ddf4587ad002d37b742a45ba6ef
SHA256c49fea6d66c53c837841d332185a61a71be2de4f11d3b3fc4736ccf99a89c490
SHA5122d03d15ebbbc77d6a252e55815fdd61630b350ce228a02a9b106fa0bb6991f507b471b7395f4d6ec77fe5b31a06fe24f642267127a57e0a391f18cfa33be39e9
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
360KB
MD5467a54f502867409778cdef96c874c4d
SHA1ed032092e1a3d703c8b30d2499e516ed478722a5
SHA256f1a3d4c9a12c01ef5e21084de646729d9dbf5fb53ece8663ebbd3593d439f275
SHA5126b6fff9dcd258d7eaf0f0afe219518babc356b6b1925e22bfa34f6650cbb5cb53e1ab2c4bc774444aa9476e39958952c9a5858e3fafdcc49eebb1c47ed964c62
-
Filesize
360KB
MD5467a54f502867409778cdef96c874c4d
SHA1ed032092e1a3d703c8b30d2499e516ed478722a5
SHA256f1a3d4c9a12c01ef5e21084de646729d9dbf5fb53ece8663ebbd3593d439f275
SHA5126b6fff9dcd258d7eaf0f0afe219518babc356b6b1925e22bfa34f6650cbb5cb53e1ab2c4bc774444aa9476e39958952c9a5858e3fafdcc49eebb1c47ed964c62