Analysis
max time kernel: 82s
max time network: 104s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/04/2023, 21:35
Static task
static1
General
Target: 7a329b0b93590a9eec42518af702296df1ef3f95dceb2fd5106f0cc578301664.exe
Size: 695KB
MD5: b41df39c86e8bbff6deb15b02db488f1
SHA1: 1be27cca3d1d33bc4ec2e8cc1ccb016702490ed5
SHA256: 7a329b0b93590a9eec42518af702296df1ef3f95dceb2fd5106f0cc578301664
SHA512: 5283465d5c49bc3acf412b2762478138225dce348c4335038c75dd128c885454466a9ec0ae9fdb5ac4cd1a9c7f0d8963f4eaf846b6a381d09459c9d54d81670e
SSDEEP: 12288:Py90G/sP6Wie07Z8o8UbIK9BiCDzax8IkqLSbZeNA2s6:PylfZ79tIK9ECk8fbZaAd6
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 11789496.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 11789496.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 11789496.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 11789496.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 11789496.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 11789496.exe
Executes dropped EXE 4 IoCs
pid | Process
3972 | un370216.exe
396 | 11789496.exe
436 | rk720685.exe
3356 | si036499.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 11789496.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 11789496.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 7a329b0b93590a9eec42518af702296df1ef3f95dceb2fd5106f0cc578301664.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 7a329b0b93590a9eec42518af702296df1ef3f95dceb2fd5106f0cc578301664.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un370216.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un370216.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs
pid | pid_target | Process | procid_target
1256 | 396 | WerFault.exe | 86
4868 | 436 | WerFault.exe | 95
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
396 | 11789496.exe
396 | 11789496.exe
436 | rk720685.exe
436 | rk720685.exe
3356 | si036499.exe
3356 | si036499.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 396 | 11789496.exe
Token: SeDebugPrivilege | 436 | rk720685.exe
Token: SeDebugPrivilege | 3356 | si036499.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 3376 wrote to memory of 3972 | 3376 | 7a329b0b93590a9eec42518af702296df1ef3f95dceb2fd5106f0cc578301664.exe | 85
PID 3376 wrote to memory of 3972 | 3376 | 7a329b0b93590a9eec42518af702296df1ef3f95dceb2fd5106f0cc578301664.exe | 85
PID 3376 wrote to memory of 3972 | 3376 | 7a329b0b93590a9eec42518af702296df1ef3f95dceb2fd5106f0cc578301664.exe | 85
PID 3972 wrote to memory of 396 | 3972 | un370216.exe | 86
PID 3972 wrote to memory of 396 | 3972 | un370216.exe | 86
PID 3972 wrote to memory of 396 | 3972 | un370216.exe | 86
PID 3972 wrote to memory of 436 | 3972 | un370216.exe | 95
PID 3972 wrote to memory of 436 | 3972 | un370216.exe | 95
PID 3972 wrote to memory of 436 | 3972 | un370216.exe | 95
PID 3376 wrote to memory of 3356 | 3376 | 7a329b0b93590a9eec42518af702296df1ef3f95dceb2fd5106f0cc578301664.exe | 100
PID 3376 wrote to memory of 3356 | 3376 | 7a329b0b93590a9eec42518af702296df1ef3f95dceb2fd5106f0cc578301664.exe | 100
PID 3376 wrote to memory of 3356 | 3376 | 7a329b0b93590a9eec42518af702296df1ef3f95dceb2fd5106f0cc578301664.exe | 100
Processes
- C:\Users\Admin\AppData\Local\Temp\7a329b0b93590a9eec42518af702296df1ef3f95dceb2fd5106f0cc578301664.exe (PID 3376)
  command line: "C:\Users\Admin\AppData\Local\Temp\7a329b0b93590a9eec42518af702296df1ef3f95dceb2fd5106f0cc578301664.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un370216.exe (PID 3972)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un370216.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11789496.exe (PID 396)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11789496.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 1256)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 1088
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk720685.exe (PID 436)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk720685.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 4868)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 1620
        - Program crash
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si036499.exe (PID 3356)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si036499.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 3356)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 396 -ip 396
- C:\Windows\SysWOW64\WerFault.exe (PID 4392)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 436 -ip 436
Network
MITRE ATT&CK Enterprise v6
Downloads