Analysis
- max time kernel: 62s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/04/2023, 03:39
Static task: static1
General
- Target: 3d1cba5c8fe9cfa6d8d906db8804fc47d831c4c075af2a98b5b91a6bb506c689.exe
- Size: 746KB
- MD5: e5974f2bd53dada43315897b7c694400
- SHA1: 995bfd4cd02a73bda54a534cb86ac08fb5f3a038
- SHA256: 3d1cba5c8fe9cfa6d8d906db8804fc47d831c4c075af2a98b5b91a6bb506c689
- SHA512: 4831760f789a12c18f257d4b548f2748a68fbc2b04b07d1511d22bcede80736f515850f329ec5bffefdc87068d9e05f0fb894203d3a3e60f68ecdeb3dcb612c4
- SSDEEP: 12288:uy90yejPqj4YKMQSZEZZKDhvapvYEu4B+k6BVYm9yIBtQXROsVgJqR0N:uyWSjNKMAZ0GYbloYQXNVoqm
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 84593723.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 84593723.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 84593723.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 84593723.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 84593723.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 84593723.exe
Executes dropped EXE 4 IoCs
pid | Process
1400 | un573390.exe
2176 | 84593723.exe
3760 | rk031604.exe
4816 | si701920.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 84593723.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 84593723.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 3d1cba5c8fe9cfa6d8d906db8804fc47d831c4c075af2a98b5b91a6bb506c689.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 3d1cba5c8fe9cfa6d8d906db8804fc47d831c4c075af2a98b5b91a6bb506c689.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un573390.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un573390.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs
pid | pid_target | Process | procid_target
3904 | 2176 | WerFault.exe | 83
2040 | 3760 | WerFault.exe | 89
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2176 | 84593723.exe
2176 | 84593723.exe
3760 | rk031604.exe
3760 | rk031604.exe
4816 | si701920.exe
4816 | si701920.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2176 | 84593723.exe
Token: SeDebugPrivilege | 3760 | rk031604.exe
Token: SeDebugPrivilege | 4816 | si701920.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 832 wrote to memory of 1400 | 832 | 3d1cba5c8fe9cfa6d8d906db8804fc47d831c4c075af2a98b5b91a6bb506c689.exe | 82
PID 832 wrote to memory of 1400 | 832 | 3d1cba5c8fe9cfa6d8d906db8804fc47d831c4c075af2a98b5b91a6bb506c689.exe | 82
PID 832 wrote to memory of 1400 | 832 | 3d1cba5c8fe9cfa6d8d906db8804fc47d831c4c075af2a98b5b91a6bb506c689.exe | 82
PID 1400 wrote to memory of 2176 | 1400 | un573390.exe | 83
PID 1400 wrote to memory of 2176 | 1400 | un573390.exe | 83
PID 1400 wrote to memory of 2176 | 1400 | un573390.exe | 83
PID 1400 wrote to memory of 3760 | 1400 | un573390.exe | 89
PID 1400 wrote to memory of 3760 | 1400 | un573390.exe | 89
PID 1400 wrote to memory of 3760 | 1400 | un573390.exe | 89
PID 832 wrote to memory of 4816 | 832 | 3d1cba5c8fe9cfa6d8d906db8804fc47d831c4c075af2a98b5b91a6bb506c689.exe | 92
PID 832 wrote to memory of 4816 | 832 | 3d1cba5c8fe9cfa6d8d906db8804fc47d831c4c075af2a98b5b91a6bb506c689.exe | 92
PID 832 wrote to memory of 4816 | 832 | 3d1cba5c8fe9cfa6d8d906db8804fc47d831c4c075af2a98b5b91a6bb506c689.exe | 92
Processes
- C:\Users\Admin\AppData\Local\Temp\3d1cba5c8fe9cfa6d8d906db8804fc47d831c4c075af2a98b5b91a6bb506c689.exe (PID 832)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3d1cba5c8fe9cfa6d8d906db8804fc47d831c4c075af2a98b5b91a6bb506c689.exe"
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un573390.exe (PID 1400)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un573390.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84593723.exe (PID 2176)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84593723.exe
      Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 3904)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 1084
        Signatures: Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk031604.exe (PID 3760)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk031604.exe
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 2040)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 1320
        Signatures: Program crash
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si701920.exe (PID 4816)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si701920.exe
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 3796)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2176 -ip 2176
- C:\Windows\SysWOW64\WerFault.exe (PID 3240)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3760 -ip 3760
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 136KB
  MD5: b9f17cc95395f13838ba119abc3f742f
  SHA1: ecdbc7ef78234c1c7009fdbc6f744c511067767d
  SHA256: 2e10845ea49bdd31991f80c88db940340e9f65c22eb3d1dc719e452fbcc17a15
  SHA512: bf05c4b13405337bf71e69e8b751af742b24d47de2a46be74a5bb86d37e6eee099ef11d871e3514b1ee9c9458c1ac8127b6858eaae04dfced284d1ec87e34bca
- Filesize: 592KB
  MD5: 4822efbbdbe620c0080ac4abe837f2a4
  SHA1: df5e3766446ed0ed6a6cc96198b1d32060ddc44b
  SHA256: 23a11074e33228d190515e85ca0e6c9c77b8725511441eb25870f20a903799ee
  SHA512: 0bab4fc75bc9ae1b7877bb8952c6bb210193e10dfa51b50b93827c0a99d84ac0493d43d2274ee88c36f61a37f9ca669c28d4c456599e023deca1f3c4fafb4245
- Filesize: 376KB
  MD5: ddd6cf90f594271b84767b4080abf59e
  SHA1: 640f1b775792a2c9efe270fbfbc2151247bb7e0b
  SHA256: 04c3d89b6dfcb2e0016a2ab92e5e659ae2054de05eb2a2355545dbe4371a3094
  SHA512: 36807c075253f9b048a6e52b605e774e84ef323b4c310c83378ad56e785516d234729c534b9315aff01148b76c31321eb6503d845769d05bdff12e6c8c8eecab
- Filesize: 459KB
  MD5: ddb6f480aa4db96f43102b7d64ac308d
  SHA1: 739cfbadc2541fb1e6771969762bafb528ea4134
  SHA256: fdfffe42b5db4128da66c8be3a06b1fdc2a650a50863879b945af48469b53bbc
  SHA512: b7b7bc0aa31368dea9ccd6e9b4f2ebf6dd9e8fc25bb2aa3ecad436dffd3d0c9c142f6558992fe3afedaeb672e084241be458796c1e7d07b4675b91448d8d2f0a