Analysis
max time kernel: 91s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/04/2023, 05:39
Static task
static1
General
Target: 0591cb0e4761ae3525cd71579378ee757411f1279205e8ca2ec48604cc59a97c.exe
Size: 700KB
MD5: a60c651df93b4187b6b8790f4af1c56a
SHA1: 7545a23dffafbaa8914c81cdfba371da192ffc3e
SHA256: 0591cb0e4761ae3525cd71579378ee757411f1279205e8ca2ec48604cc59a97c
SHA512: 41dfb7b303c8641c0829d613696a034819ec80d143dc3a7a05d81261b05ff093cb99d75ebef72add35c562d3e99d4a38c1358b85e47070b6246646aeebf5eccb
SSDEEP: 12288:Vy90+6URh9O71tjn/Oi6koWOoyb7efvLFXbrCG2To9w1DClFDDXyPdxj:Vyd6Uqnn7r7WYpiGDwNOF2xj
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 6 IoCs
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (40249885.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (40249885.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (40249885.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (40249885.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (40249885.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (40249885.exe)
-
Executes dropped EXE 4 IoCs
pid 4772: un087680.exe
pid 4220: 40249885.exe
pid 64: rk878885.exe
pid 4436: si797154.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 IoCs
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (40249885.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (40249885.exe)
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (0591cb0e4761ae3525cd71579378ee757411f1279205e8ca2ec48604cc59a97c.exe)
Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (un087680.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un087680.exe)
Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (0591cb0e4761ae3525cd71579378ee757411f1279205e8ca2ec48604cc59a97c.exe)
Note: both RunOnce values are the cleanup entries written by the IExpress (wextract) self-extractor; rundll32 advpack.dll,DelNodeRunDLL32 deletes the IXP000.TMP / IXP001.TMP extraction folder at the next logon, so this is extractor housekeeping, not persistence of the payload.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
pid 2148 WerFault.exe: pid_target 4220, procid_target 84
pid 4312 WerFault.exe: pid_target 64, procid_target 90
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid 4220: 40249885.exe (2 IoCs)
pid 64: rk878885.exe (2 IoCs)
pid 4436: si797154.exe (2 IoCs)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Token: SeDebugPrivilege, pid 4220: 40249885.exe
Token: SeDebugPrivilege, pid 64: rk878885.exe
Token: SeDebugPrivilege, pid 4436: si797154.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
PID 4460 (0591cb0e4761ae3525cd71579378ee757411f1279205e8ca2ec48604cc59a97c.exe) wrote to memory of 4772, procid_target 83 (recorded 3 times)
PID 4772 (un087680.exe) wrote to memory of 4220, procid_target 84 (recorded 3 times)
PID 4772 (un087680.exe) wrote to memory of 64, procid_target 90 (recorded 3 times)
PID 4460 (0591cb0e4761ae3525cd71579378ee757411f1279205e8ca2ec48604cc59a97c.exe) wrote to memory of 4436, procid_target 93 (recorded 3 times)
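The registry rows above mix three different things: Real-Time Protection policy values forced to 1, the Defender TamperProtection feature flag forced to 0, and RunOnce entries. The script below is a worked example added to this page (it is not tria.ge tooling; the rule names and the ATT&CK references T1562.001 and T1547.001 are this example's own choices). It parses lines in the report's "description ioc Process" layout, normalises \REGISTRY\MACHINE and the WOW6432Node hop that the 32-bit samples see, and classifies each write, separating the wextract_cleanupN entries that point at advpack.dll,DelNodeRunDLL32 from genuine autorun persistence. The report's own IoC lines are embedded as input; one extra Run entry is constructed and labelled as such so the contrast is visible.

```python
"""Classify registry IoC lines in the layout of this report's Signatures section.

Added example for this report, not tria.ge tooling. Rule names and the ATT&CK
references are this example's own choices.
"""
import re
from collections import Counter
from dataclasses import dataclass

# IoC lines copied from the Signatures section of this report.
REPORT_LINES = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 40249885.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 40249885.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 40249885.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 40249885.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 40249885.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 40249885.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 40249885.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 40249885.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 0591cb0e4761ae3525cd71579378ee757411f1279205e8ca2ec48604cc59a97c.exe',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce un087680.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un087680.exe',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 0591cb0e4761ae3525cd71579378ee757411f1279205e8ca2ec48604cc59a97c.exe',
]
# Constructed line (NOT from this report): a genuine autorun entry, for contrast.
CONSTRUCTED_LINES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\updater.exe" sample.exe',
]

_HEAD = re.compile(r'^(Key created|Set value \((\w+)\)) (.*)$')
_RTP_KEY = r'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
_FEATURES_KEY = r'HKLM\SOFTWARE\Microsoft\Windows Defender\Features'
_AUTORUN = re.compile(r'^(HKLM|HKU\\[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$', re.I)
_CLEANUP = re.compile(r'^rundll32(\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"(.+)"$', re.I)


@dataclass
class Event:
    op: str        # "Key created" or "Set value"
    kind: str      # value type (int/str), "" for key creation
    key: str       # normalised key path
    value: str     # value name, "" for key creation
    data: str      # unescaped value data, "" for key creation
    process: str


@dataclass
class Finding:
    rule: str
    technique: str   # ATT&CK reference chosen for this example
    event: Event
    detail: str = ''


def _unescape(s):
    """Undo the report's escaping of backslashes and quotes inside value data."""
    out, i = [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s) and s[i + 1] in '\\"':
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return ''.join(out)


def normalize_key(path):
    r"""\REGISTRY\MACHINE -> HKLM, \REGISTRY\USER -> HKU, and drop the WOW6432Node hop.
    The report records paths as the 32-bit (arch:x86) samples see them; when hunting
    on a live host check both the native and the WOW6432Node path."""
    p = re.sub(r'^\\REGISTRY\\MACHINE(?=\\)', 'HKLM', path, flags=re.I)
    p = re.sub(r'^\\REGISTRY\\USER(?=\\)', 'HKU', p, flags=re.I)
    return re.sub(r'\\WOW6432Node(?=\\)', '', p, flags=re.I)


def parse_line(line):
    m = _HEAD.match(line.strip())
    if not m:
        raise ValueError(f'unrecognised IoC line: {line!r}')
    body, process = m.group(3).rsplit(' ', 1)       # process name is the last token
    if m.group(1) == 'Key created':
        return Event('Key created', '', normalize_key(body), '', '', process)
    path, data = body.split(' = "', 1)               # data keeps its closing quote
    key, _, value = normalize_key(path).rpartition('\\')
    return Event('Set value', m.group(2), key, value, _unescape(data[:-1]), process)


def classify(lines):
    findings = []
    for ev in map(parse_line, lines):
        if ev.op == 'Key created':
            findings.append(Finding('key_created', '', ev))
        elif ev.key.lower() == _RTP_KEY.lower() and ev.value.lower().startswith('disable') and ev.data == '1':
            findings.append(Finding('defender_realtime_disabled', 'T1562.001', ev, ev.value))
        elif ev.key.lower() == _FEATURES_KEY.lower() and ev.value.lower() == 'tamperprotection' and ev.data == '0':
            findings.append(Finding('tamper_protection_off', 'T1562.001', ev,
                                    'Tamper Protection, where enabled, is meant to block this write; '
                                    'success in the sandbox says nothing about a hardened host'))
        elif _AUTORUN.match(ev.key):
            m = _CLEANUP.match(ev.data)
            if ev.value.lower().startswith('wextract_cleanup') and m:
                findings.append(Finding('iexpress_cleanup', '', ev,
                                        f'deletes {m.group(2)} at next logon; extractor housekeeping, not payload persistence'))
            else:
                findings.append(Finding('autorun_persistence', 'T1547.001', ev, f'{ev.value} -> {ev.data}'))
        else:
            findings.append(Finding('other_registry_write', '', ev))
    return findings


def summarize(findings):
    return dict(Counter(f.rule for f in findings))


if __name__ == '__main__':
    found = classify(REPORT_LINES + CONSTRUCTED_LINES)
    print(summarize(found))
    for f in found:
        print(f'{f.rule:28} {f.technique:10} {f.event.process:16} {f.detail}')
```

Run as-is it reports five Real-Time Protection disables and one TamperProtection write, all from 40249885.exe, and files the two wextract_cleanup values as IExpress cleanup rather than autorun; only the constructed Run\Updater line lands in autorun_persistence.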
Processes
C:\Users\Admin\AppData\Local\Temp\0591cb0e4761ae3525cd71579378ee757411f1279205e8ca2ec48604cc59a97c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0591cb0e4761ae3525cd71579378ee757411f1279205e8ca2ec48604cc59a97c.exe"
  PID:4460
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un087680.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un087680.exe
    PID:4772
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\40249885.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\40249885.exe
      PID:4220
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 1088
        PID:2148
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk878885.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk878885.exe
      PID:64
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 1292
        PID:4312
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si797154.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si797154.exe
    PID:4436
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4220 -ip 4220
  PID:1756
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 64 -ip 64
  PID:2148
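The process tree and the WriteProcessMemory rows carry the same lineage twice, and reading them together is what tells process creation apart from injection. The script below is a worked example added here (not tria.ge tooling): it rebuilds the tree from the parent/child edges drawn above, takes the crashed pid from each WerFault -p argument (both the -u children and the top-level -pss instances name 4220 and 64), and splits the WriteProcessMemory rows into writes by a parent into a child it has just created, which is process start-up and is what all twelve rows here are (three per new child), and writes into a pid outside the writer's own children, which is the pattern worth following up as injection. The edges, names, rows and command lines are taken from this report; one extra row is constructed and labelled as such to show the foreign case. The creation-vs-injection heuristic is this example's own.

```python
"""Rebuild this report's process lineage and separate process-creation writes from
injection candidates.

Added example, not tria.ge tooling. Edges, names, rows and command lines are copied
from the Processes and Signatures sections above; the heuristic is this example's own.
"""
import re
from collections import defaultdict

# Parent -> child edges as drawn in the Processes tree (WerFault -u children included).
TREE_EDGES = [(4460, 4772), (4772, 4220), (4220, 2148), (4772, 64), (64, 4312), (4460, 4436)]
NAMES = {
    4460: '0591cb0e4761ae3525cd71579378ee757411f1279205e8ca2ec48604cc59a97c.exe',
    4772: 'un087680.exe', 4220: '40249885.exe', 2148: 'WerFault.exe',
    64: 'rk878885.exe', 4312: 'WerFault.exe', 4436: 'si797154.exe',
}
# "Suspicious use of WriteProcessMemory" rows; the report repeats each one three times.
WRITE_ROWS = [
    'PID 4460 wrote to memory of 4772 4460 0591cb0e4761ae3525cd71579378ee757411f1279205e8ca2ec48604cc59a97c.exe 83',
    'PID 4772 wrote to memory of 4220 4772 un087680.exe 84',
    'PID 4772 wrote to memory of 64 4772 un087680.exe 90',
    'PID 4460 wrote to memory of 4436 4460 0591cb0e4761ae3525cd71579378ee757411f1279205e8ca2ec48604cc59a97c.exe 93',
]
# Constructed row (NOT in this report): a write into a pid the writer never created.
CONSTRUCTED_ROWS = ['PID 4220 wrote to memory of 1337 4220 40249885.exe 99']
# WerFault command lines from the Processes tree (-u child instances and -pss top-level instances).
WERFAULT_CMDLINES = [
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 1088',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 1292',
    r'C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4220 -ip 4220',
    r'C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 64 -ip 64',
]

_WRITE_ROW = re.compile(r'^PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+$')
_WERFAULT_PID = re.compile(r'WerFault\.exe\b.*\s-p (\d+)', re.I)   # matches -p <pid>, not -pss or -ip


def children_of(edges):
    """parent pid -> [child pids], keeping the report's order."""
    ch = defaultdict(list)
    for parent, child in edges:
        ch[parent].append(child)
    return dict(ch)


def crashed_pids(cmdlines):
    """Every pid WerFault was started for (-p <pid>)."""
    return {int(m.group(1)) for m in map(_WERFAULT_PID.search, cmdlines) if m}


def classify_writes(write_rows, edges):
    """Return (startup, foreign) lists of (writer, target) pairs.
    A parent writing into a child it has just created is normal process start-up;
    a write into any other pid is the pattern to treat as injection."""
    ch = children_of(edges)
    startup, foreign = [], []
    for row in write_rows:
        m = _WRITE_ROW.match(row)
        if not m:
            raise ValueError(f'unrecognised row: {row!r}')
        writer, target = int(m.group(1)), int(m.group(2))
        (startup if target in ch.get(writer, []) else foreign).append((writer, target))
    return startup, foreign


def render(edges, names, crashed, root):
    """Indented one-line-per-process view with crash markers."""
    ch = children_of(edges)
    lines = []

    def walk(pid, depth):
        mark = '  [crashed]' if pid in crashed else ''
        lines.append(f"{'  ' * depth}{pid} {names.get(pid, '?')}{mark}")
        for child in ch.get(pid, []):
            walk(child, depth + 1)

    walk(root, 0)
    return '\n'.join(lines)


if __name__ == '__main__':
    crashed = crashed_pids(WERFAULT_CMDLINES)
    print(render(TREE_EDGES, NAMES, crashed, 4460))
    startup, foreign = classify_writes(WRITE_ROWS + CONSTRUCTED_ROWS, TREE_EDGES)
    print('start-up writes:', startup)
    print('foreign writes (follow up):', foreign)
```

The rendered tree marks 40249885.exe and rk878885.exe as crashed, i.e. both second-stage children died under WerFault while si797154.exe did not; for this report every WriteProcessMemory row is classified as start-up, and only the constructed row ends up in the foreign list.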
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 136KB
MD5: b9f17cc95395f13838ba119abc3f742f
SHA1: ecdbc7ef78234c1c7009fdbc6f744c511067767d
SHA256: 2e10845ea49bdd31991f80c88db940340e9f65c22eb3d1dc719e452fbcc17a15
SHA512: bf05c4b13405337bf71e69e8b751af742b24d47de2a46be74a5bb86d37e6eee099ef11d871e3514b1ee9c9458c1ac8127b6858eaae04dfced284d1ec87e34bca
-
Filesize: 546KB
MD5: e4f526ac78acce025e91e89f0913e4df
SHA1: d598a9c5693ad6284deea5a353b309268f4aedca
SHA256: 9c365e488d620886b59f5c2373561697bdc1f8a92519bf1258a674d7ee1e238b
SHA512: 3b46bcdefefeec9d9f1034d763f594582c378fb040322507f281d52c437f029286fe38b79797caf26f97814b0128f915f5ef340e2064dccdbab8b08868d9d9ad
-
Filesize: 269KB
MD5: a7410f4fbb06094be68e707554b0e1ce
SHA1: 42d901b3c5778f5f4422666260238c2eb812e73f
SHA256: e2172460893bcd1ce2d12aa0b721b4c09b5c5dceaefa503fe2367cfcc8648e47
SHA512: d743be49c02b95842fb804952266da654de0b31a7936a0c025b1cc061444f7649d59ba2c586c41f9200a5833cb837b16187afa5763df85c2b2ec84aad3fb35d9
-
Filesize: 353KB
MD5: 0d66112775fe549d096c2a9b3130eb52
SHA1: b756427c38a22966a9a9b672af0289109ae44e80
SHA256: 0fb1f85e4fc6ec73df5fd2750c82f4705d6ba5e53ca4f7557dc8167bf1b7d098
SHA512: e9d192ff9356e1d830c4902f128b4e4cf628fda4b28b4b71629f70af05464b9e132efe4ce0fa45b8f2f6ff49e350587a1e598e2f1eebdcef95c5ec9b99b9087d