Analysis
max time kernel: 120s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/04/2023, 17:47
Static task
static1
General
Target: e3cc900664418e839d1c2c7684f75aa8e50afa3b367b8b2b0c3bf7b2d115baf8.exe
Size: 695KB
MD5: 5455061b8e9507ceb125e715919062fd
SHA1: d988671f80062006b1d1c61701a13d6ef069eeba
SHA256: e3cc900664418e839d1c2c7684f75aa8e50afa3b367b8b2b0c3bf7b2d115baf8
SHA512: a51a7a6a86a90b9e36362514f005f9e9f1c80c26fa6a1841c3f3b41c25475ffa8a7753836ed44d2440fecb29952260cb227b6e090de2f6749f424d9277ee9a5e
SSDEEP: 12288:xy903KNwvnOc9E9mCDPAwi46P9W8g89ppreUPcdC54dV45VNU73/CHxyr:xyT2OKE9LDG4CEo/GD/0NU7322
Malware Config
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 10322686.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 10322686.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 10322686.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 10322686.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 10322686.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 10322686.exe
Note: 10322686.exe is a 32-bit process (its crash below is handled by the SysWOW64 WerFault.exe), which is why its writes are recorded under WOW6432Node; when checking a host for these values, query both the native and the WOW6432Node view. These are exactly the policy values Tamper Protection is designed to ignore, so their being set in the sandbox does not show the sample would succeed on a managed endpoint.

Executes dropped EXE (4 IoCs)
pid | Process
2244 | un471209.exe
3208 | 10322686.exe
860 | rk391955.exe
3868 | si060864.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 10322686.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 10322686.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | e3cc900664418e839d1c2c7684f75aa8e50afa3b367b8b2b0c3bf7b2d115baf8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | e3cc900664418e839d1c2c7684f75aa8e50afa3b367b8b2b0c3bf7b2d115baf8.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un471209.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un471209.exe
Note: both entries are the standard wextract_cleanupN values that a Windows self-extracting executable (wextract) registers so that rundll32 advpack.dll,DelNodeRunDLL32 deletes its IXP00N.TMP extraction directory at the next logon. They remove the dropped files rather than relaunch anything, so this signature reflects the nested SFX packaging (the sample extracts un471209.exe and si060864.exe, and un471209.exe in turn extracts 10322686.exe and rk391955.exe), not payload persistence.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
3404 | 3208 | WerFault.exe | 86
1904 | 860 | WerFault.exe | 95
Note: both second-stage payloads, 10322686.exe (PID 3208) and rk391955.exe (PID 860), crashed during the run, and the Network section below is empty. Whatever either stage does after start-up (C2, exfiltration of the browser and wallet data the signatures above refer to) was therefore not observed here; the absence of network IoCs in this report is not evidence that the sample has none.

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
3208 | 10322686.exe
3208 | 10322686.exe
860 | rk391955.exe
860 | rk391955.exe
3868 | si060864.exe
3868 | si060864.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3208 | 10322686.exe
Token: SeDebugPrivilege | 860 | rk391955.exe
Token: SeDebugPrivilege | 3868 | si060864.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 1980 wrote to memory of 2244 | 1980 | e3cc900664418e839d1c2c7684f75aa8e50afa3b367b8b2b0c3bf7b2d115baf8.exe | 85
PID 1980 wrote to memory of 2244 | 1980 | e3cc900664418e839d1c2c7684f75aa8e50afa3b367b8b2b0c3bf7b2d115baf8.exe | 85
PID 1980 wrote to memory of 2244 | 1980 | e3cc900664418e839d1c2c7684f75aa8e50afa3b367b8b2b0c3bf7b2d115baf8.exe | 85
PID 2244 wrote to memory of 3208 | 2244 | un471209.exe | 86
PID 2244 wrote to memory of 3208 | 2244 | un471209.exe | 86
PID 2244 wrote to memory of 3208 | 2244 | un471209.exe | 86
PID 2244 wrote to memory of 860 | 2244 | un471209.exe | 95
PID 2244 wrote to memory of 860 | 2244 | un471209.exe | 95
PID 2244 wrote to memory of 860 | 2244 | un471209.exe | 95
PID 1980 wrote to memory of 3868 | 1980 | e3cc900664418e839d1c2c7684f75aa8e50afa3b367b8b2b0c3bf7b2d115baf8.exe | 100
PID 1980 wrote to memory of 3868 | 1980 | e3cc900664418e839d1c2c7684f75aa8e50afa3b367b8b2b0c3bf7b2d115baf8.exe | 100
PID 1980 wrote to memory of 3868 | 1980 | e3cc900664418e839d1c2c7684f75aa8e50afa3b367b8b2b0c3bf7b2d115baf8.exe | 100
Note: every write targets a process the writer itself just created (1980 -> 2244, 2244 -> 3208, 2244 -> 860, 1980 -> 3868), three events per child, which is consistent with ordinary child-process start-up rather than injection into an unrelated process. The signature matters when the target is not the writer's own child.
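The Defender, Windows security modification and Run key rows above are the kind of registry IoCs a detection engineer turns into rules. The following is an added example written for this page, not Triage code or output: it re-types those rows as input, parses the "description ioc Process" grammar (including the escaped quotes in the RunOnce data), normalises \REGISTRY\MACHINE and WOW6432Node paths so the 32-bit redirected view compares equal to the native one, and classifies each event against a small rule table. The regexes, rule table, severities and the ATT&CK mapping (T1562.001 for the Defender changes, T1547.001 for RunOnce) are the example's own choices; it also separates the wextract self-cleanup entries from real autostart entries.

```python
"""Classify registry-write IoCs from a Triage-style sandbox report.

Added example for this report, not Triage code: the event lines are the
report's own "description ioc Process" rows re-typed one per line; the
line grammar, key normalisation, rule table and severities are this
example's assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the rows from the Defender, Windows security
# modification and Run key signature tables above, one event per line.
REPORT_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 10322686.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 10322686.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 10322686.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 10322686.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 10322686.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 10322686.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 10322686.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 10322686.exe',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce e3cc900664418e839d1c2c7684f75aa8e50afa3b367b8b2b0c3bf7b2d115baf8.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" e3cc900664418e839d1c2c7684f75aa8e50afa3b367b8b2b0c3bf7b2d115baf8.exe',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce un471209.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un471209.exe',
]

# One report row: operation, registry path, optional quoted data, writing
# process. Quoted data may contain \" and \\ escapes, as the RunOnce rows do.
EVENT_RE = re.compile(
    r'^(?P<op>Key created|Set value \((?:int|str)\))\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+"(?P<data>(?:[^"\\]|\\.)*)")?'
    r'\s+(?P<proc>\S+\.exe)$'
)

# Rule table (assumed): normalised, lower-cased key paths.
DEFENDER_RTP = r'hklm\software\policies\microsoft\windows defender\real-time protection'
DEFENDER_FEATURES = r'hklm\software\microsoft\windows defender\features'
RUNONCE = r'hklm\software\microsoft\windows\currentversion\runonce'
RTP_KILL_SWITCHES = {
    'disablerealtimemonitoring', 'disablebehaviormonitoring',
    'disableioavprotection', 'disableonaccessprotection',
    'disablescanonrealtimeenable',
}


@dataclass
class Event:
    op: str
    key: str             # registry key, normalised to HKLM\... without WOW6432Node
    name: Optional[str]  # value name; None for "Key created"
    data: Optional[str]
    process: str


@dataclass
class Finding:
    process: str
    key: str
    name: Optional[str]
    data: Optional[str]
    label: str
    technique: str  # ATT&CK technique id
    severity: str


def normalize_key(key: str) -> str:
    # \REGISTRY\MACHINE\... -> HKLM\..., dropping the WOW6432Node segment so
    # a 32-bit process's redirected writes compare equal to the native path.
    parts = key.split('\\')
    if [p.upper() for p in parts[:3]] == ['', 'REGISTRY', 'MACHINE']:
        parts = ['HKLM'] + parts[3:]
    return '\\'.join(p for p in parts if p.upper() != 'WOW6432NODE')


def parse_event(line: str) -> Optional[Event]:
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    path = m.group('path')
    if m.group('op') == 'Key created':
        key, name = path, None
    else:
        key, _, name = path.rpartition('\\')  # last component is the value name
    return Event(m.group('op'), normalize_key(key), name, m.group('data'), m.group('proc'))


def classify(ev: Optional[Event]) -> Optional[Finding]:
    """Map one event to a finding, or None when it matches no rule."""
    if ev is None:
        return None
    key, name, data = ev.key.lower(), (ev.name or '').lower(), (ev.data or '').lower()

    def mk(label: str, technique: str, severity: str) -> Finding:
        return Finding(ev.process, ev.key, ev.name, ev.data, label, technique, severity)

    if key == DEFENDER_RTP:
        if ev.name is None:
            return mk('Defender real-time protection policy key created', 'T1562.001', 'medium')
        if name in RTP_KILL_SWITCHES and data == '1':
            return mk(f'Defender {ev.name} disabled by policy value', 'T1562.001', 'high')
    if key == DEFENDER_FEATURES and name == 'tamperprotection' and data == '0':
        return mk('Defender TamperProtection set to 0', 'T1562.001', 'high')
    if key == RUNONCE and ev.name is not None:
        if 'advpack.dll,delnoderundll32' in data:
            return mk('wextract self-cleanup (deletes temp dir at next logon), not payload persistence',
                      'T1547.001', 'low')
        return mk('RunOnce autostart entry', 'T1547.001', 'medium')
    return None


def audit(lines: List[str]) -> List[Finding]:
    """Parse and classify every line; rows that match no rule are dropped."""
    return [f for f in (classify(parse_event(line)) for line in lines) if f is not None]


if __name__ == '__main__':
    for f in audit(REPORT_EVENTS):
        print(f'[{f.severity:6}] {f.process}: {f.label}')
```

Run against the rows above it reports six high findings, all from 10322686.exe (the five Real-Time Protection kill switches and TamperProtection = 0), one medium for the policy key creation, and two low entries for the wextract cleanup values; the RunOnce and Features "Key created" rows produce nothing on their own.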
Processes

e3cc900664418e839d1c2c7684f75aa8e50afa3b367b8b2b0c3bf7b2d115baf8.exe (PID 1980)
    Image: C:\Users\Admin\AppData\Local\Temp\e3cc900664418e839d1c2c7684f75aa8e50afa3b367b8b2b0c3bf7b2d115baf8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e3cc900664418e839d1c2c7684f75aa8e50afa3b367b8b2b0c3bf7b2d115baf8.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    un471209.exe (PID 2244)
        Image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un471209.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un471209.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        10322686.exe (PID 3208)
            Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\10322686.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\10322686.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            WerFault.exe (PID 3404)
                Image: C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 1080
                - Program crash

        rk391955.exe (PID 860)
            Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk391955.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk391955.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            WerFault.exe (PID 1904)
                Image: C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 1192
                - Program crash

    si060864.exe (PID 3868)
        Image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si060864.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si060864.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

WerFault.exe (PID 4136, top level)
    Image: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3208 -ip 3208

WerFault.exe (PID 952, top level)
    Image: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 860 -ip 860
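The process tree above is what the flattened "Suspicious use of WriteProcessMemory", "Program crash" and "Executes dropped EXE" tables encode, and rebuilding it is the quickest way to tell creation-time memory writes from genuine cross-process injection. The following is an added example written for this page, not Triage code: it re-types those rows as input, counts writes per (writer, target) pair, takes the first write into a fresh PID as the creation edge, marks the PIDs that WerFault was launched for as crashed, renders the lineage, and flags any write whose target is not the writer's own child. The row grammar, the three-writes-per-child collapse and the rendering format are the example's assumptions; PIDs and names are the report's.

```python
"""Rebuild the sample's process lineage from the flattened report tables.

Added example, not Triage code: the rows are the report's own
"Suspicious use of WriteProcessMemory", "Program crash" and
"Executes dropped EXE" rows re-typed one per line; the row grammar,
creation-edge heuristic and rendering are this example's assumptions.
"""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

ROOT_PID = 1980
ROOT_NAME = 'e3cc900664418e839d1c2c7684f75aa8e50afa3b367b8b2b0c3bf7b2d115baf8.exe'

# Constructed input, copied from the signature tables of this report.
EXEC_ROWS = ['2244 un471209.exe', '3208 10322686.exe', '860 rk391955.exe', '3868 si060864.exe']
WRITE_ROWS = (
    [f'PID 1980 wrote to memory of 2244 1980 {ROOT_NAME} 85'] * 3
    + ['PID 2244 wrote to memory of 3208 2244 un471209.exe 86'] * 3
    + ['PID 2244 wrote to memory of 860 2244 un471209.exe 95'] * 3
    + [f'PID 1980 wrote to memory of 3868 1980 {ROOT_NAME} 100'] * 3
)
CRASH_ROWS = ['3404 3208 WerFault.exe 86', '1904 860 WerFault.exe 95']

WRITE_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+$')
CRASH_RE = re.compile(r'^\d+ (\d+) WerFault\.exe \d+$')  # pid_target is the crashed PID


def parse_names(rows: List[str]) -> Dict[int, str]:
    """pid -> image name, seeded with the submitted sample."""
    names = {ROOT_PID: ROOT_NAME}
    for row in rows:
        pid, name = row.split(maxsplit=1)
        names[int(pid)] = name
    return names


def parse_writes(rows: List[str]) -> Counter:
    """(writer pid, target pid) -> number of WriteProcessMemory events."""
    edges: Counter = Counter()
    for row in rows:
        m = WRITE_RE.match(row)
        if m:
            edges[(int(m.group(1)), int(m.group(2)))] += 1
    return edges


def parse_crashes(rows: List[str]) -> Set[int]:
    """PIDs that WerFault was launched for."""
    return {int(m.group(1)) for m in map(CRASH_RE.match, rows) if m}


def children_of(edges: Counter) -> Dict[int, List[int]]:
    """First write into a not-yet-seen PID is taken as the creation edge."""
    tree: Dict[int, List[int]] = {}
    seen: Set[int] = set()
    for writer, target in edges:  # Counter preserves insertion order
        if target not in seen:
            seen.add(target)
            tree.setdefault(writer, []).append(target)
    return tree


def cross_process_writes(edges: Counter, tree: Dict[int, List[int]]) -> List[Tuple[int, int]]:
    """Writes whose target is not the writer's own child: the pattern worth
    treating as injection, unlike the writes that accompany CreateProcess."""
    parent = {child: p for p, kids in tree.items() for child in kids}
    return [e for e in edges if parent.get(e[1]) != e[0]]


def render_tree(tree: Dict[int, List[int]], names: Dict[int, str], edges: Counter,
                crashed: Set[int], pid: int = ROOT_PID, parent: int = None,
                depth: int = 0) -> List[str]:
    line = '    ' * depth + f'{names.get(pid, "?")} (PID {pid})'
    if parent is not None:
        line += f' [{edges[(parent, pid)]} memory writes from parent]'
    if pid in crashed:
        line += ' crashed (WerFault)'
    out = [line]
    for child in tree.get(pid, []):
        out.extend(render_tree(tree, names, edges, crashed, child, pid, depth + 1))
    return out


def lineage_report() -> List[str]:
    names = parse_names(EXEC_ROWS)
    edges = parse_writes(WRITE_ROWS)
    return render_tree(children_of(edges), names, edges, parse_crashes(CRASH_ROWS))


if __name__ == '__main__':
    print('\n'.join(lineage_report()))
```

For this report every write lands on the writer's own child, three per child, so cross_process_writes returns nothing; a write from, say, si060864.exe into 10322686.exe would be the case to escalate.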
Network
MITRE ATT&CK Enterprise v6
Downloads
Four distinct files, each listed twice in the report with identical hashes:

File 1
Filesize: 136KB
MD5: 73cae2858379cab7e68b9e5bf751c372
SHA1: 38c375354bda6e5c8fb2579f1ef0416a6c65929a
SHA256: e423b9b79b441e48fd15c0980c78bf87ddaab308fa1c5d5ecdfbd85e1da73f1c
SHA512: 343c2e4470d42c5078a7e4025509779bfd4b92b5c8b71a9e270acb2b98b6b6fcfa04f8158d9c10c468d0984daac5c8f316424df5e4def7db13e8768eb0d7c7d8

File 2
Filesize: 541KB
MD5: 788cc3426dac7f71c21af4a4db04c3c4
SHA1: 95b9844709a4640fc989784c01987dc4219f4d51
SHA256: 84a02d71a8c87d635516f0f98d1ea4ccd0b59165d36dd5b12128451fa97e3c05
SHA512: eafd9ca8c2b8a93dcc94d2987b5b60e9d35dc889b5ba24b70485bb1089d933be77c2353069f77b318b6cdc05523bac8c34b8cf47324e7b8047d010f1f6f410aa

File 3
Filesize: 258KB
MD5: bae76b87d73469eed9f4b5d4977e9713
SHA1: 20ef504016fd05098a14138501f0b5bf1945c53c
SHA256: 8e72d76dc575b6ed772b34a00876ffc29d4d53daddb118c8b34c3e07d275bf21
SHA512: d51002edefc6ae60a6cb7367b5d1b2353564547d61d27956369cb47c71a21f4cfe5825abc4ea246e40f8d75ee854e0b952c26ff7987474e22349ddfb6b6b24de

File 4
Filesize: 341KB
MD5: 6bdfa0add99b8ff5b2e6b85001272a45
SHA1: 1d648a38e022711fc070ae556135a5ac594bf7b5
SHA256: d8bface69271995a468246afdb238d031ad25dba3995f5f0ccea87ab3ac8528f
SHA512: 5659620b9aca37bfaa6e46483edf65fc68a188acbf3b820a10cdaa6b4ad14adf1dafd34c883cd596ddc83ce2a4bd2e0aa65102e2f16ce1e652e4933d2e43484d