Analysis
max time kernel: 66s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/04/2023, 20:18
Static task
static1
General
Target: 56892286e12a3c3ae33d88c75db71c482970d0391e23ce2091bb93a1916c6e73.exe
Size: 695KB
MD5: 84b498c7f647c0ee360892ad959f4d49
SHA1: c316ab6829d918f4d241815ba8fe8a18320a129c
SHA256: 56892286e12a3c3ae33d88c75db71c482970d0391e23ce2091bb93a1916c6e73
SHA512: be62a91c88e618def55a16246066a84a57b4e057e4c3f72d5e5544c4f7fcb5c86f18170796df61c9d1ddea932e62e6570637163fa16288fb1f4254bb7d84af54
SSDEEP: 12288:by90cn2Tq6iFZVfw2kpD1q4MBPT/iPTW0kXzwQTy3ZULH17CdC:byHMqTFffwFwBraPThkjwQ9Nv
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 01940173.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 01940173.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 01940173.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 01940173.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 01940173.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 01940173.exe
Executes dropped EXE 4 IoCs
pid | Process
2152 | un003556.exe
3204 | 01940173.exe
1904 | rk540032.exe
4828 | si446626.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 01940173.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 01940173.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 56892286e12a3c3ae33d88c75db71c482970d0391e23ce2091bb93a1916c6e73.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 56892286e12a3c3ae33d88c75db71c482970d0391e23ce2091bb93a1916c6e73.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un003556.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un003556.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 2 IoCs
pid | pid_target | Process | procid_target
1236 | 3204 | WerFault.exe | 84
2192 | 1904 | WerFault.exe | 90
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
3204 | 01940173.exe
3204 | 01940173.exe
1904 | rk540032.exe
1904 | rk540032.exe
4828 | si446626.exe
4828 | si446626.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3204 | 01940173.exe
Token: SeDebugPrivilege | 1904 | rk540032.exe
Token: SeDebugPrivilege | 4828 | si446626.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 1392 wrote to memory of 2152 | 1392 | 56892286e12a3c3ae33d88c75db71c482970d0391e23ce2091bb93a1916c6e73.exe | 83
PID 1392 wrote to memory of 2152 | 1392 | 56892286e12a3c3ae33d88c75db71c482970d0391e23ce2091bb93a1916c6e73.exe | 83
PID 1392 wrote to memory of 2152 | 1392 | 56892286e12a3c3ae33d88c75db71c482970d0391e23ce2091bb93a1916c6e73.exe | 83
PID 2152 wrote to memory of 3204 | 2152 | un003556.exe | 84
PID 2152 wrote to memory of 3204 | 2152 | un003556.exe | 84
PID 2152 wrote to memory of 3204 | 2152 | un003556.exe | 84
PID 2152 wrote to memory of 1904 | 2152 | un003556.exe | 90
PID 2152 wrote to memory of 1904 | 2152 | un003556.exe | 90
PID 2152 wrote to memory of 1904 | 2152 | un003556.exe | 90
PID 1392 wrote to memory of 4828 | 1392 | 56892286e12a3c3ae33d88c75db71c482970d0391e23ce2091bb93a1916c6e73.exe | 94
PID 1392 wrote to memory of 4828 | 1392 | 56892286e12a3c3ae33d88c75db71c482970d0391e23ce2091bb93a1916c6e73.exe | 94
PID 1392 wrote to memory of 4828 | 1392 | 56892286e12a3c3ae33d88c75db71c482970d0391e23ce2091bb93a1916c6e73.exe | 94
Processes
- C:\Users\Admin\AppData\Local\Temp\56892286e12a3c3ae33d88c75db71c482970d0391e23ce2091bb93a1916c6e73.exe (PID 1392)
  Command line: "C:\Users\Admin\AppData\Local\Temp\56892286e12a3c3ae33d88c75db71c482970d0391e23ce2091bb93a1916c6e73.exe"
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un003556.exe (PID 2152)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un003556.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\01940173.exe (PID 3204)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\01940173.exe
      Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 1236)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1064
        Signatures: Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk540032.exe (PID 1904)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk540032.exe
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 2192)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 1440
        Signatures: Program crash
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si446626.exe (PID 4828)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si446626.exe
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 3896)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3204 -ip 3204
- C:\Windows\SysWOW64\WerFault.exe (PID 4880)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1904 -ip 1904
Network
MITRE ATT&CK Enterprise v6
Downloads