Analysis
max time kernel: 129s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/04/2023, 02:31
Static task
static1
General
Target: 188bc9e4d4a1e08a29a6289130c3275d2ecf8e9d0bb7d9d507430894a27e6e75.exe
Size: 695KB
MD5: 1a63833858ebc050a7904b232d80ea98
SHA1: 75214183c39f97a2b7ea5c7e6b85dc98b4234b0a
SHA256: 188bc9e4d4a1e08a29a6289130c3275d2ecf8e9d0bb7d9d507430894a27e6e75
SHA512: a3a48a368215c9b3097c8f821ac58955ba6fc933072b5889d6fedf83b74e2cd15fbf0e10beb889856abd5a21b19bf64797f05fcc6bdf1be8ff524cc8e13430a7
SSDEEP: 12288:Qy90mtnyxSRJJderq3jGuO/Cb/+tZ9COLs9IoJgPKJ742WX63u18bzKLA+NY1T:QyTtyxSR4GCUb/+tXCH2OgPI4H63u18f
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
Process: 52509556.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
These five values are the Group Policy switches that turn off Defender's real-time protection layers. They land under the WOW6432Node view because 52509556.exe is a 32-bit process (its crash below is handled by the SysWOW64 WerFault.exe). The sandbox logs the registry API calls; it does not show whether a running Defender instance honoured them.
Executes dropped EXE 4 IoCs
- PID 4532: un963722.exe
- PID 1396: 52509556.exe
- PID 1812: rk191907.exe
- PID 2252: si406889.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
Process: 52509556.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Setting TamperProtection to 0 is an attempt to switch off Defender's tamper protection before the policy changes above are applied. On a host where tamper protection is active, this write is itself one of the things it blocks; the report records only the attempt.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (188bc9e4d4a1e08a29a6289130c3275d2ecf8e9d0bb7d9d507430894a27e6e75.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (188bc9e4d4a1e08a29a6289130c3275d2ecf8e9d0bb7d9d507430894a27e6e75.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (un963722.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un963722.exe)
Despite the signature name, neither entry persists the payload. rundll32 advpack.dll,DelNodeRunDLL32 on an IXPnnn.TMP directory is the cleanup command a WExtract (IExpress) self-extracting executable registers so that its extraction directory is deleted at next logon. Together with the IXP000.TMP and IXP001.TMP paths this identifies the sample as a two-level IExpress wrapper: the outer file extracts un963722.exe and si406889.exe into IXP000.TMP, and un963722.exe in turn extracts 52509556.exe and rk191907.exe into IXP001.TMP.
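The Defender real-time protection rows, the TamperProtection row and the RunOnce rows above all arrive in the same "Set value" format, and a triage script has to read them the same way while reaching different verdicts. The following is an added example, not tria.ge code and not the sample's: it parses that row format, strips the WOW6432Node component so one rule matches either registry view, flags the Defender policy tampering, and separates the WExtract cleanup entries from genuine Run-key persistence. The rows are copied from this report; the final "Updater" row is constructed (it is not in the report) to show what a real persistence hit looks like. Rule names, field names and function names are my own.

```python
"""Rule-based triage of registry "Set value" rows in the format printed above."""
import re
from typing import Optional

SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<data>.*)" (?P<process>\S+)$')
REALTIME_KEY = r"\policies\microsoft\windows defender\real-time protection"
REALTIME_DISABLE_VALUES = {
    "DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
    "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable",
}
FEATURES_KEY = r"\microsoft\windows defender\features"
# rundll32 advpack.dll,DelNodeRunDLL32 "<dir>\IXPnnn.TMP\" is the cleanup command a
# WExtract/IExpress self-extractor registers to delete its extraction dir at next logon.
WEXTRACT_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32 "(?P<dir>[^"]*IXP\d{3}\.TMP\\?)"', re.I)

# Rows copied from the report's Signatures section, plus one constructed Run-key row
# (the "Updater" entry) that is NOT in the report, to show a genuine persistence hit.
REPORT_LINES = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 52509556.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 52509556.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 52509556.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 52509556.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 52509556.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 52509556.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 52509556.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 188bc9e4d4a1e08a29a6289130c3275d2ecf8e9d0bb7d9d507430894a27e6e75.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" un963722.exe',
    # Constructed row, not from the report: what a real Run-key persistence entry looks like.
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\updater.exe" sample.exe',
]


def parse_set_value(line: str) -> Optional[dict]:
    """Split one 'Set value' row into process, normalized key, value name and unescaped data."""
    m = SET_VALUE_RE.match(line.strip())
    if not m:
        return None  # "Key created" rows and anything else are ignored
    key, _, name = m.group("path").rpartition("\\")
    folded = key.casefold()
    return {
        "process": m.group("process"),
        "key": folded.replace("\\wow6432node\\", "\\"),  # same rule for both registry views
        "wow64_view": "\\wow6432node\\" in folded,
        "name": name,
        "data": re.sub(r"\\(.)", r"\1", m.group("data")),  # undo the report's \\ and \" escaping
    }


def classify(ev: dict) -> Optional[dict]:
    """Apply the rules to one parsed row; return a hit or None."""
    hit = {"process": ev["process"], "value": ev["name"], "wow64_view": ev["wow64_view"]}
    if ev["key"].endswith(REALTIME_KEY) and ev["name"] in REALTIME_DISABLE_VALUES and ev["data"] == "1":
        return {"rule": "defender_realtime_disable", **hit}
    if ev["key"].endswith(FEATURES_KEY) and ev["name"] == "TamperProtection" and ev["data"] == "0":
        return {"rule": "defender_tamper_protection_off", **hit}
    if re.search(r"\\currentversion\\run(once)?$", ev["key"]):
        m = WEXTRACT_RE.search(ev["data"])
        if m:  # SFX cleanup: a packer fingerprint, not persistence
            return {"rule": "sfx_cleanup_runonce", "extract_dir": m.group("dir"), **hit}
        return {"rule": "run_key_persistence", "command": ev["data"], **hit}
    return None


def triage(lines) -> list:
    """Parse and classify every row; unparseable rows and non-matching rows are dropped."""
    hits = []
    for line in lines:
        ev = parse_set_value(line)
        if ev is not None:
            hit = classify(ev)
            if hit is not None:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in triage(REPORT_LINES):
        print(h)
```

Because the key is normalized before matching, the same rule fires whether a 32-bit or a 64-bit process wrote the value; the `wow64_view` field keeps the distinction visible for the analyst, since a 64-bit Defender reads the native view.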
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Launches sc.exe 1 IoCs
sc.exe is a Windows utility to control services on the system.
- PID 892: sc.exe
Program crash 2 IoCs
- WerFault.exe (PID 3092) handled the crash of PID 1396, 52509556.exe (procid_target 87)
- WerFault.exe (PID 4964) handled the crash of PID 1812, rk191907.exe (procid_target 93)
Suspicious behavior: EnumeratesProcesses 6 IoCs
- PID 1396: 52509556.exe (2 IoCs)
- PID 1812: rk191907.exe (2 IoCs)
- PID 2252: si406889.exe (2 IoCs)
Suspicious use of AdjustPrivilegeToken 3 IoCs
- Token: SeDebugPrivilege, PID 1396, 52509556.exe
- Token: SeDebugPrivilege, PID 1812, rk191907.exe
- Token: SeDebugPrivilege, PID 2252, si406889.exe
All three payload stages enable SeDebugPrivilege on their own token. AdjustTokenPrivileges can only enable a privilege the token already holds (it is present but disabled in an administrator's token), and enabling it is the usual prelude to opening other processes, which fits the process enumeration recorded above.
Suspicious use of WriteProcessMemory 12 IoCs
- PID 4732 (188bc9e4d4a1e08a29a6289130c3275d2ecf8e9d0bb7d9d507430894a27e6e75.exe) wrote to memory of PID 4532 (procid_target 86), 3 IoCs
- PID 4532 (un963722.exe) wrote to memory of PID 1396 (procid_target 87), 3 IoCs
- PID 4532 (un963722.exe) wrote to memory of PID 1812 (procid_target 93), 3 IoCs
- PID 4732 (188bc9e4d4a1e08a29a6289130c3275d2ecf8e9d0bb7d9d507430894a27e6e75.exe) wrote to memory of PID 2252 (procid_target 96), 3 IoCs
Every target is a process the writer itself launched (compare the tree below), and each child receives the same three writes. That is the pattern of a normal CreateProcess seen from the API monitor, not of injection into a foreign process; a write into a process the writer did not start would be the thing to look for.
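The WriteProcessMemory, Program crash and AdjustPrivilegeToken tables only become useful once they are joined on PID and compared with the process tree. The following is an added example, not tria.ge code: it parses the three row formats the report prints, takes the parent/child relations from the Processes tree below, collapses the repeated per-child writes, and flags any write whose target the writer did not launch. The input blobs reproduce the report's rows; the single write from PID 2252 into PID 4100 is constructed (it is not in the report) to show an injection candidate, and all function and field names are mine.

```python
"""Rebuild process lineage from the report's IoC rows and flag cross-process writes."""
import re
from collections import defaultdict

WPM_RE = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<proc>\S+) \d+")
CRASH_RE = re.compile(r"(?P<wer>\d+) (?P<target>\d+) WerFault\.exe \d+")
PRIV_RE = re.compile(r"Token: (?P<priv>\w+) (?P<pid>\d+) (?P<proc>\S+)")

SAMPLE = "188bc9e4d4a1e08a29a6289130c3275d2ecf8e9d0bb7d9d507430894a27e6e75.exe"
# Report rows: the report prints three identical rows per child, reproduced by "* 3".
WRITES = (
    f"PID 4732 wrote to memory of 4532 4732 {SAMPLE} 86 " * 3
    + "PID 4532 wrote to memory of 1396 4532 un963722.exe 87 " * 3
    + "PID 4532 wrote to memory of 1812 4532 un963722.exe 93 " * 3
    + f"PID 4732 wrote to memory of 2252 4732 {SAMPLE} 96 " * 3
    # Constructed row, NOT in the report: a write into a process 2252 did not start.
    + "PID 2252 wrote to memory of 4100 2252 si406889.exe 99 "
)
CRASHES = "3092 1396 WerFault.exe 87 4964 1812 WerFault.exe 93"
PRIVS = ("Token: SeDebugPrivilege 1396 52509556.exe Token: SeDebugPrivilege 1812 rk191907.exe "
         "Token: SeDebugPrivilege 2252 si406889.exe")
# Parent of each sample PID, read off the Processes tree in the report.
PARENTS = {4532: 4732, 2252: 4732, 1396: 4532, 1812: 4532}


def new_proc():
    return {"name": None, "parent": None, "children": set(), "privileges": set(), "crashed": False}


def build_lineage(writes=WRITES, crashes=CRASHES, privs=PRIVS, parents=PARENTS):
    """Join the three tables on PID; return per-process records and injection candidates."""
    procs = defaultdict(new_proc)
    for pid, parent in parents.items():
        procs[pid]["parent"] = parent
        procs[parent]["children"].add(pid)
    seen, injections = set(), []
    for m in WPM_RE.finditer(writes):
        src, dst = int(m["src"]), int(m["dst"])
        procs[src]["name"] = m["proc"]
        if (src, dst) in seen:
            continue  # collapse the repeated rows for one child
        seen.add((src, dst))
        if procs[dst]["parent"] != src:
            injections.append((src, dst))  # writer did not launch the target
    for m in CRASH_RE.finditer(crashes):
        procs[int(m["target"])]["crashed"] = True
    for m in PRIV_RE.finditer(privs):
        p = procs[int(m["pid"])]
        p["name"] = p["name"] or m["proc"]
        p["privileges"].add(m["priv"])
    return {"processes": dict(procs), "injection_candidates": injections}


def render(lineage, root=4732, depth=0):
    """Indented tree, one line per process, with privilege and crash flags."""
    p = lineage["processes"][root]
    flags = []
    if p["privileges"]:
        flags.append("+".join(sorted(p["privileges"])))
    if p["crashed"]:
        flags.append("crashed")
    suffix = f" [{', '.join(flags)}]" if flags else ""
    lines = ["  " * depth + f"{root} {p['name']}{suffix}"]
    for child in sorted(p["children"]):
        lines.extend(render(lineage, child, depth + 1))
    return lines


if __name__ == "__main__":
    lineage = build_lineage()
    print("\n".join(render(lineage)))
    print("injection candidates:", lineage["injection_candidates"])
```

On the report's own rows the injection list is empty; only the constructed write from 2252 into a PID that has no parent in the tree is reported. The same join also shows at a glance which payload stages enabled SeDebugPrivilege and which ones crashed.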
Processes
C:\Users\Admin\AppData\Local\Temp\188bc9e4d4a1e08a29a6289130c3275d2ecf8e9d0bb7d9d507430894a27e6e75.exe (PID 4732)
  command line: "C:\Users\Admin\AppData\Local\Temp\188bc9e4d4a1e08a29a6289130c3275d2ecf8e9d0bb7d9d507430894a27e6e75.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un963722.exe (PID 4532)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un963722.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\52509556.exe (PID 1396)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\52509556.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe (PID 3092)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1108
        - Program crash
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk191907.exe (PID 1812)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk191907.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe (PID 4964)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 1324
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si406889.exe (PID 2252)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si406889.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe (PID 1336)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1396 -ip 1396
C:\Windows\SysWOW64\WerFault.exe (PID 4540)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1812 -ip 1812
C:\Windows\system32\sc.exe (PID 892)
  command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
Both second-stage executables from IXP001.TMP (52509556.exe and rk191907.exe) crash, and the WerFault.exe that handles them is the SysWOW64 copy, so every sample process is 32-bit; the two top-level WerFault.exe -pss instances reference the same two crashed PIDs. si406889.exe (PID 2252) is the only payload stage that runs to the end of the analysis without crashing. sc.exe start wuauserv runs at the top level, not under any sample process, and no sample process is recorded writing to it; the report gives no evidence tying it to the sample.
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 136KB
MD5: bddaadcc91f12566dce088dfba102c2a
SHA1: 6a141a09619ea3f5bbe2d946df9a8c427beb89f2
SHA256: 536a77d74988fc47e1d6b53be4701d289ecf4e3598b02adcd936b4f29017a4f4
SHA512: f4b12e80f23ddbfd3c9fa79a009cb04e372f1ef6b48ea947b8c0fb14dfd3240c497be28023c78005b8dfd36a4080d98a9750606edf0a1fdfe57f53ef494e5c91

Filesize: 541KB
MD5: 28a44fc49ae2f565da5559a792ee6712
SHA1: 531520f9557ce47522ed502eb87423fc3c5e8c23
SHA256: 16a125c6d406bc7cf8a5ec6d8a8d2b55026ad98052325a93457c1745130230f7
SHA512: d6d754ef559b21f6f0c5c73185944e33518a25d9de5ef0ed457465c9a955361d036c9be8e9413f9f26bc93f0ed371cd53263eebf80c393cd58e65766c0c335d0

Filesize: 258KB
MD5: c8da50db01eb8983d3ec7006e7986a60
SHA1: 59cff2fdcea74373c228c6faaa29b99c4998a9b2
SHA256: ac78483a3f0eaebae73fa4975e68cb60d351e1ed67d7c3dab6037a957374054a
SHA512: ea08770f60a342baee8d8a7c227591eee5a1bfbd08c984ab051b6c3af310146575a973a13d7c5577636c2c07c033a12c0f44e5b5dda01d05f5fa057579ccf9da

Filesize: 340KB
MD5: 0a784a35b58cf3b50aa34ec895c3a0af
SHA1: b39a0a1a0ae557d4eeba2a81bb1fd7372b461538
SHA256: b9021b21935e00b602e2fddd13daee23e611f4a450ec99e92f3eceadf4934907
SHA512: e50c8195ee86a1970ff5035d7c7a02490a86e1a3f514fdba011143e485992ea4bb7e838d92eebb7d3585be4024d8b5e333c47399a512c4a87ae8ce3e721032cb

Four distinct files, matching the four dropped executables listed under Executes dropped EXE; the report does not pair the hashes with the file names.