Analysis
- max time kernel: 100s
- max time network: 104s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/04/2023, 08:40
- Static task: static1
General
- Target: 29c8cd2b396936d3726ccadc4d1e90e49c5a04247b4107abc5e42bdd995185bd.exe
- Size: 697KB
- MD5: 3f94c978968038d050a2e2efcd669659
- SHA1: eb7c383666de6635708dfc5cec3231e21f3ce570
- SHA256: 29c8cd2b396936d3726ccadc4d1e90e49c5a04247b4107abc5e42bdd995185bd
- SHA512: f551d938a0a5969723d44a471e2cf4c5ed118600739850654ba8796cdf446a74ddbb2ae91846788d5f76af04535264126fc7b70ae05bfb55086a4432361f8261
- SSDEEP: 12288:Ky90RW5Q4d6MdMbQRepoNgdqAuJwRIn5N0obBHAKkhHr8Ogj3kg5Rg3QQ:KysWT5epWAueTEBgKkhL8OgjN5Rm
Malware Config
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 19675200.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 19675200.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 19675200.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 19675200.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 19675200.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 19675200.exe

Executes dropped EXE 4 IoCs
pid | Process
4452 | un298382.exe
4648 | 19675200.exe
4636 | rk563974.exe
1832 | si913532.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 19675200.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 19675200.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 29c8cd2b396936d3726ccadc4d1e90e49c5a04247b4107abc5e42bdd995185bd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 29c8cd2b396936d3726ccadc4d1e90e49c5a04247b4107abc5e42bdd995185bd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un298382.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un298382.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash 2 IoCs
pid | pid_target | Process | procid_target
100 | 4648 | WerFault.exe | 85
4192 | 4636 | WerFault.exe | 88

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4648 | 19675200.exe
4648 | 19675200.exe
4636 | rk563974.exe
4636 | rk563974.exe
1832 | si913532.exe
1832 | si913532.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4648 | 19675200.exe
Token: SeDebugPrivilege | 4636 | rk563974.exe
Token: SeDebugPrivilege | 1832 | si913532.exe

Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2000 wrote to memory of 4452 | 2000 | 29c8cd2b396936d3726ccadc4d1e90e49c5a04247b4107abc5e42bdd995185bd.exe | 84
PID 2000 wrote to memory of 4452 | 2000 | 29c8cd2b396936d3726ccadc4d1e90e49c5a04247b4107abc5e42bdd995185bd.exe | 84
PID 2000 wrote to memory of 4452 | 2000 | 29c8cd2b396936d3726ccadc4d1e90e49c5a04247b4107abc5e42bdd995185bd.exe | 84
PID 4452 wrote to memory of 4648 | 4452 | un298382.exe | 85
PID 4452 wrote to memory of 4648 | 4452 | un298382.exe | 85
PID 4452 wrote to memory of 4648 | 4452 | un298382.exe | 85
PID 4452 wrote to memory of 4636 | 4452 | un298382.exe | 88
PID 4452 wrote to memory of 4636 | 4452 | un298382.exe | 88
PID 4452 wrote to memory of 4636 | 4452 | un298382.exe | 88
PID 2000 wrote to memory of 1832 | 2000 | 29c8cd2b396936d3726ccadc4d1e90e49c5a04247b4107abc5e42bdd995185bd.exe | 91
PID 2000 wrote to memory of 1832 | 2000 | 29c8cd2b396936d3726ccadc4d1e90e49c5a04247b4107abc5e42bdd995185bd.exe | 91
PID 2000 wrote to memory of 1832 | 2000 | 29c8cd2b396936d3726ccadc4d1e90e49c5a04247b4107abc5e42bdd995185bd.exe | 91
Processes
- C:\Users\Admin\AppData\Local\Temp\29c8cd2b396936d3726ccadc4d1e90e49c5a04247b4107abc5e42bdd995185bd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\29c8cd2b396936d3726ccadc4d1e90e49c5a04247b4107abc5e42bdd995185bd.exe"
  PID: 2000
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un298382.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un298382.exe
    PID: 4452
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\19675200.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\19675200.exe
      PID: 4648
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 1100
        PID: 100
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk563974.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk563974.exe
      PID: 4636
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 1496
        PID: 4192
        - Program crash
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si913532.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si913532.exe
    PID: 1832
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4648 -ip 4648
  PID: 2800
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4636 -ip 4636
  PID: 4468
Network
MITRE ATT&CK Enterprise v6
Downloads