Analysis
- max time kernel: 135s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/04/2023, 10:06
- Static task: static1
General
- Target: fc13e46ce90efb1b5c4070348990f7c9538823cf0aeac87fc50dfe2db04ad47e.exe
- Size: 695KB
- MD5: e5c7f2b6b62dff9e95c160a63e95c0cf
- SHA1: 52dc586e7c1783f723604fb78d0f3a2d22507c79
- SHA256: fc13e46ce90efb1b5c4070348990f7c9538823cf0aeac87fc50dfe2db04ad47e
- SHA512: f930134ba5130b11882f1b52c18a2fec9dee6f453d278504dd6c25e306bebf7d81a58857fe181400a3efd46cd4c30d5622a4f4a83935d0b233eb362c8a1417e6
- SSDEEP: 12288:Zy90niAge5+LG9RzFiBW3rWecogh/q0gHedU2ld3j/dX+u4VT8nQFZRhuVHf0iDz:Zye2GfccrBcoggl8U2lNj/MTUyj8MTef
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings (all by 47101728.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
Executes dropped EXE 4 IoCs
- PID 1380: un063342.exe
- PID 2168: 47101728.exe
- PID 3744: rk063864.exe
- PID 3880: si566548.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (all by 47101728.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (fc13e46ce90efb1b5c4070348990f7c9538823cf0aeac87fc50dfe2db04ad47e.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (fc13e46ce90efb1b5c4070348990f7c9538823cf0aeac87fc50dfe2db04ad47e.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (un063342.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (un063342.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash 2 IoCs
- PID 1920 WerFault.exe, pid_target 2168, procid_target 83
- PID 4932 WerFault.exe, pid_target 3744, procid_target 89
Suspicious behavior: EnumeratesProcesses 6 IoCs
- PID 2168: 47101728.exe (2 entries)
- PID 3744: rk063864.exe (2 entries)
- PID 3880: si566548.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 3 IoCs
- Token: SeDebugPrivilege, PID 2168, 47101728.exe
- Token: SeDebugPrivilege, PID 3744, rk063864.exe
- Token: SeDebugPrivilege, PID 3880, si566548.exe
Suspicious use of WriteProcessMemory 12 IoCs
- PID 2312 (fc13e46ce90efb1b5c4070348990f7c9538823cf0aeac87fc50dfe2db04ad47e.exe) wrote to memory of 1380, procid_target 82 (3 entries)
- PID 1380 (un063342.exe) wrote to memory of 2168, procid_target 83 (3 entries)
- PID 1380 (un063342.exe) wrote to memory of 3744, procid_target 89 (3 entries)
- PID 2312 (fc13e46ce90efb1b5c4070348990f7c9538823cf0aeac87fc50dfe2db04ad47e.exe) wrote to memory of 3880, procid_target 92 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\fc13e46ce90efb1b5c4070348990f7c9538823cf0aeac87fc50dfe2db04ad47e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fc13e46ce90efb1b5c4070348990f7c9538823cf0aeac87fc50dfe2db04ad47e.exe"
  PID: 2312
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un063342.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un063342.exe
    PID: 1380
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47101728.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\47101728.exe
      PID: 2168
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 1080
        PID: 1920
        - Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk063864.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk063864.exe
      PID: 3744
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 1428
        PID: 4932
        - Program crash
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si566548.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si566548.exe
    PID: 3880
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2168 -ip 2168
  PID: 1628
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3744 -ip 3744
  PID: 4576
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 136KB
  MD5: e1c805d3cefe221689da30b8a2d944f2
  SHA1: a9a94fd89ed22c2a127c81f6e57f822eae1d9f26
  SHA256: 32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a
  SHA512: 7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7
- Filesize: 541KB
  MD5: 3e4b33cd8cf6f7f2bfb0082e8f4b9bae
  SHA1: 225c47ab7087ab6f7c402a868d3f49511e1d4332
  SHA256: 486d19d1ba95e75336f79b43259f2760f0d46105d2213631d8b2ca56acfa3331
  SHA512: 9e7558d8524ec366d3e8fa5399fd4c2abfd426ff27d065439bf4ebfbc11335da992430ed8bde0b573580aa69dae5d6c0aff44c7b30ae551b2db9cde004490195
- Filesize: 264KB
  MD5: 2ac2a70a02a0d8d3c7b3f1a9bbf26628
  SHA1: 1e6813dc131a5cd09c9213906a1227302dc43efe
  SHA256: d01896b6581ba0b323b555f6b80e4a322a57787ec971c3e5ce1035a92c9bda73
  SHA512: bf631468907c811b9c1326c358f27ec9226dfd9c13e5aa5a7de6f7ec231e0c7a137134a954ec0aef86d8d56cdfcb2c5a3381354e458b0ddc9254ac323c92ac42
- Filesize: 348KB
  MD5: 249dbb64423a7247d09f1e38d35e4c50
  SHA1: 9dcd2873f78efe61fb03fc25283bebea106d3d13
  SHA256: bcbcfa55a9299de1b177ebe5a935a14daf76a70211511deb1920238047f1a2d2
  SHA512: 679dc0a5e9dd885db20624636305c895c48e97b28fe3007a1b591ac572324fd7179a69f6e4094cc855f5d54706bed2fe51f2d1fff07c79cb608898f850ea5fa5