Analysis
Max time kernel: 97s
Max time network: 100s
Platform: windows10-2004_x64
Resource: win10v2004-20230220-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 26/04/2023, 11:59
Static task
static1
General
Target: 92177daeb2132961078300e75e80fad12331299c77f12b269fa037d89fa52e1f.exe
Size: 694KB
MD5: b5d1b8bee757a40c9ad4052616a1afa9
SHA1: 3adc8e0c96393937206455aa6b5c85262d348ffd
SHA256: 92177daeb2132961078300e75e80fad12331299c77f12b269fa037d89fa52e1f
SHA512: 53564fee73bd807ef77e27406895b256740a6747b10e2a0785d67c6455cb97db09fc5f154bf378525e0708759a87b360f662055bad519c876ae10a4e10c8c7a9
SSDEEP: 12288:Ey90OU6dtdyMK/bd16ouYXcwv9AK1gmSQNZRhuVHc0iDMe76iBKWwB:EyZU6q/Z16Oci9p+mSWjid7e76iBr+
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 79492487.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 79492487.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 79492487.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 79492487.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 79492487.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 79492487.exe
Executes dropped EXE (4 IoCs)
pid | Process
4156 | un233288.exe
4760 | 79492487.exe
2016 | rk768277.exe
3500 | si212961.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 79492487.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 79492487.exe
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 92177daeb2132961078300e75e80fad12331299c77f12b269fa037d89fa52e1f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 92177daeb2132961078300e75e80fad12331299c77f12b269fa037d89fa52e1f.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un233288.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un233288.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash (2 IoCs)
pid | pid_target | Process | procid_target
2540 | 4760 | WerFault.exe | 86
744 | 2016 | WerFault.exe | 92
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
4760 | 79492487.exe
4760 | 79492487.exe
2016 | rk768277.exe
2016 | rk768277.exe
3500 | si212961.exe
3500 | si212961.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4760 | 79492487.exe
Token: SeDebugPrivilege | 2016 | rk768277.exe
Token: SeDebugPrivilege | 3500 | si212961.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 4504 wrote to memory of 4156 | 4504 | 92177daeb2132961078300e75e80fad12331299c77f12b269fa037d89fa52e1f.exe | 85
PID 4504 wrote to memory of 4156 | 4504 | 92177daeb2132961078300e75e80fad12331299c77f12b269fa037d89fa52e1f.exe | 85
PID 4504 wrote to memory of 4156 | 4504 | 92177daeb2132961078300e75e80fad12331299c77f12b269fa037d89fa52e1f.exe | 85
PID 4156 wrote to memory of 4760 | 4156 | un233288.exe | 86
PID 4156 wrote to memory of 4760 | 4156 | un233288.exe | 86
PID 4156 wrote to memory of 4760 | 4156 | un233288.exe | 86
PID 4156 wrote to memory of 2016 | 4156 | un233288.exe | 92
PID 4156 wrote to memory of 2016 | 4156 | un233288.exe | 92
PID 4156 wrote to memory of 2016 | 4156 | un233288.exe | 92
PID 4504 wrote to memory of 3500 | 4504 | 92177daeb2132961078300e75e80fad12331299c77f12b269fa037d89fa52e1f.exe | 95
PID 4504 wrote to memory of 3500 | 4504 | 92177daeb2132961078300e75e80fad12331299c77f12b269fa037d89fa52e1f.exe | 95
PID 4504 wrote to memory of 3500 | 4504 | 92177daeb2132961078300e75e80fad12331299c77f12b269fa037d89fa52e1f.exe | 95
Processes (indentation shows the parent/child process tree)
C:\Users\Admin\AppData\Local\Temp\92177daeb2132961078300e75e80fad12331299c77f12b269fa037d89fa52e1f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\92177daeb2132961078300e75e80fad12331299c77f12b269fa037d89fa52e1f.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 4504
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un233288.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un233288.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 4156
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\79492487.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\79492487.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 4760
            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1088
              - Program crash
              PID: 2540
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk768277.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk768277.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2016
            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 2000
              - Program crash
              PID: 744
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si212961.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si212961.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3500
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4760 -ip 4760
  PID: 4868
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2016 -ip 2016
  PID: 3496
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 136KB
MD5: e1c805d3cefe221689da30b8a2d944f2
SHA1: a9a94fd89ed22c2a127c81f6e57f822eae1d9f26
SHA256: 32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a
SHA512: 7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7
Filesize: 540KB
MD5: 7d586674121200257ab72e873e74137b
SHA1: 8a248c496c62d1c517706422385dd187ffd7418f
SHA256: b2743c8d70677103a56dcf0cea5cd28b74dc4001c445f8d317077cd9783c6514
SHA512: e44b4419e62d2e5ce50f1985af7e7c82adac42e983ac4c681aae308600afe2c9d343251e9030189a325537b1044868f9784cb26a98c0cc010476c0f65aef999e
Filesize: 264KB
MD5: cc40bdf999b0ec5a7d68c1562f67f15c
SHA1: e92bb4d1506233ba3d42fafedb87a5462b19a912
SHA256: 35ce24c4dc5b60f43f9f469496bbcd950cc6323a9ffe17a72664ef0858d000ec
SHA512: fc95c565e04f56d1ad2ca9f6e9f1a7a2685327fcf48aad0aa2e4512365d1e160cd124f84deed9222289eb48da1caca4b01dbe17c6daa3207dea8d1d311809a5c
Filesize: 348KB
MD5: 510b84bd22a3726f21a0dbe32d253b04
SHA1: af626bcaa846dcb616f7cc09b1af2bcea3b51fb9
SHA256: 2fb2b3acca03f918289cc0d6e251a546dbdfcd7c2c3008d534adf45abf160bf2
SHA512: 18cef5278fdc5fe5e6816a0fb59d8b52a76e3e3f7b68b3921d7e74f12a8f8039f9266b0427ae1db51687190b0adad9bc908cac9f9f7d4f0221a457437deb19fc