Analysis
max time kernel: 51s
max time network: 71s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 26/04/2023, 18:13
Static task
static1
General
Target: 94ec63d53685ff39acbf43143cc01f43b987e4eb47f8febcd26d2f2fd5f300d4.exe
Size: 691KB
MD5: 2939af54ec7ac240a0e1ecc621ad8e43
SHA1: a4cc3713140198dbfb6b52df85dea79f94e2998c
SHA256: 94ec63d53685ff39acbf43143cc01f43b987e4eb47f8febcd26d2f2fd5f300d4
SHA512: eaa4d3377320205811466d4c5fab57300f5d2413b785fdf29fde29bfcb891626f4b0e5e153e10d1ca6bec37711c696b4c30edacdc6b9e2edf414932ca3d3240d
SSDEEP: 12288:1y90cDclXnR7Qwgx4A0LJuqLuZB/Sve2M7CGKANBfbzV/6u/m4kO:1yzKXnOw64NuqLAE22fANZbz3b
Malware Config
Signatures

Modifies Windows Defender Real-time Protection settings 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 66425100.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 66425100.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 66425100.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 66425100.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 66425100.exe

Executes dropped EXE 5 IoCs
pid | Process
3620 | un494736.exe
3940 | 66425100.exe
1004 | rk878726.exe
60 | rk878726.exe
3888 | si568370.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 66425100.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 66425100.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 94ec63d53685ff39acbf43143cc01f43b987e4eb47f8febcd26d2f2fd5f300d4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 94ec63d53685ff39acbf43143cc01f43b987e4eb47f8febcd26d2f2fd5f300d4.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | un494736.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un494736.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1004 set thread context of 60 | 1004 | rk878726.exe | 69

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
3940 | 66425100.exe
3940 | 66425100.exe
3888 | si568370.exe
3888 | si568370.exe
60 | rk878726.exe
60 | rk878726.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3940 | 66425100.exe
Token: SeDebugPrivilege | 60 | rk878726.exe
Token: SeDebugPrivilege | 3888 | si568370.exe

Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target | occurrences
PID 5104 wrote to memory of 3620 | 5104 | 94ec63d53685ff39acbf43143cc01f43b987e4eb47f8febcd26d2f2fd5f300d4.exe | 66 | 3
PID 3620 wrote to memory of 3940 | 3620 | un494736.exe | 67 | 3
PID 3620 wrote to memory of 1004 | 3620 | un494736.exe | 68 | 3
PID 1004 wrote to memory of 60 | 1004 | rk878726.exe | 69 | 9
PID 5104 wrote to memory of 3888 | 5104 | 94ec63d53685ff39acbf43143cc01f43b987e4eb47f8febcd26d2f2fd5f300d4.exe | 70 | 3
Processes

1. C:\Users\Admin\AppData\Local\Temp\94ec63d53685ff39acbf43143cc01f43b987e4eb47f8febcd26d2f2fd5f300d4.exe (PID 5104)
   Command line: "C:\Users\Admin\AppData\Local\Temp\94ec63d53685ff39acbf43143cc01f43b987e4eb47f8febcd26d2f2fd5f300d4.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un494736.exe (PID 3620)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un494736.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\66425100.exe (PID 3940)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\66425100.exe
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk878726.exe (PID 1004)
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk878726.exe
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk878726.exe (PID 60)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk878726.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si568370.exe (PID 3888)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si568370.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 136KB
MD5: e1c805d3cefe221689da30b8a2d944f2
SHA1: a9a94fd89ed22c2a127c81f6e57f822eae1d9f26
SHA256: 32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a
SHA512: 7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Filesize: 136KB
MD5: e1c805d3cefe221689da30b8a2d944f2
SHA1: a9a94fd89ed22c2a127c81f6e57f822eae1d9f26
SHA256: 32023b065401cf468d0088e334ad60bf12afc3d552030a6a3500e74500de735a
SHA512: 7801b1432717a8105f7f255d7387eaffa264eddf74e6b782776d548f9dbb82b5223c7412df3cbc8e91cc63988e2e04a8160280f697e93d0fa5d056dc183252e7

Filesize: 537KB
MD5: 4fb11bf5300f62d0e77fc85541b54d50
SHA1: 62885f8ec5bd74d3edbc608cde64225933ca82fa
SHA256: 47e05cc0cb192afd85fa4ea11786edda55a4923ccda06b658b7da2abd96ac8ad
SHA512: d040afffc23b2a08e749a87250e63a2f3a58a4edb4aa787b4653654d86429d20532c00985c7dd53e78492b9e4b6e1b3783e59097c7f5b676cacbe906769e2595

Filesize: 537KB
MD5: 4fb11bf5300f62d0e77fc85541b54d50
SHA1: 62885f8ec5bd74d3edbc608cde64225933ca82fa
SHA256: 47e05cc0cb192afd85fa4ea11786edda55a4923ccda06b658b7da2abd96ac8ad
SHA512: d040afffc23b2a08e749a87250e63a2f3a58a4edb4aa787b4653654d86429d20532c00985c7dd53e78492b9e4b6e1b3783e59097c7f5b676cacbe906769e2595

Filesize: 259KB
MD5: 677c0da804037e1736c47c1fb7654ca4
SHA1: 44fb874ab5a8f0b7df72e91395374a323bc0d12a
SHA256: d3c70f503c5238a3d103fbb496af4e803bba8877bde4976f9be2889d3fd15312
SHA512: 96cee7f9f2775d1f3d38dc3620db2f859574f24fbb6d1799b74ddfc07c4d9988ffcc0e8f5c8fc9553113c80232156dc2cab643aab80036df0973a690ef92149e

Filesize: 259KB
MD5: 677c0da804037e1736c47c1fb7654ca4
SHA1: 44fb874ab5a8f0b7df72e91395374a323bc0d12a
SHA256: d3c70f503c5238a3d103fbb496af4e803bba8877bde4976f9be2889d3fd15312
SHA512: 96cee7f9f2775d1f3d38dc3620db2f859574f24fbb6d1799b74ddfc07c4d9988ffcc0e8f5c8fc9553113c80232156dc2cab643aab80036df0973a690ef92149e

Filesize: 342KB
MD5: 94a3c0dcdf8071a0f0f6d7c56c8549d2
SHA1: 5a2d0a547a28886a79fb744ddd0f1198872be170
SHA256: dbaf987c89f5e8c3e5e30502264c2b27d50d9829152fa39294a69eecb1722cb3
SHA512: cc990307f9a1c6cf495e607727bde45400d48f5f6e26cc218e9933be7bf709515394e84972172ab47a3b7de8887ec21c6371ded079e233b38d89cb542ba951f4

Filesize: 342KB
MD5: 94a3c0dcdf8071a0f0f6d7c56c8549d2
SHA1: 5a2d0a547a28886a79fb744ddd0f1198872be170
SHA256: dbaf987c89f5e8c3e5e30502264c2b27d50d9829152fa39294a69eecb1722cb3
SHA512: cc990307f9a1c6cf495e607727bde45400d48f5f6e26cc218e9933be7bf709515394e84972172ab47a3b7de8887ec21c6371ded079e233b38d89cb542ba951f4

Filesize: 342KB
MD5: 94a3c0dcdf8071a0f0f6d7c56c8549d2
SHA1: 5a2d0a547a28886a79fb744ddd0f1198872be170
SHA256: dbaf987c89f5e8c3e5e30502264c2b27d50d9829152fa39294a69eecb1722cb3
SHA512: cc990307f9a1c6cf495e607727bde45400d48f5f6e26cc218e9933be7bf709515394e84972172ab47a3b7de8887ec21c6371ded079e233b38d89cb542ba951f4