Analysis
- max time kernel: 207s
- max time network: 276s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/05/2023, 18:33
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 7e0bd04d134d19f7a52d52b67d64d5123b5f8845a004e1d2a63cd580828bd644.exe
  - Resource: win7-20230220-en

Behavioral task
- behavioral2
  - Sample: 7e0bd04d134d19f7a52d52b67d64d5123b5f8845a004e1d2a63cd580828bd644.exe
  - Resource: win10v2004-20230221-en
General
- Target: 7e0bd04d134d19f7a52d52b67d64d5123b5f8845a004e1d2a63cd580828bd644.exe
- Size: 1.3MB
- MD5: a2b7a1f87ca533a7b348f8240d54c0e9
- SHA1: bb9dc4fdbf8892b2c7669bc95cf97e3e22694e20
- SHA256: 7e0bd04d134d19f7a52d52b67d64d5123b5f8845a004e1d2a63cd580828bd644
- SHA512: 37361eb9000b50a5f9637458bd401d4d0924c3a23fdc1bc9877fd31cccfb2b34db5f6fa11591fea9b936f1ef4b1277985d782567af73ae8490eb1f3637be46a1
- SSDEEP: 24576:QyCArgU9mIrkDQu+IkJq7tJyc7mDYBuK7J4zPnTFVrJ/iQ:XCAkbxC4ZJ6hK7wTFT
Malware Config
Signatures

Modifies Windows Defender Real-time Protection settings (signature name taken from the process tree below; the heading was missing from the extracted report)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | n4159844.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | n4159844.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | n4159844.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | n4159844.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | n4159844.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | n4159844.exe

Executes dropped EXE (4 IoCs)
pid | Process
228 | z6292979.exe
3828 | z9301734.exe
3932 | z3082283.exe
1948 | n4159844.exe

Windows security modification (signature name taken from the process tree below; the heading was missing from the extracted report)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | n4159844.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | n4159844.exe

Adds Run key to start application (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | z3082283.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 7e0bd04d134d19f7a52d52b67d64d5123b5f8845a004e1d2a63cd580828bd644.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 7e0bd04d134d19f7a52d52b67d64d5123b5f8845a004e1d2a63cd580828bd644.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z6292979.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z6292979.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z9301734.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | z9301734.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z3082283.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1948 | n4159844.exe
1948 | n4159844.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1948 | n4159844.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 4172 wrote to memory of 228 | 4172 | 7e0bd04d134d19f7a52d52b67d64d5123b5f8845a004e1d2a63cd580828bd644.exe | 79
PID 4172 wrote to memory of 228 | 4172 | 7e0bd04d134d19f7a52d52b67d64d5123b5f8845a004e1d2a63cd580828bd644.exe | 79
PID 4172 wrote to memory of 228 | 4172 | 7e0bd04d134d19f7a52d52b67d64d5123b5f8845a004e1d2a63cd580828bd644.exe | 79
PID 228 wrote to memory of 3828 | 228 | z6292979.exe | 80
PID 228 wrote to memory of 3828 | 228 | z6292979.exe | 80
PID 228 wrote to memory of 3828 | 228 | z6292979.exe | 80
PID 3828 wrote to memory of 3932 | 3828 | z9301734.exe | 81
PID 3828 wrote to memory of 3932 | 3828 | z9301734.exe | 81
PID 3828 wrote to memory of 3932 | 3828 | z9301734.exe | 81
PID 3932 wrote to memory of 1948 | 3932 | z3082283.exe | 82
PID 3932 wrote to memory of 1948 | 3932 | z3082283.exe | 82
PID 3932 wrote to memory of 1948 | 3932 | z3082283.exe | 82
Processes
- C:\Users\Admin\AppData\Local\Temp\7e0bd04d134d19f7a52d52b67d64d5123b5f8845a004e1d2a63cd580828bd644.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7e0bd04d134d19f7a52d52b67d64d5123b5f8845a004e1d2a63cd580828bd644.exe"
  PID: 4172
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6292979.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6292979.exe
    PID: 228
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9301734.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9301734.exe
      PID: 3828
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3082283.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3082283.exe
        PID: 3932
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n4159844.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n4159844.exe
          PID: 1948
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.1MB
  MD5: 8079776b6a061d3a31c887259e911f0f
  SHA1: 1458a5d426101ab2e3c6c4432afe26dad854adab
  SHA256: c346d44a0777738e41f7a095c7b325f4ae2a3ef51e3337d0720775a96fbb6528
  SHA512: 8004a58a24ac2c667c2eaa88331e32c0376b576f3b4d9b3322e0d8554cd58854d4a689ce590be7d6474168aaad39097db6853562ad396dca4d6b9025659e104d
- Filesize: 620KB
  MD5: 8cf3b894d309480522d188d136d914b0
  SHA1: e412cc06813361e9d1a97a708e46f902f7e50203
  SHA256: 40382fc4c5399556d77332e6798ef2bd05c60cbe6b454801cbd7c48807cfcc5d
  SHA512: 42cadce3ebd5b8f8b3a2f60df56b089ae0cfa69308b2c37e45d7f1e97c1c4de2783f752bbec0337b2f5f4175827815ee907c4ab365d1193564d8c76e647c0db6
- Filesize: 416KB
  MD5: efb63f09726d6f25f72c778af703a554
  SHA1: 2cd25b33b7fed62e0abf4b51f85ddc42e2310362
  SHA256: b54296eedccda843c9ca4e6b56aa48930b242646c9cecf2690f4a33ce6137e18
  SHA512: 15317c62e5f95c4cb23c2cc920e463bb2b65808092272ce5cf0c4a92c52d10da9115afc7c68929361f7d4bff29639464dbc9c78c01e4f50b20764956b33a281a
- Filesize: 360KB
  MD5: 2f135b7a50669638855a101b3119221e
  SHA1: 3a32de8034cbdf0ea7c1203e6c685472fadc6064
  SHA256: 83d4e88d0dc7e94adc22a5c1f396a453d55ba8d865ffec906d689541ea500dc9
  SHA512: d8b2c323e84d7881c0297edb6003820600ee00ad522a42e152a472c9c2410a2394211eb3260db31fc0d52949c803b17d90b2e57524cc4e41c0be765ca90e0942