Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
308s -
max time network
402s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system -
submitted
06/05/2023, 22:17
Static task
static1
Behavioral task
behavioral1
Sample
662561ce59f1d19d50c5f5e1f8e6c3ea9678269bae8f8d9d310bcc9053301373.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
662561ce59f1d19d50c5f5e1f8e6c3ea9678269bae8f8d9d310bcc9053301373.exe
Resource
win10v2004-20230221-en
General
-
Target
662561ce59f1d19d50c5f5e1f8e6c3ea9678269bae8f8d9d310bcc9053301373.exe
-
Size
618KB
-
MD5
51f46d7c3e0643880d6a7ad7f511e5af
-
SHA1
301e342102fae2537d136b0cb93fe6b332f3ab86
-
SHA256
662561ce59f1d19d50c5f5e1f8e6c3ea9678269bae8f8d9d310bcc9053301373
-
SHA512
00d47cb9308436b9ad017a3894f6c9e41d32d5a44f03a78d7f9a19d31edc30a4688e2275cd1281c31bb201f168e17afc2592a8cf3b46ae8fee52bbe6034f28fe
-
SSDEEP
12288:1y90ILG7DRQs7RZYagSucZLjTHW5z1WPJ2v+1ZG:1yVoDV2ago165z1WPyQG
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 97711157.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 97711157.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection 97711157.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 97711157.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 97711157.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 97711157.exe -
Executes dropped EXE 3 IoCs
pid Process 3584 st316088.exe 5088 97711157.exe 2696 kp809501.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" 97711157.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 662561ce59f1d19d50c5f5e1f8e6c3ea9678269bae8f8d9d310bcc9053301373.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 662561ce59f1d19d50c5f5e1f8e6c3ea9678269bae8f8d9d310bcc9053301373.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce st316088.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" st316088.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 5088 97711157.exe 5088 97711157.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 5088 97711157.exe Token: SeDebugPrivilege 2696 kp809501.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 5108 wrote to memory of 3584 5108 662561ce59f1d19d50c5f5e1f8e6c3ea9678269bae8f8d9d310bcc9053301373.exe 80 PID 5108 wrote to memory of 3584 5108 662561ce59f1d19d50c5f5e1f8e6c3ea9678269bae8f8d9d310bcc9053301373.exe 80 PID 5108 wrote to memory of 3584 5108 662561ce59f1d19d50c5f5e1f8e6c3ea9678269bae8f8d9d310bcc9053301373.exe 80 PID 3584 wrote to memory of 5088 3584 st316088.exe 81 PID 3584 wrote to memory of 5088 3584 st316088.exe 81 PID 3584 wrote to memory of 2696 3584 st316088.exe 82 PID 3584 wrote to memory of 2696 3584 st316088.exe 82 PID 3584 wrote to memory of 2696 3584 st316088.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\662561ce59f1d19d50c5f5e1f8e6c3ea9678269bae8f8d9d310bcc9053301373.exe"C:\Users\Admin\AppData\Local\Temp\662561ce59f1d19d50c5f5e1f8e6c3ea9678269bae8f8d9d310bcc9053301373.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st316088.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st316088.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3584 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\97711157.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\97711157.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5088
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp809501.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp809501.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2696
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
464KB
MD574b85911d011d404e1714414ca26c046
SHA1c991b22db2d7cb15b98de559db26469303ae5211
SHA2568fb000d4b5ea1e768814203fbe14c6015285dae7e2f31bc6607c973456ef84eb
SHA51206188b1df6c9e208dbcf2c87babafccfec8563de39ff38315d4b1b9adaba068cbf88c7f4c67af476e418f0a25decc618af05a0910e5f1f0381648f3b070e5036
-
Filesize
464KB
MD574b85911d011d404e1714414ca26c046
SHA1c991b22db2d7cb15b98de559db26469303ae5211
SHA2568fb000d4b5ea1e768814203fbe14c6015285dae7e2f31bc6607c973456ef84eb
SHA51206188b1df6c9e208dbcf2c87babafccfec8563de39ff38315d4b1b9adaba068cbf88c7f4c67af476e418f0a25decc618af05a0910e5f1f0381648f3b070e5036
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
478KB
MD5bfc0d391966cd5259c28a2ad2a0f0f3e
SHA1edf2be770c81666bfd2410810bb57949f2729219
SHA25685c63edc2a48594c62d06fd6e80ddc650b3dcde6151241d261514274ce30691c
SHA51219add3338ca8afc304e0c70f4a3490d7ec48fd55da41ec9938c5721efad53fa1f7028eede43c1ed05f2378e317198a9a8851cb670bdc7a24b99e0dbf3b211ed8
-
Filesize
478KB
MD5bfc0d391966cd5259c28a2ad2a0f0f3e
SHA1edf2be770c81666bfd2410810bb57949f2729219
SHA25685c63edc2a48594c62d06fd6e80ddc650b3dcde6151241d261514274ce30691c
SHA51219add3338ca8afc304e0c70f4a3490d7ec48fd55da41ec9938c5721efad53fa1f7028eede43c1ed05f2378e317198a9a8851cb670bdc7a24b99e0dbf3b211ed8