Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/05/2023, 09:25
Static task: static1
Behavioral task: behavioral1
Sample: 1717944b9a0d01ef92a47b6d46b94fa140a50658977982a0d65f1d2f5fc7331e.exe
Resource: win10v2004-20230221-en
General
Target: 1717944b9a0d01ef92a47b6d46b94fa140a50658977982a0d65f1d2f5fc7331e.exe
Size: 479KB
MD5: 20b578125004cd9b23a8935e4b088a7b
SHA1: b6741599abfc42d7c99ecb821499f1ab3ae4893e
SHA256: 1717944b9a0d01ef92a47b6d46b94fa140a50658977982a0d65f1d2f5fc7331e
SHA512: 313718ca494217c2930cbe1adb6e325c8254432cfdf515e4067e7a9c2ee08d5ed56cd85992bcfe9ef8c9516b5d5cae9d8aca9dba3d53b1a03b7ecc5305635e1c
SSDEEP: 12288:z2Mr0y90fYnv/F3ltTkXVqrQb0OMw2vvjlDpg1ZY:z2yGY3FVaXQU0Fw6vppgHY
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
(description / ioc / process)
- Key created / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection / k5294646.exe
- Set value (int) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" / k5294646.exe
- Set value (int) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" / k5294646.exe
- Set value (int) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" / k5294646.exe
- Set value (int) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" / k5294646.exe
- Set value (int) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" / k5294646.exe
Executes dropped EXE 3 IoCs
(pid / process)
- 4172 / y6130138.exe
- 4740 / k5294646.exe
- 4324 / l1265522.exe
Windows security modification
(description / ioc / process)
- Key created / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features / k5294646.exe
- Set value (int) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" / k5294646.exe
Adds Run key to start application 2 TTPs 4 IoCs
(description / ioc / process)
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" / y6130138.exe
- Key created / \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce / 1717944b9a0d01ef92a47b6d46b94fa140a50658977982a0d65f1d2f5fc7331e.exe
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" / 1717944b9a0d01ef92a47b6d46b94fa140a50658977982a0d65f1d2f5fc7331e.exe
- Key created / \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce / y6130138.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
(pid / process)
- 4740 / k5294646.exe
- 4740 / k5294646.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
(description / pid / process)
- Token: SeDebugPrivilege / 4740 / k5294646.exe
Suspicious use of WriteProcessMemory 9 IoCs
(description / pid / process / procid_target)
- PID 1644 wrote to memory of 4172 / 1644 / 1717944b9a0d01ef92a47b6d46b94fa140a50658977982a0d65f1d2f5fc7331e.exe / 83
- PID 1644 wrote to memory of 4172 / 1644 / 1717944b9a0d01ef92a47b6d46b94fa140a50658977982a0d65f1d2f5fc7331e.exe / 83
- PID 1644 wrote to memory of 4172 / 1644 / 1717944b9a0d01ef92a47b6d46b94fa140a50658977982a0d65f1d2f5fc7331e.exe / 83
- PID 4172 wrote to memory of 4740 / 4172 / y6130138.exe / 84
- PID 4172 wrote to memory of 4740 / 4172 / y6130138.exe / 84
- PID 4172 wrote to memory of 4740 / 4172 / y6130138.exe / 84
- PID 4172 wrote to memory of 4324 / 4172 / y6130138.exe / 89
- PID 4172 wrote to memory of 4324 / 4172 / y6130138.exe / 89
- PID 4172 wrote to memory of 4324 / 4172 / y6130138.exe / 89
Processes
1. C:\Users\Admin\AppData\Local\Temp\1717944b9a0d01ef92a47b6d46b94fa140a50658977982a0d65f1d2f5fc7331e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1717944b9a0d01ef92a47b6d46b94fa140a50658977982a0d65f1d2f5fc7331e.exe"
   PID: 1644
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6130138.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6130138.exe
      PID: 4172
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5294646.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5294646.exe
         PID: 4740
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1265522.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1265522.exe
         PID: 4324
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 307KB
  MD5: e26ddcfd400bc6fe6ea555ae753e700a
  SHA1: 1143032b157c6c51461772bebc631970b3e20482
  SHA256: 91db47afa98b34cc2ca4a7187747a549d2fad178fe3ec86da8f598662c51eb27
  SHA512: 621011270e2318394e03d5ea34d36a68dcf494e515f112d761180e9378a9bec18a08218ff45026064a6dd06dd7a3ecfd5f874f4cbc1e6f3c7187ec6955369ded
- Filesize: 175KB
  MD5: 4311bdbfc7b0016fe6de239b75d6a8b4
  SHA1: edb03f9a79ef45e2abbd76035d6ef59184738000
  SHA256: 777760bc357ac149a7bd203bb935c38151a419823bd6d8fe3c43fe781f055d4b
  SHA512: 926903700be7add21a58a2c4a4cacfb81b63d234db3cb641594813d4d2803ea13675fbc41885156076693934599a9a4edcc74372c4ed145fa587afa2c63883b5
- Filesize: 137KB
  MD5: 4beb0605aab42395f72afbc987065685
  SHA1: 74d88dab4d815987453391527223ce513580b41a
  SHA256: 543ac3756de90c8cda77b6c52435d3e19937661460f250a196a54ecbdbe1d0cf
  SHA512: 62c9a20649030b2c4c26b5dabcf9730875d70d27d5d2b2d6463e594bb6432947d5bade46df71643318b7fd42eff78fbeb6e2345e8d2e4831563dbf773d67fa73