Analysis
- max time kernel: 249s
- max time network: 307s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/05/2023, 20:21 UTC
Static task: static1
Behavioral task: behavioral1
- Sample: 081c7491d68ce53a69fcbce697a800b76db4f7d786c2b1ed551864928fe58089.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 081c7491d68ce53a69fcbce697a800b76db4f7d786c2b1ed551864928fe58089.exe
- Resource: win10v2004-20230221-en
General
- Target: 081c7491d68ce53a69fcbce697a800b76db4f7d786c2b1ed551864928fe58089.exe
- Size: 1.2MB
- MD5: 85b25951bc2f67e37a244014c1dd19ae
- SHA1: 30755b9515425d1cb57aeb8610c08d39021740d5
- SHA256: 081c7491d68ce53a69fcbce697a800b76db4f7d786c2b1ed551864928fe58089
- SHA512: c6e03ee03ace08e2138a6568d6e863cfc4f727fb1a84685a71b065f5b4a9aad2bbfb4b7362bbf3c06ecce2da258bb92429e957911c8a9819dd731e88d86add00
- SSDEEP: 24576:+DTWYG5l2s+JcVCjiT/r0PTcuGzPP5lMcvBxenYLi1OuheoxY7qYV2GSBm:+DpG5wcVCjiTDbb35G0BjiUuh7xXw2L
Malware Config
Signatures
- Modifies Windows Defender Real-time Protection settings 6 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 190709580.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 190709580.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 190709580.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 190709580.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 190709580.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 190709580.exe
- Executes dropped EXE 3 IoCs
  pid | Process
  2372 | VZ957923.exe
  1612 | HG058549.exe
  1112 | 190709580.exe
- Windows security modification 2 IoCs
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 190709580.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 190709580.exe
- Adds Run key to start application 2 TTPs 6 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 081c7491d68ce53a69fcbce697a800b76db4f7d786c2b1ed551864928fe58089.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | VZ957923.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | VZ957923.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | HG058549.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | HG058549.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 081c7491d68ce53a69fcbce697a800b76db4f7d786c2b1ed551864928fe58089.exe
- Suspicious behavior: EnumeratesProcesses 2 IoCs
  pid | Process
  1112 | 190709580.exe
  1112 | 190709580.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 1112 | 190709580.exe
- Suspicious use of WriteProcessMemory 9 IoCs
  description | pid | Process | procid_target
  PID 3812 wrote to memory of 2372 | 3812 | 081c7491d68ce53a69fcbce697a800b76db4f7d786c2b1ed551864928fe58089.exe | 80
  PID 3812 wrote to memory of 2372 | 3812 | 081c7491d68ce53a69fcbce697a800b76db4f7d786c2b1ed551864928fe58089.exe | 80
  PID 3812 wrote to memory of 2372 | 3812 | 081c7491d68ce53a69fcbce697a800b76db4f7d786c2b1ed551864928fe58089.exe | 80
  PID 2372 wrote to memory of 1612 | 2372 | VZ957923.exe | 81
  PID 2372 wrote to memory of 1612 | 2372 | VZ957923.exe | 81
  PID 2372 wrote to memory of 1612 | 2372 | VZ957923.exe | 81
  PID 1612 wrote to memory of 1112 | 1612 | HG058549.exe | 82
  PID 1612 wrote to memory of 1112 | 1612 | HG058549.exe | 82
  PID 1612 wrote to memory of 1112 | 1612 | HG058549.exe | 82
Processes
- Path: C:\Users\Admin\AppData\Local\Temp\081c7491d68ce53a69fcbce697a800b76db4f7d786c2b1ed551864928fe58089.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\081c7491d68ce53a69fcbce697a800b76db4f7d786c2b1ed551864928fe58089.exe"
  Level: 1, PID: 3812
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - Path: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VZ957923.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VZ957923.exe
    Level: 2, PID: 2372
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - Path: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG058549.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\HG058549.exe
      Level: 3, PID: 1612
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - Path: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\190709580.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\190709580.exe
        Level: 4, PID: 1112
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
DNS lookups (all sent to 8.8.8.8:53):
- Request: 149.220.183.52.in-addr.arpa IN PTR (response received)
- Request: 153.141.79.40.in-addr.arpa IN PTR (response received)
- Request: 26.165.165.52.in-addr.arpa IN PTR (response received)
- Request: 95.221.229.192.in-addr.arpa IN PTR (response received)
- Request: 254.20.238.8.in-addr.arpa IN PTR (response received)
- Request: 206.23.85.13.in-addr.arpa IN PTR (response received)
- Request: 183.59.114.20.in-addr.arpa IN PTR (response received)
- Request: 2.36.159.162.in-addr.arpa IN PTR (response received)
- Request: 183.59.114.20.in-addr.arpa IN PTR (no response)
- Request: 183.59.114.20.in-addr.arpa IN PTR (no response)
- Request: 183.59.114.20.in-addr.arpa IN PTR (no response)
- Request: 183.59.114.20.in-addr.arpa IN PTR (no response)
- Request: 183.59.114.20.in-addr.arpa IN PTR (no response)
- Request: 50.23.12.20.in-addr.arpa IN PTR (response received)
- Request: 240.232.18.117.in-addr.arpa IN PTR (response received)

Unlabelled traffic rows (host column lost in extraction): 322 B 7 (x4), 260 B 5 (x4)

Traffic per DNS request (sent | received | requests | replies):
- 73 B | 147 B | 1 | 1 : 149.220.183.52.in-addr.arpa
- 72 B | 146 B | 1 | 1 : 153.141.79.40.in-addr.arpa
- 72 B | 146 B | 1 | 1 : 26.165.165.52.in-addr.arpa
- 73 B | 144 B | 1 | 1 : 95.221.229.192.in-addr.arpa
- 71 B | 125 B | 1 | 1 : 254.20.238.8.in-addr.arpa
- 71 B | 145 B | 1 | 1 : 206.23.85.13.in-addr.arpa
- 72 B | 158 B | 1 | 1 : 183.59.114.20.in-addr.arpa
- 71 B | 133 B | 1 | 1 : 2.36.159.162.in-addr.arpa
- 360 B | (none) | 5 | (none) : 183.59.114.20.in-addr.arpa, five unanswered requests
- 70 B | 156 B | 1 | 1 : 50.23.12.20.in-addr.arpa
- 73 B | 144 B | 1 | 1 : 240.232.18.117.in-addr.arpa
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 764KB
  MD5: 930848f4d972b28d262031b300e6a9fd
  SHA1: 042c87a19d6faa9ac1875df7b0d2b2e6e0e88832
  SHA256: df2d2033319c4bde307ed96c4ff802f3fad906de8bb0aa2fefec5e8f5b40e726
  SHA512: 6a9ac5f14e41f067807ecac05e3fa151677d0cbf9d51eaef6d953b1cf73dbfea6c6ca7d2aa9299052a3d077338a3bcc79c5af22f2e779a6f23085e1d9b4fe60a
- Filesize: 592KB
  MD5: 4411c57112249950167e2fb10f3a5c21
  SHA1: 7ad1819dd9d6b34d5b189921ab4c0f9a945f7deb
  SHA256: 581bcb58ddb1cd357ead0f01f7fad35528e2f94752e894d8cb16b52bb6f7cde3
  SHA512: 6f0c00bd7cfbc18e476584458b861ce13ba40b3f771b579c2a55524af102fdfd0dc9bace19749e140041fdf9c225733bff619de2041a18f32f4ed8b01b61bb89
- Filesize: 378KB
  MD5: aa77ef7b31187dab2126982db6bddf63
  SHA1: 60c0c53ca68c8a166472150554d4f7d31a0605db
  SHA256: 3c77f59c2c955bb799e085c3ae2171f7074cc9f54d725555b37fed026b217681
  SHA512: 75fdeda4eb64fd77e5b54c4efc4ca1ef8d21d699f2f3bb40e80714bb72aeddf72172d3d6b65b6d26eb9e9b5b3cb70ecc78d7e7a3a1d3fdbd4771d117887c1622