Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
53s -
max time network
65s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
08/06/2023, 02:13
Static task
static1
General
-
Target
70497b36ef699bece876e62c4ff4ec66f227cabeaf3730508a869ddc94883ce5.exe
-
Size
121KB
-
MD5
294c6778c0b5de1d617a48ff0f690f58
-
SHA1
94b8e5eaeef8dca78cb4c438dee3583521939dd0
-
SHA256
70497b36ef699bece876e62c4ff4ec66f227cabeaf3730508a869ddc94883ce5
-
SHA512
0c56dd8d361965386e67b9883589da9a1d00f36d58de882648ffb713919e93dd0fc3b38c74358e8eb4016ed9f34e42f26e4f12642f7bf78cbece82a858fdcaca
-
SSDEEP
3072:X9QLdsON8xxwaTq29LjK++E7LfWv98oyhuWVFrag1shbYrtvx:tQLvN8VTkEOWVFmZh8rt
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" AppLaunch.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4028 set thread context of 3412 4028 70497b36ef699bece876e62c4ff4ec66f227cabeaf3730508a869ddc94883ce5.exe 67 -
Program crash 1 IoCs
pid pid_target Process procid_target 5032 4028 WerFault.exe 65 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3412 AppLaunch.exe 3412 AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3412 AppLaunch.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 4028 wrote to memory of 3412 4028 70497b36ef699bece876e62c4ff4ec66f227cabeaf3730508a869ddc94883ce5.exe 67 PID 4028 wrote to memory of 3412 4028 70497b36ef699bece876e62c4ff4ec66f227cabeaf3730508a869ddc94883ce5.exe 67 PID 4028 wrote to memory of 3412 4028 70497b36ef699bece876e62c4ff4ec66f227cabeaf3730508a869ddc94883ce5.exe 67 PID 4028 wrote to memory of 3412 4028 70497b36ef699bece876e62c4ff4ec66f227cabeaf3730508a869ddc94883ce5.exe 67 PID 4028 wrote to memory of 3412 4028 70497b36ef699bece876e62c4ff4ec66f227cabeaf3730508a869ddc94883ce5.exe 67
Processes
-
C:\Users\Admin\AppData\Local\Temp\70497b36ef699bece876e62c4ff4ec66f227cabeaf3730508a869ddc94883ce5.exe"C:\Users\Admin\AppData\Local\Temp\70497b36ef699bece876e62c4ff4ec66f227cabeaf3730508a869ddc94883ce5.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3412
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 4922⤵
- Program crash
PID:5032
-