Analysis
max time kernel: 125s
max time network: 133s
platform: windows10-1703_x64
resource: win10-20230915-en
resource tags: arch:x64 arch:x86 image:win10-20230915-en locale:en-us os:windows10-1703-x64 system
submitted: 12/10/2023, 13:17
Static task
static1
Behavioral task
behavioral1
Sample
75ddc04fa1bfa1627018336f3ddd0294d076059f3bfc088336b85ed45cc8277f.exe
Resource
win10-20230915-en
General
Target: 75ddc04fa1bfa1627018336f3ddd0294d076059f3bfc088336b85ed45cc8277f.exe
Size: 1.4MB
MD5: 816541fe9065c76454bb1039cad54434
SHA1: b6bfe27f4fcd52015e0f509da261b1cfe8cac495
SHA256: 75ddc04fa1bfa1627018336f3ddd0294d076059f3bfc088336b85ed45cc8277f
SHA512: 5417ae419f90421f95ef99181873bd437b2a849268f0a73a1832bc0971131e919b44b5109d9cff7186719953431d98bae92122a05fdb6204c4e7bdaf8a427b47
SSDEEP: 24576:6yueP2Hg//eO9yI8KlW2YvO7AE1iHapG64Gm35uhh5828NCn49VR932:Bqu//PYvYAoYap4Xuhd49p
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
Executes dropped EXE 4 IoCs
pid | Process
4248 | SX4XN16.exe
4100 | mb4bE78.exe
3632 | ee5uN93.exe
5016 | 1Hf27pz6.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 75ddc04fa1bfa1627018336f3ddd0294d076059f3bfc088336b85ed45cc8277f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | SX4XN16.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | mb4bE78.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | ee5uN93.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 5016 set thread context of 4908 | 5016 | 1Hf27pz6.exe | 74
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2632 | 5016 | WerFault.exe | 73
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
4908 | AppLaunch.exe
4908 | AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4908 | AppLaunch.exe
Suspicious use of WriteProcessMemory 20 IoCs
description | pid | Process | procid_target
PID 404 wrote to memory of 4248 | 404 | 75ddc04fa1bfa1627018336f3ddd0294d076059f3bfc088336b85ed45cc8277f.exe | 70
PID 404 wrote to memory of 4248 | 404 | 75ddc04fa1bfa1627018336f3ddd0294d076059f3bfc088336b85ed45cc8277f.exe | 70
PID 404 wrote to memory of 4248 | 404 | 75ddc04fa1bfa1627018336f3ddd0294d076059f3bfc088336b85ed45cc8277f.exe | 70
PID 4248 wrote to memory of 4100 | 4248 | SX4XN16.exe | 71
PID 4248 wrote to memory of 4100 | 4248 | SX4XN16.exe | 71
PID 4248 wrote to memory of 4100 | 4248 | SX4XN16.exe | 71
PID 4100 wrote to memory of 3632 | 4100 | mb4bE78.exe | 72
PID 4100 wrote to memory of 3632 | 4100 | mb4bE78.exe | 72
PID 4100 wrote to memory of 3632 | 4100 | mb4bE78.exe | 72
PID 3632 wrote to memory of 5016 | 3632 | ee5uN93.exe | 73
PID 3632 wrote to memory of 5016 | 3632 | ee5uN93.exe | 73
PID 3632 wrote to memory of 5016 | 3632 | ee5uN93.exe | 73
PID 5016 wrote to memory of 4908 | 5016 | 1Hf27pz6.exe | 74
PID 5016 wrote to memory of 4908 | 5016 | 1Hf27pz6.exe | 74
PID 5016 wrote to memory of 4908 | 5016 | 1Hf27pz6.exe | 74
PID 5016 wrote to memory of 4908 | 5016 | 1Hf27pz6.exe | 74
PID 5016 wrote to memory of 4908 | 5016 | 1Hf27pz6.exe | 74
PID 5016 wrote to memory of 4908 | 5016 | 1Hf27pz6.exe | 74
PID 5016 wrote to memory of 4908 | 5016 | 1Hf27pz6.exe | 74
PID 5016 wrote to memory of 4908 | 5016 | 1Hf27pz6.exe | 74
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\75ddc04fa1bfa1627018336f3ddd0294d076059f3bfc088336b85ed45cc8277f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\75ddc04fa1bfa1627018336f3ddd0294d076059f3bfc088336b85ed45cc8277f.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 404
  [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SX4XN16.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SX4XN16.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 4248
    [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mb4bE78.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mb4bE78.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 4100
      [depth 4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ee5uN93.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ee5uN93.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 3632
        [depth 5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Hf27pz6.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Hf27pz6.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          PID: 5016
          [depth 6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            - Modifies Windows Defender Real-time Protection settings
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4908
          [depth 6] C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 552
            - Program crash
            PID: 2632
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
Filesize: 1.3MB
MD5: 67ee01dd85b0a1acd50e86e516b8c7ba
SHA1: 688d3aa8ffeecdb42ad82ae7ff1e18d3518d02b7
SHA256: dc336f41dba4d0d940c5a6c3d1c87b6dd572bff2ae88a6a56fb9596d4d4c3fd4
SHA512: 0517d4c9da247dae473475c45a954dd9fbcec13c88df4c3e9c42c50f94fcf086ae78afb26c759c033a7d82bb3cf4dc826e1661f134a59fa8c95574ff0d5a3eb4

Filesize: 896KB
MD5: 866e88195d687f07e6cd8fc82ea1be54
SHA1: b911fc235375485043eb1fc148fd2018aac96ba7
SHA256: 497fa10d01d1b83a494685389283b2d22099a4d259c1590e6422931fd0fdafc5
SHA512: 1c03e330302dd2d7c7ffe321c4977a72f9e5c11d0798f143ac250644a9d80af00b81217c43df43c7fd84a856879774e0f7f19111c0a567f919b34c82d0c267e6

Filesize: 533KB
MD5: 5f087f00ecc28e643029722c751445d3
SHA1: 94bc1ba6c0c9097e17252b930c4e249106150a25
SHA256: ccd766757cbe0379e749f628aafaad01502bc034593e07d8e63a074270663b74
SHA512: 883596d6486acd5cff2d8140c8b9f64aab483014c21f066ec89030897077a7455fa708d7458a745a0977fbaa3eb56a4d9c5e8e82828bb5cf2d6dec7f740b6877

Filesize: 232KB
MD5: 3ff825411b1fe07e712a5dcae34f80eb
SHA1: e3e4358cabfa74d6e36e26754b01ed78434a6877
SHA256: 69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739
SHA512: 325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81