Analysis
- max time kernel: 202s
- max time network: 212s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/10/2023, 11:57
Static task: static1
Behavioral task: behavioral1
- Sample: 8e2250e4bfca311f733166f8efc5aa7ae8af382f6ec4b00bb7fa7c782c4ac50c.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 8e2250e4bfca311f733166f8efc5aa7ae8af382f6ec4b00bb7fa7c782c4ac50c.exe
- Resource: win10v2004-20230915-en
General
- Target: 8e2250e4bfca311f733166f8efc5aa7ae8af382f6ec4b00bb7fa7c782c4ac50c.exe
- Size: 1.3MB
- MD5: f51f4b013f50935de63004231ff215ac
- SHA1: acb35c3c9d52804a46b817413675fcb97eb8347b
- SHA256: 8e2250e4bfca311f733166f8efc5aa7ae8af382f6ec4b00bb7fa7c782c4ac50c
- SHA512: 733c16238e9e0861c5d5944cf66d108d1f2c4b032b33e1f20c3ef2a3f3b2cc1939de83af075781c869c6fcd1a0f21b9d821e56b0db3ecf05617e557b8f8790b1
- SSDEEP: 24576:0yR/69Eq+VC4sE0xTRlZUIBH451nwCgiiKJznv6Ag7F2UnEeFDYTl4RW:Ds6VCRPTRlZPBHosSJDv6AgfcTl4
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (process: 1oR72RN4.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (process: 1oR72RN4.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (process: 1oR72RN4.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (process: 1oR72RN4.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (process: 1oR72RN4.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (process: 1oR72RN4.exe)
.NET Reactor protector 20 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Resources matching yara rule net_reactor:
- behavioral2/memory/1072-28-0x0000000004A10000-0x0000000004A30000-memory.dmp
- behavioral2/memory/1072-30-0x0000000004A80000-0x0000000004A90000-memory.dmp
- behavioral2/memory/1072-33-0x0000000005090000-0x00000000050AE000-memory.dmp
- behavioral2/memory/1072-34-0x0000000005090000-0x00000000050A8000-memory.dmp
- behavioral2/memory/1072-37-0x0000000005090000-0x00000000050A8000-memory.dmp
- behavioral2/memory/1072-35-0x0000000005090000-0x00000000050A8000-memory.dmp
- behavioral2/memory/1072-39-0x0000000005090000-0x00000000050A8000-memory.dmp
- behavioral2/memory/1072-41-0x0000000005090000-0x00000000050A8000-memory.dmp
- behavioral2/memory/1072-43-0x0000000005090000-0x00000000050A8000-memory.dmp
- behavioral2/memory/1072-45-0x0000000005090000-0x00000000050A8000-memory.dmp
- behavioral2/memory/1072-47-0x0000000005090000-0x00000000050A8000-memory.dmp
- behavioral2/memory/1072-49-0x0000000005090000-0x00000000050A8000-memory.dmp
- behavioral2/memory/1072-51-0x0000000005090000-0x00000000050A8000-memory.dmp
- behavioral2/memory/1072-53-0x0000000005090000-0x00000000050A8000-memory.dmp
- behavioral2/memory/1072-55-0x0000000005090000-0x00000000050A8000-memory.dmp
- behavioral2/memory/1072-57-0x0000000005090000-0x00000000050A8000-memory.dmp
- behavioral2/memory/1072-59-0x0000000005090000-0x00000000050A8000-memory.dmp
- behavioral2/memory/1072-61-0x0000000005090000-0x00000000050A8000-memory.dmp
- behavioral2/memory/1072-63-0x0000000005090000-0x00000000050A8000-memory.dmp
- behavioral2/memory/1072-65-0x0000000005090000-0x00000000050A8000-memory.dmp
Executes dropped EXE 5 IoCs
- PID 1856: fV3XU73.exe
- PID 652: Ys2JF43.exe
- PID 3308: Wn7WR33.exe
- PID 1072: 1oR72RN4.exe
- PID 3812: 2XU9406.exe
Windows security modification
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (process: 1oR72RN4.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (process: 1oR72RN4.exe)
Adds Run key to start application 2 TTPs 4 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: fV3XU73.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (process: Ys2JF43.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (process: Wn7WR33.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 8e2250e4bfca311f733166f8efc5aa7ae8af382f6ec4b00bb7fa7c782c4ac50c.exe)
Suspicious behavior: EnumeratesProcesses 2 IoCs
- PID 1072: 1oR72RN4.exe
- PID 1072: 1oR72RN4.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
- Token: SeDebugPrivilege, PID 1072: 1oR72RN4.exe
Suspicious use of WriteProcessMemory 15 IoCs
- PID 432 wrote to memory of 1856 (pid 432, process 8e2250e4bfca311f733166f8efc5aa7ae8af382f6ec4b00bb7fa7c782c4ac50c.exe, procid_target 90)
- PID 432 wrote to memory of 1856 (pid 432, process 8e2250e4bfca311f733166f8efc5aa7ae8af382f6ec4b00bb7fa7c782c4ac50c.exe, procid_target 90)
- PID 432 wrote to memory of 1856 (pid 432, process 8e2250e4bfca311f733166f8efc5aa7ae8af382f6ec4b00bb7fa7c782c4ac50c.exe, procid_target 90)
- PID 1856 wrote to memory of 652 (pid 1856, process fV3XU73.exe, procid_target 91)
- PID 1856 wrote to memory of 652 (pid 1856, process fV3XU73.exe, procid_target 91)
- PID 1856 wrote to memory of 652 (pid 1856, process fV3XU73.exe, procid_target 91)
- PID 652 wrote to memory of 3308 (pid 652, process Ys2JF43.exe, procid_target 92)
- PID 652 wrote to memory of 3308 (pid 652, process Ys2JF43.exe, procid_target 92)
- PID 652 wrote to memory of 3308 (pid 652, process Ys2JF43.exe, procid_target 92)
- PID 3308 wrote to memory of 1072 (pid 3308, process Wn7WR33.exe, procid_target 93)
- PID 3308 wrote to memory of 1072 (pid 3308, process Wn7WR33.exe, procid_target 93)
- PID 3308 wrote to memory of 1072 (pid 3308, process Wn7WR33.exe, procid_target 93)
- PID 3308 wrote to memory of 3812 (pid 3308, process Wn7WR33.exe, procid_target 102)
- PID 3308 wrote to memory of 3812 (pid 3308, process Wn7WR33.exe, procid_target 102)
- PID 3308 wrote to memory of 3812 (pid 3308, process Wn7WR33.exe, procid_target 102)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\8e2250e4bfca311f733166f8efc5aa7ae8af382f6ec4b00bb7fa7c782c4ac50c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8e2250e4bfca311f733166f8efc5aa7ae8af382f6ec4b00bb7fa7c782c4ac50c.exe"
  PID: 432
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fV3XU73.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fV3XU73.exe
    PID: 1856
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ys2JF43.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ys2JF43.exe
      PID: 652
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wn7WR33.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wn7WR33.exe
        PID: 3308
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oR72RN4.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oR72RN4.exe
          PID: 1072
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        - [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2XU9406.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2XU9406.exe
          PID: 3812
          - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads