Analysis

  • max time kernel
    144s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/02/2024, 10:53

General

  • Target

    WinaeroTweaker-1.62.1.0-setup.exe

  • Size

    5.7MB

  • MD5

    157e743031c4e6be81ab205ee109f944

  • SHA1

    06c39459502adf9ccab19111bef0877b6f21d670

  • SHA256

    6c1ec6433e1d991ec587ae14bd00d9c37ed8395896caa6ce19e1b48a12a50346

  • SHA512

    eaa9a078a093bc108b28c1469cf82a301b2ce0a5d66e293f89d94a12d1dab383d4b79e60a6a9514555a692e23ca4c99fa67885cac9f04c584c80b1bfd6cd6e35

  • SSDEEP

    98304:nkL+yAKH/+GFeGCYKtl/gOGhpslPXCuutHpKx8o3zEOqWAwPWBCBnQX5FHin1KTc:c+5KH/+Grg5gOEuO8x8wAOPAwEynMFaN

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 21 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WinaeroTweaker-1.62.1.0-setup.exe
    "C:\Users\Admin\AppData\Local\Temp\WinaeroTweaker-1.62.1.0-setup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4848
    • C:\Users\Admin\AppData\Local\Temp\is-BJ1SQ.tmp\WinaeroTweaker-1.62.1.0-setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-BJ1SQ.tmp\WinaeroTweaker-1.62.1.0-setup.tmp" /SL5="$F01C0,5091039,832000,C:\Users\Admin\AppData\Local\Temp\WinaeroTweaker-1.62.1.0-setup.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1548
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweaker.exe /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:876
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im winaerotweaker.exe /f
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3856
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweakerhelper.exe /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5040
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im winaerotweakerhelper.exe /f
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3260
      • C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe
        "C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4872
        • C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe
          "C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe" -profile="C:\Users\Admin" -sid="S-1-5-21-609813121-2907144057-1731107329-1000" -muil="en-US"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4772
          • C:\Program Files\Winaero Tweaker\WinaeroTweakerHelper.exe
            "C:\Program Files\Winaero Tweaker\WinaeroTweakerHelper.exe" -
            5⤵
            • Executes dropped EXE
            PID:4256
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://winaero.com/?utm_source=software&utm_medium=in-app&utm_campaign=winaerotweaker&utm_content=setupcheckbox
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:644
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd47ef46f8,0x7ffd47ef4708,0x7ffd47ef4718
          4⤵
          PID:3948
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,5463744365546165630,2594028126038775020,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
          4⤵
          PID:1748
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,5463744365546165630,2594028126038775020,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
          4⤵
          PID:960
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,5463744365546165630,2594028126038775020,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4992
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,5463744365546165630,2594028126038775020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
          4⤵
          PID:1628
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,5463744365546165630,2594028126038775020,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
          4⤵
          PID:4716
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1412
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1912

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Winaero Tweaker\WinaeroControls.dll
    Filesize
    428KB
    MD5
    e3053e6ca40b44d5937a5b6ca1de7fa1
    SHA1
    f0cd747c34834a82ad1a1860b41a53a0981e91ef
    SHA256
    aa1e84244d46228f198cf3e1373658032c2f4d01c25db1c4966ffb87eb9bdc8b
    SHA512
    c8176b29016d244c0760222a4f42dc3a05a189a8c139061db08e8aae6639734b7198f79514586fadea21616781975002bac9a6acd3b96167317045d9f81be265

  • C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe
    Filesize
    5.1MB
    MD5
    bd58a64a60d76cc1cfa38fd1c27419f5
    SHA1
    db1f416b55131682547f007351ad859edc5468c2
    SHA256
    69ecfd7ad61617a769d230d6d6db082d965c5550f92c4913cd60ef47d3158d38
    SHA512
    ab11ffbf0b2d39a2255357dd22489610cf6ee1f2316f6028d7120454e31ffc9c0ea794be9d134afe7fea91606f38c14bbfcf19de0bd7d085f02964d1c3ecf32b

  • C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe
    Filesize
    761KB
    MD5
    f75b66e78dc326799127de3382643c16
    SHA1
    5a93edefdcb89eed42ab28c2bfee7d7e7a313bba
    SHA256
    ea4165dc609237d80e744cee3350ca9ff1d627e308b869cec8b0ea5272bb0b4c
    SHA512
    3ac53f221e9f98055d610f61322b16582cd69e0ab42d238b96e831dacc436488e0ef8a7f44e23f4ae8bc0dcfa19151246fde32aba911e4bc576d0e32914dd138

  • C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe
    Filesize
    285KB
    MD5
    b95cc8d376d9043805efb1dbe856bc35
    SHA1
    de3568e46b898ea6e8d9835aa0f8d5445c792791
    SHA256
    ff94da1449c1e8461e69c3e9a70f5d28fc38d48f209944b756d6521c91f155ad
    SHA512
    a9dcd6a4398d5a114d663f8043b7e52b91caf1490344369965902e43641b793a845ed07347432dba95936b7e5442d481a571519028a158d78fe5b2faaace6c51

  • C:\Program Files\Winaero Tweaker\WinaeroTweakerHelper.exe
    Filesize
    330KB
    MD5
    8e0aec38406afacff9487529add32c74
    SHA1
    4a7973910178147b217107db30610bf3416f2745
    SHA256
    c789872a6141e19f9cb71abb8260c8303a2ac48dfd86f36912a4649800a78d39
    SHA512
    a29bac662446c238c787635654a1787471c484c5887cca5838361c232dca1d32220b50f36fe918b39db7d6f1976f0584332386340e96a7f85e2d71123014e62c

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WinaeroTweaker.exe.log
    Filesize
    1KB
    MD5
    baf55b95da4a601229647f25dad12878
    SHA1
    abc16954ebfd213733c4493fc1910164d825cac8
    SHA256
    ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
    SHA512
    24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize
    152B
    MD5
    36bb45cb1262fcfcab1e3e7960784eaa
    SHA1
    ab0e15841b027632c9e1b0a47d3dec42162fc637
    SHA256
    7c6b0de6f9b4c3ca1f5d6af23c3380f849825af00b58420b76c72b62cfae44ae
    SHA512
    02c54c919f8cf3fc28f5f965fe1755955636d7d89b5f0504a02fcd9d94de8c50e046c7c2d6cf349fabde03b0fbbcc61df6e9968f2af237106bf7edd697e07456

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize
    152B
    MD5
    1e3dc6a82a2cb341f7c9feeaf53f466f
    SHA1
    915decb72e1f86e14114f14ac9bfd9ba198fdfce
    SHA256
    a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c
    SHA512
    0a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize
    309B
    MD5
    ce9c7aa9c6624e361595e626f30bd660
    SHA1
    dd9794c534df4b99560037d4735dd5da8376cbc8
    SHA256
    deeacb4632fb9f078ac939c8c931b4239a1ee7f2af877a3fce7708ae8f7acb95
    SHA512
    af2dce094f9b25bff3d0f3652db0f54dc65247199c77b3802bf197f19ca7b3dcd137b44f51fe1eaa1837ce691c6929ad5d672398cd26e276e875acd1edb67e8f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize
    6KB
    MD5
    005cd4dde8f53cd5644a03d35e99200a
    SHA1
    c14d4051bfbb4c2595cebdaf2c0a8db19b78ed26
    SHA256
    b40d959900eb1d3f78a5465ab90caed208fe4fde9ee93fc22cd311c252e9eb7f
    SHA512
    7d478d3dd8ebbc27d2a193d5db8f2b4065ab9829b027c2b80dfe9a57dcc97d238f2d5b6c9ff6e920acf385d401163db264c3f730578094dfcc541f77a34aec58

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize
    6KB
    MD5
    161bf3052c71a31b7d19c2edc9a01cb7
    SHA1
    81f080761f72a27a11bfa83f71f711e0bd1b0fa5
    SHA256
    9d09c3f3a6a018f823945b51da015af35a8b0d8fa17234e7ec676ca67cf63cc9
    SHA512
    b7e92e8e157e6d47399493b2d55b90a32efbfb21ff8fd3ad78e4d563213a8389e6521609a8ae074efb3ac893a4cdd31033983b4a3c452e13d25baeb9f353fbed

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize
    11KB
    MD5
    d064ee1d5363cc97018fdc89310a7f53
    SHA1
    5527fb2a0717461dc892dcccdfa0389fb439bf1f
    SHA256
    010364783060941241ce447668ce235ff29fd083b467e4f4d8e3a76f70da99e5
    SHA512
    6535615c3c108dff24de973a5537d836325be440446c0cb65fd36e21ec84af812b4c851a6d326d4c62c1d9b5de8a146682e5925dcd16145a835889aca6eaf642

  • C:\Users\Admin\AppData\Local\Temp\is-BJ1SQ.tmp\WinaeroTweaker-1.62.1.0-setup.tmp
    Filesize
    3.0MB
    MD5
    7ce94ddf4648f1d972c77764e24b527f
    SHA1
    a061a2bac5fdc29d03db7cef56b1e242f54b5b8b
    SHA256
    5f252a8d3629e51f265de8002be947a24a78b101330a71b4b01afbe59edd716d
    SHA512
    b15d4ff889bae492f3418c0d9ca0c1bbe89a3ffb95309924735873c166b937bba6da28dca451fb408204ab2704416ac0733547e8717b81e1d2a0fba0c116c47a

  • C:\Users\Admin\AppData\Local\Temp\is-QLI5K.tmp\_isetup\_iscrypt.dll
    Filesize
    2KB
    MD5
    a69559718ab506675e907fe49deb71e9
    SHA1
    bc8f404ffdb1960b50c12ff9413c893b56f2e36f
    SHA256
    2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
    SHA512
    e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

  • memory/1548-86-0x0000000000400000-0x0000000000713000-memory.dmp
    Filesize
    3.1MB

  • memory/1548-6-0x0000000002810000-0x0000000002811000-memory.dmp
    Filesize
    4KB

  • memory/1548-15-0x0000000002810000-0x0000000002811000-memory.dmp
    Filesize
    4KB

  • memory/1548-12-0x0000000000400000-0x0000000000713000-memory.dmp
    Filesize
    3.1MB

  • memory/1548-31-0x0000000000400000-0x0000000000713000-memory.dmp
    Filesize
    3.1MB

  • memory/4772-215-0x000002BB63D60000-0x000002BB63D70000-memory.dmp
    Filesize
    64KB

  • memory/4772-212-0x000002BB63D60000-0x000002BB63D70000-memory.dmp
    Filesize
    64KB

  • memory/4772-211-0x00007FFD49930000-0x00007FFD4A3F1000-memory.dmp
    Filesize
    10.8MB

  • memory/4772-216-0x000002BB673A0000-0x000002BB673C2000-memory.dmp
    Filesize
    136KB

  • memory/4772-217-0x000002BB63D60000-0x000002BB63D70000-memory.dmp
    Filesize
    64KB

  • memory/4772-218-0x00007FFD49930000-0x00007FFD4A3F1000-memory.dmp
    Filesize
    10.8MB

  • memory/4848-1-0x0000000000400000-0x00000000004D8000-memory.dmp
    Filesize
    864KB

  • memory/4848-88-0x0000000000400000-0x00000000004D8000-memory.dmp
    Filesize
    864KB

  • memory/4848-11-0x0000000000400000-0x00000000004D8000-memory.dmp
    Filesize
    864KB

  • memory/4872-98-0x0000020F19A80000-0x0000020F19A86000-memory.dmp
    Filesize
    24KB

  • memory/4872-210-0x00007FFD49930000-0x00007FFD4A3F1000-memory.dmp
    Filesize
    10.8MB

  • memory/4872-97-0x0000020F33B30000-0x0000020F33BA0000-memory.dmp
    Filesize
    448KB

  • memory/4872-95-0x0000020F33BA0000-0x0000020F33BB0000-memory.dmp
    Filesize
    64KB

  • memory/4872-94-0x0000020F33BC0000-0x0000020F33DF0000-memory.dmp
    Filesize
    2.2MB

  • memory/4872-83-0x00007FFD49930000-0x00007FFD4A3F1000-memory.dmp
    Filesize
    10.8MB

  • memory/4872-82-0x0000020F19190000-0x0000020F196B6000-memory.dmp
    Filesize
    5.1MB