Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
24/06/2024, 07:22
Static task
static1
Behavioral task
behavioral1
Sample
WebModuleBrowser.exe
Resource
win7-20240611-en
General
-
Target
WebModuleBrowser.exe
-
Size
7.4MB
-
MD5
833de83d9255cbf8460b1c5847de8d4b
-
SHA1
b31ec31d0663802b21ea2aeed37377460025a6da
-
SHA256
2e3b753447ccd7d4a766dce1392d884fc6a3632d858f77ad19465a6504708ae6
-
SHA512
8bb0e6591fdb344f9b1d55cc78937ad4ae2205294f0d67553a80c73a3c8fbc5bdb23b87eb1f433ee0017e76423b5ee7d96217e7234c2b0ba599500361f67e736
-
SSDEEP
98304:8iKKwZccnGtg57ET+AjfN7TBrHJWGs2NyqeoNE/7SRYY2VymGu/m6zHAlA64TRRn:8RZccQFZ9TVHJack+YlGlSRRbCvU
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 5064 powershell.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 2416 icacls.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 5064 powershell.exe 5064 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 5064 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1516 javaw.exe 1516 javaw.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 5032 wrote to memory of 1516 5032 WebModuleBrowser.exe 81 PID 5032 wrote to memory of 1516 5032 WebModuleBrowser.exe 81 PID 1516 wrote to memory of 2416 1516 javaw.exe 82 PID 1516 wrote to memory of 2416 1516 javaw.exe 82 PID 1516 wrote to memory of 2832 1516 javaw.exe 84 PID 1516 wrote to memory of 2832 1516 javaw.exe 84 PID 2832 wrote to memory of 5064 2832 cmd.exe 86 PID 2832 wrote to memory of 5064 2832 cmd.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\WebModuleBrowser.exe"C:\Users\Admin\AppData\Local\Temp\WebModuleBrowser.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\WebModuleBrowser.exe" org.develnext.jphp.ext.javafx.FXLauncher2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\system32\icacls.exeC:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M3⤵
- Modifies file permissions
PID:2416
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\d197583f953320069dba662e8567830f.bat3⤵
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath 'C:\'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5064
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
46B
MD519417f189b8d3c7e08fdf39a410f3c3e
SHA15c21eb00ba14200b0a7b3c204c4ae8402308dc16
SHA256680badea33b66a63accf019980939f73cdd688b6d5b95de14f28186763a3cc1f
SHA5124fdb047e83a609d47482e3b8cf931d272bbc54359cfa51282795f26747df9b108a765d07f4ea9b0a9989aecc04372f2da2af657e9098775038f2bd8dc7e222ff
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
144B
MD52cb6fa89d02caea13770b09371923222
SHA17c3510c55537601bfc3b12361a170057f4736e99
SHA25627291f25d8c4c13bcc25f0267ab7c5a369fe6bd752da89f1751ed6b3f614de81
SHA5128060273a0fc363cc9e2ec9edd56cebe66d381c9fcb2c62c4f25594e0ab7cb9ab9a50cf13e96a682ba9b8753ee276a04346ed43621a9d23aed92837acc13eba7c