Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    10/07/2020, 07:07

General

  • Target

    034c7d8fabacc35fd6312cf438124340.exe

  • Size

    1004KB

  • MD5

    034c7d8fabacc35fd6312cf438124340

  • SHA1

    e3bdb12270794012fd7fbb79637fc43119751f40

  • SHA256

    95129ce014d0264688c32aaddf7707ec591f6be1335f5cd67b44e9983b61da9b

  • SHA512

    957c6a136319b5360dd05e1c3f7f580a7601c6a8c39071268f17a4cc00a6d560db4233f0b96a65357fe6c369e434d7c173849028db31aa7f57b32e50e268ee2d

Malware Config

Signatures

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies control panel 1 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks whether UAC is enabled 1 IoCs
  • Modifies registry class 113 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Checks for installed software on the system 1 TTPs 29 IoCs
  • Kills process with taskkill 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Program crash 1 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Modifies system certificate store 2 TTPs 5 IoCs
  • Drops file in Windows directory 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\034c7d8fabacc35fd6312cf438124340.exe
    "C:\Users\Admin\AppData\Local\Temp\034c7d8fabacc35fd6312cf438124340.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    • Checks for installed software on the system
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Modifies system certificate store
    PID:3008
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C taskkill /F /PID 3008 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\034c7d8fabacc35fd6312cf438124340.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2152
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /PID 3008
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2616
      • C:\Windows\SysWOW64\choice.exe
        choice /C Y /N /D Y /T 3
        3⤵
          PID:2720
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      • Modifies Internet Explorer settings
      • Modifies control panel
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Drops file in Windows directory
      PID:1632
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 1632 -s 3480
        2⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • Program crash
        PID:1732
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      PID:1824

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1732-1-0x00000157D1030000-0x00000157D1031000-memory.dmp

      Filesize

      4KB

    • memory/1732-2-0x00000157D1030000-0x00000157D1031000-memory.dmp

      Filesize

      4KB

    • memory/1732-4-0x00000157D1EA0000-0x00000157D1EA1000-memory.dmp

      Filesize

      4KB

    • memory/1732-7-0x00000157D1F90000-0x00000157D1F91000-memory.dmp

      Filesize

      4KB

    • memory/1732-8-0x00000157CF390000-0x00000157CF391000-memory.dmp

      Filesize

      4KB

    • memory/1732-9-0x00000157CF3A0000-0x00000157CF3A1000-memory.dmp

      Filesize

      4KB