Analysis
- max time kernel: 137s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220331-en
- submitted: 14/04/2022, 12:04
Static task
- static1

Behavioral task
- behavioral1
  Sample: 95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
  Resource: win7-20220414-en

Behavioral task
- behavioral2
  Sample: 95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
  Resource: win10v2004-20220331-en
General
- Target: 95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
- Size: 7.9MB
- MD5: 66eeed112f302db2ee39e58cf6eb0c2e
- SHA1: 7f614ccb6d175a343be4e9d18787f723e4a25e76
- SHA256: 95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00
- SHA512: 2009a6e680d208759cccef72ab3000e232eb323befe6217960eba42b53765e7df2833be36bd8a6fd0dd33c54624d49a8a1f49ad73f27ec8a92924b5bb43d7280
Malware Config
Signatures
- Meta Stealer (Stealer)
  Meta Stealer steals passwords stored in browsers, written in C++.
- Executes dropped EXE (2 IoCs)
  pid   Process
  3412  TechSuiteUpdater.exe
  2544  95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                             Process
  Key value queried  \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation  95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation  TechSuiteUpdater.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings (4 IoCs)
  description      ioc                                                                                                                                     Process
  Key created      \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\IESettingSync                          95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"  95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
  Key created      \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch                     95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid   Process
  3448  95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
  3448  95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
  3412  TechSuiteUpdater.exe
  3412  TechSuiteUpdater.exe
  3412  TechSuiteUpdater.exe
  3412  TechSuiteUpdater.exe
  3412  TechSuiteUpdater.exe
  2544  95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
  2544  95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  3448  95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
  Token: SeDebugPrivilege  3412  TechSuiteUpdater.exe
  Token: SeDebugPrivilege  2544  95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2544  95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
  2544  95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 3448 wrote to memory of 3412  3448  95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe  92
  PID 3448 wrote to memory of 3412  3448  95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe  92
  PID 3412 wrote to memory of 2544  3412  TechSuiteUpdater.exe                                                    96
  PID 3412 wrote to memory of 2544  3412  TechSuiteUpdater.exe                                                    96
Processes
- C:\Users\Admin\AppData\Local\Temp\95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3448
  - C:\Users\Admin\AppData\Local\Temp\TechSuiteUpdater.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TechSuiteUpdater.exe" 1.0.7.0 3448 95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe False
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3412
    - C:\Users\Admin\AppData\Local\Temp\95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe"
      - Executes dropped EXE
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 2544
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\95d8491c3c3373ebea7ce7377c9f370282bc6a5241bdb4ebab524b39e49d6c00.exe
  Filesize: 10.4MB
  MD5: 2ae302b589c44c3d0f675d34daf0e5c5
  SHA1: a0875a2fad02a83cd3522737aff202dccd40d9c9
  SHA256: 620f5dc2875abb745d3660b17ff6b3c344ead9f08e4729dab20b7d9b6582649f
  SHA512: aff2f9fa2b8def6136e033fad512a14c5a11c1daab335180f60bc2bb709a57103ebd4ecb32f74da1a351c755806ac841daa01fa41585a71552bae7d0ac3cbaa9
- Filesize: 1.5MB
  MD5: 46adfcab1b505e4045615a60946b3e90
  SHA1: 99b36a6acc75118b98b7969daa9e6b818354f2e1
  SHA256: 10c818e4fa3c9d50c5af50644762e5136db7ab0d5550d84f2e2e648f38f723d2
  SHA512: fbee21ae626c102978350a3bc7cd3c8ec8519641c3fb7cf03feba3c5327fd7fbd37a3f141babd07bf834c01c53d31828f27d4da3fb2dc1ab5a10e48f38892623
- Filesize: 708B
  MD5: e64585e1903c3e83980be22939b7ec10
  SHA1: 2db883bb0aefedde4a722bb6f3f978b4abed6c94
  SHA256: 1c276a34568174d147540a7e53a955a1fd7356ceb7ea1c89d48c628844b824ae
  SHA512: 5adb5be80a643596d3e1a18d9ffd5dfbb83c63b2ead7121053c671bb1b01a41ded0510107303db631fcbdc911abf2b2ebd3a7f0445775c1f94b01d4b84651895