Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
15/07/2022, 09:29
220715-lgbmgaacf2 1015/07/2022, 09:19
220715-lam2xsacc7 707/07/2020, 10:05
200707-ynncrekztj 10Analysis
-
max time kernel
139s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
15/07/2022, 09:19
Static task
static1
Behavioral task
behavioral1
Sample
Genauto order.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
Genauto order.exe
Resource
win10v2004-20220414-en
General
-
Target
Genauto order.exe
-
Size
556KB
-
MD5
7d88edcbb610c519bafff302f31b5221
-
SHA1
bd95fbb0de8df563316a4559cee53a1bce1c97fb
-
SHA256
f8e17a185cddadfc5bb32941edbb87428cc13c1d2244695f03a69ed511d9a8f5
-
SHA512
0f0d5fe3c4a68337f764f8d5be96fb340400271aa783c9db268993e89c1d9d8867525cccff80df9aa7b1e610effbe4a2aaa1a3b6a6f54e00df04e7ba8817d3d9
Malware Config
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Genauto order.exe Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Genauto order.exe Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Genauto order.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1360 Genauto order.exe 1360 Genauto order.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1360 Genauto order.exe -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Genauto order.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Genauto order.exe