Analysis
  max time kernel:  55s
  max time network: 130s
  platform:         windows10-2004_x64
  resource:         win10v2004-20220812-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        04/10/2022, 01:51
Static task
  static1
General
  Target: 55ff82f3444fbd3cdea8970cb57ba87f65adcd84a27330c9788d671775a725bd.exe
  Size:   4.7MB
  MD5:    95b3db782cd79a1b4f92f8b493351630
  SHA1:   493a19b8ebbb70b4a20022a6843af9b782c28737
  SHA256: 55ff82f3444fbd3cdea8970cb57ba87f65adcd84a27330c9788d671775a725bd
  SHA512: 0187dbfda9268224e3f2545d87a452335ca479b8dab000c38675aebb84c04e686595cf5a2b06fa73cbc6a89af340b8c8e049fe1622fa47d48789dfbae98edff4
  SSDEEP: 98304:bLAQpKO+6PbFmS3VjVEOeTtJaAbLECnrZXJT7:bLbFmS3VjVEOeTtJHbdnrz7
Malware Config
Signatures

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Program crash (9 IoCs)
  pid   pid_target  Process       procid_target
  1224  4740        WerFault.exe  81
  4196  4740        WerFault.exe  81
  3540  4740        WerFault.exe  81
  1492  4740        WerFault.exe  81
  1052  4740        WerFault.exe  81
  3100  4740        WerFault.exe  81
  1396  4740        WerFault.exe  81
  1152  4740        WerFault.exe  81
  5088  4740        WerFault.exe  81

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                            pid   Process
  Token: SeIncreaseQuotaPrivilege        116   wmic.exe
  Token: SeSecurityPrivilege             116   wmic.exe
  Token: SeTakeOwnershipPrivilege        116   wmic.exe
  Token: SeLoadDriverPrivilege           116   wmic.exe
  Token: SeSystemProfilePrivilege        116   wmic.exe
  Token: SeSystemtimePrivilege           116   wmic.exe
  Token: SeProfSingleProcessPrivilege    116   wmic.exe
  Token: SeIncBasePriorityPrivilege      116   wmic.exe
  Token: SeCreatePagefilePrivilege       116   wmic.exe
  Token: SeBackupPrivilege               116   wmic.exe
  Token: SeRestorePrivilege              116   wmic.exe
  Token: SeShutdownPrivilege             116   wmic.exe
  Token: SeDebugPrivilege                116   wmic.exe
  Token: SeSystemEnvironmentPrivilege    116   wmic.exe
  Token: SeRemoteShutdownPrivilege       116   wmic.exe
  Token: SeUndockPrivilege               116   wmic.exe
  Token: SeManageVolumePrivilege         116   wmic.exe
  Token: 33                              116   wmic.exe
  Token: 34                              116   wmic.exe
  Token: 35                              116   wmic.exe
  Token: 36                              116   wmic.exe
  Token: SeIncreaseQuotaPrivilege        116   wmic.exe
  Token: SeSecurityPrivilege             116   wmic.exe
  Token: SeTakeOwnershipPrivilege        116   wmic.exe
  Token: SeLoadDriverPrivilege           116   wmic.exe
  Token: SeSystemProfilePrivilege        116   wmic.exe
  Token: SeSystemtimePrivilege           116   wmic.exe
  Token: SeProfSingleProcessPrivilege    116   wmic.exe
  Token: SeIncBasePriorityPrivilege      116   wmic.exe
  Token: SeCreatePagefilePrivilege       116   wmic.exe
  Token: SeBackupPrivilege               116   wmic.exe
  Token: SeRestorePrivilege              116   wmic.exe
  Token: SeShutdownPrivilege             116   wmic.exe
  Token: SeDebugPrivilege                116   wmic.exe
  Token: SeSystemEnvironmentPrivilege    116   wmic.exe
  Token: SeRemoteShutdownPrivilege       116   wmic.exe
  Token: SeUndockPrivilege               116   wmic.exe
  Token: SeManageVolumePrivilege         116   wmic.exe
  Token: 33                              116   wmic.exe
  Token: 34                              116   wmic.exe
  Token: 35                              116   wmic.exe
  Token: 36                              116   wmic.exe
  Token: SeIncreaseQuotaPrivilege        2216  WMIC.exe
  Token: SeSecurityPrivilege             2216  WMIC.exe
  Token: SeTakeOwnershipPrivilege        2216  WMIC.exe
  Token: SeLoadDriverPrivilege           2216  WMIC.exe
  Token: SeSystemProfilePrivilege        2216  WMIC.exe
  Token: SeSystemtimePrivilege           2216  WMIC.exe
  Token: SeProfSingleProcessPrivilege    2216  WMIC.exe
  Token: SeIncBasePriorityPrivilege      2216  WMIC.exe
  Token: SeCreatePagefilePrivilege       2216  WMIC.exe
  Token: SeBackupPrivilege               2216  WMIC.exe
  Token: SeRestorePrivilege              2216  WMIC.exe
  Token: SeShutdownPrivilege             2216  WMIC.exe
  Token: SeDebugPrivilege                2216  WMIC.exe
  Token: SeSystemEnvironmentPrivilege    2216  WMIC.exe
  Token: SeRemoteShutdownPrivilege       2216  WMIC.exe
  Token: SeUndockPrivilege               2216  WMIC.exe
  Token: SeManageVolumePrivilege         2216  WMIC.exe
  Token: 33                              2216  WMIC.exe
  Token: 34                              2216  WMIC.exe
  Token: 35                              2216  WMIC.exe
  Token: 36                              2216  WMIC.exe
  Token: SeIncreaseQuotaPrivilege        2216  WMIC.exe

- Suspicious use of WriteProcessMemory (15 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 4740 wrote to memory of 116    4740  55ff82f3444fbd3cdea8970cb57ba87f65adcd84a27330c9788d671775a725bd.exe     97
  PID 4740 wrote to memory of 116    4740  55ff82f3444fbd3cdea8970cb57ba87f65adcd84a27330c9788d671775a725bd.exe     97
  PID 4740 wrote to memory of 116    4740  55ff82f3444fbd3cdea8970cb57ba87f65adcd84a27330c9788d671775a725bd.exe     97
  PID 4740 wrote to memory of 4244   4740  55ff82f3444fbd3cdea8970cb57ba87f65adcd84a27330c9788d671775a725bd.exe     106
  PID 4740 wrote to memory of 4244   4740  55ff82f3444fbd3cdea8970cb57ba87f65adcd84a27330c9788d671775a725bd.exe     106
  PID 4740 wrote to memory of 4244   4740  55ff82f3444fbd3cdea8970cb57ba87f65adcd84a27330c9788d671775a725bd.exe     106
  PID 4244 wrote to memory of 2216   4244  cmd.exe                                                                   108
  PID 4244 wrote to memory of 2216   4244  cmd.exe                                                                   108
  PID 4244 wrote to memory of 2216   4244  cmd.exe                                                                   108
  PID 4740 wrote to memory of 3204   4740  55ff82f3444fbd3cdea8970cb57ba87f65adcd84a27330c9788d671775a725bd.exe     109
  PID 4740 wrote to memory of 3204   4740  55ff82f3444fbd3cdea8970cb57ba87f65adcd84a27330c9788d671775a725bd.exe     109
  PID 4740 wrote to memory of 3204   4740  55ff82f3444fbd3cdea8970cb57ba87f65adcd84a27330c9788d671775a725bd.exe     109
  PID 3204 wrote to memory of 2660   3204  cmd.exe                                                                   111
  PID 3204 wrote to memory of 2660   3204  cmd.exe                                                                   111
  PID 3204 wrote to memory of 2660   3204  cmd.exe                                                                   111
Processes (process tree; indentation shows parent/child depth, PID and triggered signatures in brackets)

- C:\Users\Admin\AppData\Local\Temp\55ff82f3444fbd3cdea8970cb57ba87f65adcd84a27330c9788d671775a725bd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\55ff82f3444fbd3cdea8970cb57ba87f65adcd84a27330c9788d671775a725bd.exe"
  [PID:4740] [Suspicious use of WriteProcessMemory]
    - C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 536   [PID:1224] [Program crash]
    - C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 560   [PID:4196] [Program crash]
    - C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 540   [PID:3540] [Program crash]
    - C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 616   [PID:1492] [Program crash]
    - C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 636   [PID:1052] [Program crash]
    - C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 812   [PID:3100] [Program crash]
    - C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 1292  [PID:1396] [Program crash]
    - C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic os get Caption
      [PID:116] [Suspicious use of AdjustPrivilegeToken]
    - C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 1328  [PID:1152] [Program crash]
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /C "wmic path win32_VideoController get name"
      [PID:4244] [Suspicious use of WriteProcessMemory]
        - C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic path win32_VideoController get name
          [PID:2216] [Suspicious use of AdjustPrivilegeToken]
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /C "wmic cpu get name"
      [PID:3204] [Suspicious use of WriteProcessMemory]
        - C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic cpu get name
          [PID:2660]
    - C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 140   [PID:5088] [Program crash]

- C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4740 -ip 4740  [PID:1136]
- C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4740 -ip 4740  [PID:4804]
- C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4740 -ip 4740  [PID:1312]
- C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4740 -ip 4740  [PID:1508]
- C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4740 -ip 4740  [PID:2208]
- C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4740 -ip 4740  [PID:4224]
- C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4740 -ip 4740  [PID:2420]
- C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4740 -ip 4740  [PID:1244]
- C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4740 -ip 4740  [PID:4444]