Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
91s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
04/10/2022, 06:44
Static task
static1
General
-
Target
311c143bb078f4254a9071f718b1211a526e986dd029fbcbd18899e43283741f.exe
-
Size
4.7MB
-
MD5
dfadea302af88aa95c5e46d9c64b762a
-
SHA1
80f2a167f8933a0363139ae02934c2e9f72c3779
-
SHA256
311c143bb078f4254a9071f718b1211a526e986dd029fbcbd18899e43283741f
-
SHA512
09292d20377bb68c5a8ac4ed977feb66ccbf7034f545c9fa64ef90ff55624cd6752da2f3a84e4326ef165ea6a6a8607605256563f6dd9bd50265de951a75b3f5
-
SSDEEP
98304:bLAcpKO+6PbFmS3VjVEOeTtJaAbLECnrZXJT7:b/bFmS3VjVEOeTtJHbdnrz7
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Program crash 9 IoCs
pid pid_target Process procid_target 1248 680 WerFault.exe 81 1456 680 WerFault.exe 81 3308 680 WerFault.exe 81 1868 680 WerFault.exe 81 2420 680 WerFault.exe 81 1652 680 WerFault.exe 81 228 680 WerFault.exe 81 1244 680 WerFault.exe 81 2932 680 WerFault.exe 81 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1644 wmic.exe Token: SeSecurityPrivilege 1644 wmic.exe Token: SeTakeOwnershipPrivilege 1644 wmic.exe Token: SeLoadDriverPrivilege 1644 wmic.exe Token: SeSystemProfilePrivilege 1644 wmic.exe Token: SeSystemtimePrivilege 1644 wmic.exe Token: SeProfSingleProcessPrivilege 1644 wmic.exe Token: SeIncBasePriorityPrivilege 1644 wmic.exe Token: SeCreatePagefilePrivilege 1644 wmic.exe Token: SeBackupPrivilege 1644 wmic.exe Token: SeRestorePrivilege 1644 wmic.exe Token: SeShutdownPrivilege 1644 wmic.exe Token: SeDebugPrivilege 1644 wmic.exe Token: SeSystemEnvironmentPrivilege 1644 wmic.exe Token: SeRemoteShutdownPrivilege 1644 wmic.exe Token: SeUndockPrivilege 1644 wmic.exe Token: SeManageVolumePrivilege 1644 wmic.exe Token: 33 1644 wmic.exe Token: 34 1644 wmic.exe Token: 35 1644 wmic.exe Token: 36 1644 wmic.exe Token: SeIncreaseQuotaPrivilege 1644 wmic.exe Token: SeSecurityPrivilege 1644 wmic.exe Token: SeTakeOwnershipPrivilege 1644 wmic.exe Token: SeLoadDriverPrivilege 1644 wmic.exe Token: SeSystemProfilePrivilege 1644 wmic.exe Token: SeSystemtimePrivilege 1644 wmic.exe Token: SeProfSingleProcessPrivilege 1644 wmic.exe Token: SeIncBasePriorityPrivilege 1644 wmic.exe Token: SeCreatePagefilePrivilege 1644 wmic.exe Token: SeBackupPrivilege 1644 wmic.exe Token: SeRestorePrivilege 1644 wmic.exe Token: SeShutdownPrivilege 1644 wmic.exe Token: SeDebugPrivilege 1644 wmic.exe Token: SeSystemEnvironmentPrivilege 1644 wmic.exe Token: SeRemoteShutdownPrivilege 1644 wmic.exe Token: SeUndockPrivilege 1644 wmic.exe Token: SeManageVolumePrivilege 1644 wmic.exe Token: 33 1644 wmic.exe Token: 34 1644 wmic.exe Token: 35 1644 wmic.exe Token: 36 1644 wmic.exe Token: SeIncreaseQuotaPrivilege 3208 WMIC.exe Token: SeSecurityPrivilege 3208 WMIC.exe Token: SeTakeOwnershipPrivilege 3208 WMIC.exe Token: SeLoadDriverPrivilege 3208 WMIC.exe Token: SeSystemProfilePrivilege 3208 WMIC.exe Token: SeSystemtimePrivilege 3208 WMIC.exe Token: SeProfSingleProcessPrivilege 3208 WMIC.exe Token: SeIncBasePriorityPrivilege 3208 WMIC.exe Token: SeCreatePagefilePrivilege 3208 WMIC.exe Token: SeBackupPrivilege 3208 WMIC.exe Token: SeRestorePrivilege 3208 WMIC.exe Token: SeShutdownPrivilege 3208 WMIC.exe Token: SeDebugPrivilege 3208 WMIC.exe Token: SeSystemEnvironmentPrivilege 3208 WMIC.exe Token: SeRemoteShutdownPrivilege 3208 WMIC.exe Token: SeUndockPrivilege 3208 WMIC.exe Token: SeManageVolumePrivilege 3208 WMIC.exe Token: 33 3208 WMIC.exe Token: 34 3208 WMIC.exe Token: 35 3208 WMIC.exe Token: 36 3208 WMIC.exe Token: SeIncreaseQuotaPrivilege 3208 WMIC.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 680 wrote to memory of 1644 680 311c143bb078f4254a9071f718b1211a526e986dd029fbcbd18899e43283741f.exe 94 PID 680 wrote to memory of 1644 680 311c143bb078f4254a9071f718b1211a526e986dd029fbcbd18899e43283741f.exe 94 PID 680 wrote to memory of 1644 680 311c143bb078f4254a9071f718b1211a526e986dd029fbcbd18899e43283741f.exe 94 PID 680 wrote to memory of 3516 680 311c143bb078f4254a9071f718b1211a526e986dd029fbcbd18899e43283741f.exe 101 PID 680 wrote to memory of 3516 680 311c143bb078f4254a9071f718b1211a526e986dd029fbcbd18899e43283741f.exe 101 PID 680 wrote to memory of 3516 680 311c143bb078f4254a9071f718b1211a526e986dd029fbcbd18899e43283741f.exe 101 PID 3516 wrote to memory of 3208 3516 cmd.exe 103 PID 3516 wrote to memory of 3208 3516 cmd.exe 103 PID 3516 wrote to memory of 3208 3516 cmd.exe 103 PID 680 wrote to memory of 3160 680 311c143bb078f4254a9071f718b1211a526e986dd029fbcbd18899e43283741f.exe 104 PID 680 wrote to memory of 3160 680 311c143bb078f4254a9071f718b1211a526e986dd029fbcbd18899e43283741f.exe 104 PID 680 wrote to memory of 3160 680 311c143bb078f4254a9071f718b1211a526e986dd029fbcbd18899e43283741f.exe 104 PID 3160 wrote to memory of 3464 3160 cmd.exe 106 PID 3160 wrote to memory of 3464 3160 cmd.exe 106 PID 3160 wrote to memory of 3464 3160 cmd.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\311c143bb078f4254a9071f718b1211a526e986dd029fbcbd18899e43283741f.exe"C:\Users\Admin\AppData\Local\Temp\311c143bb078f4254a9071f718b1211a526e986dd029fbcbd18899e43283741f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:680 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 5362⤵
- Program crash
PID:1248
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 5602⤵
- Program crash
PID:1456
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 5402⤵
- Program crash
PID:3308
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 6442⤵
- Program crash
PID:1868
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 7602⤵
- Program crash
PID:2420
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 8442⤵
- Program crash
PID:1652
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic os get Caption2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1644
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 13042⤵
- Program crash
PID:228
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 13602⤵
- Program crash
PID:1244
-
-
C:\Windows\SysWOW64\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
- Suspicious use of WriteProcessMemory
PID:3516 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3208
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C "wmic cpu get name"2⤵
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic cpu get name3⤵PID:3464
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 1402⤵
- Program crash
PID:2932
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 680 -ip 6801⤵PID:3232
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 680 -ip 6801⤵PID:3440
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 680 -ip 6801⤵PID:3448
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 680 -ip 6801⤵PID:3408
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 680 -ip 6801⤵PID:4820
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 680 -ip 6801⤵PID:2360
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 680 -ip 6801⤵PID:1356
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 680 -ip 6801⤵PID:476
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 680 -ip 6801⤵PID:4844