Analysis
- max time kernel: 91s
- max time network: 131s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/10/2022, 17:52
Static task
static1
General
- Target: 1c8942c24ee91360149cb82f2173a9d9620a348fda245fe3eb0204df897b26fe.exe
- Size: 4.7MB
- MD5: d0e8bcab53a6560a47ec7023e81678aa
- SHA1: 761567e513b36270d64cbc7857321f1993b967dc
- SHA256: 1c8942c24ee91360149cb82f2173a9d9620a348fda245fe3eb0204df897b26fe
- SHA512: 425d95a71ad1e8614635a444f8d0aa0db52faebc526cac756513277fb28e35d89bdd2664023e7ac2590a7c5213dba2d00bc05fa83ef0a5d07694f0f12bf79f7e
- SSDEEP: 98304:06BpKO+6PbFmS3VjVEOeTtJaAbLECnrZXJT7:06bFmS3VjVEOeTtJHbdnrz7
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Program crash (9 IoCs)
  pid   pid_target  Process       procid_target
  1484  2140        WerFault.exe  81
  4984  2140        WerFault.exe  81
  3480  2140        WerFault.exe  81
  3628  2140        WerFault.exe  81
  1312  2140        WerFault.exe  81
  4244  2140        WerFault.exe  81
  1404  2140        WerFault.exe  81
  3780  2140        WerFault.exe  81
  2536  2140        WerFault.exe  81
  All nine Windows Error Reporting instances report on the same target, PID 2140, which is the sample itself: the sample faulted repeatedly during the run but kept executing.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Two WMIC processes enabled the same set of 21 privileges in their own tokens:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and the privilege LUIDs 33, 34, 35 and 36, which the report leaves unnamed (in the standard Windows numbering these are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege).
  pid   Process   occurrences
  2956  wmic.exe  the full list twice (42 entries)
  3496  WMIC.exe  the full list once, plus a second SeIncreaseQuotaPrivilege (22 entries)
  Caveat: wmic.exe enables every privilege present in its token when it starts, so this signature is a by-product of the WMI queries visible in the process tree rather than a privilege manipulation carried out by the sample's own code. Treat it as corroboration of the WMIC activity, not as an independent finding.
- Suspicious use of WriteProcessMemory (15 IoCs)
  Each parent/child pair below was recorded three times, giving the 15 entries.
  pid   pid_target  Process                                                                 procid_target
  2140  2956        1c8942c24ee91360149cb82f2173a9d9620a348fda245fe3eb0204df897b26fe.exe  95
  2140  3828        1c8942c24ee91360149cb82f2173a9d9620a348fda245fe3eb0204df897b26fe.exe  101
  3828  3496        cmd.exe                                                                 103
  2140  212         1c8942c24ee91360149cb82f2173a9d9620a348fda245fe3eb0204df897b26fe.exe  104
  212   3956        cmd.exe                                                                 106
  Caveat: every write targets a process that the writer itself had just spawned (compare the process tree), which is consistent with ordinary process creation on this platform rather than with injection into an unrelated process. The signature does not by itself show code injection.
Processes
Nested bullets show parent/child depth. Each entry gives the image path, the command line, the PID and the signatures that process triggered.

- image: C:\Users\Admin\AppData\Local\Temp\1c8942c24ee91360149cb82f2173a9d9620a348fda245fe3eb0204df897b26fe.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\1c8942c24ee91360149cb82f2173a9d9620a348fda245fe3eb0204df897b26fe.exe"
  PID 2140 | Suspicious use of WriteProcessMemory
  - image: C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 544
    PID 1484 | Program crash
  - image: C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 552
    PID 4984 | Program crash
  - image: C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 556
    PID 3480 | Program crash
  - image: C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 644
    PID 3628 | Program crash
  - image: C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 760
    PID 1312 | Program crash
  - image: C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 792
    PID 4244 | Program crash
  - image: C:\Windows\SysWOW64\Wbem\wmic.exe
    cmdline: wmic os get Caption
    PID 2956 | Suspicious use of AdjustPrivilegeToken
  - image: C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 1296
    PID 1404 | Program crash
  - image: C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 1352
    PID 3780 | Program crash
  - image: C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /C "wmic path win32_VideoController get name"
    PID 3828 | Suspicious use of WriteProcessMemory
    - image: C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic path win32_VideoController get name
      PID 3496 | Suspicious use of AdjustPrivilegeToken
  - image: C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /C "wmic cpu get name"
    PID 212 | Suspicious use of WriteProcessMemory
    - image: C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic cpu get name
      PID 3956
  - image: C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 140
    PID 2536 | Program crash
- image: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2140 -ip 2140
  PID 4628
- image: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2140 -ip 2140
  PID 5072
- image: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2140 -ip 2140
  PID 5028
- image: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2140 -ip 2140
  PID 4932
- image: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2140 -ip 2140
  PID 2236
- image: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2140 -ip 2140
  PID 4188
- image: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2140 -ip 2140
  PID 420
- image: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2140 -ip 2140
  PID 1588
- image: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2140 -ip 2140
  PID 4220

Reading the tree: the WerFault.exe children with "-u -p 2140 -s N" are Windows Error Reporting handling user-mode faults in PID 2140 (the sample); the top-level "-pss ... -p 2140 -ip 2140" instances belong to the same reporting infrastructure, are started by the WER service rather than by the sample (hence no parent here), and also reference PID 2140. Stripping those out, the sample's only observed child activity is three WMI queries, run directly (wmic os get Caption) or through a cmd /C wrapper (win32_VideoController name, cpu name), which enumerate the OS edition, graphics adapter and processor of the host.
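The three WMIC queries in the tree (OS caption, video controller name, CPU name, two of them launched through cmd /C) are a common host-fingerprinting sequence, also used by malware to recognise virtualised analysis environments. The following is an added example, not code from the Triage report or from the sample, of how to pull that pattern out of process-creation telemetry: it walks each wmic.exe back through cmd.exe wrappers to the process that actually issued the query, normalises WMIC class aliases, and flags any originating process that queried two or more classes from a fingerprinting set. The events are constructed from the tree above (PIDs, images and command lines as shown there; PID 1000 and the two trailing records are invented benign context), and the field names pid, ppid, image and cmdline, the class set and the threshold are assumptions for this example.

```python
import re
from collections import defaultdict

# WMIC accepts friendly aliases for common classes; map them to the Win32_ class
# so "wmic os get Caption" and "wmic path win32_operatingsystem get Caption" match alike.
WMIC_ALIASES = {
    "os": "win32_operatingsystem",
    "cpu": "win32_processor",
    "bios": "win32_bios",
    "computersystem": "win32_computersystem",
    "diskdrive": "win32_diskdrive",
}

# Classes whose enumeration characterises the host (OS, CPU, GPU, firmware, chassis,
# disks). This set is an assumption for the example; tune it to your environment.
FINGERPRINT_CLASSES = {
    "win32_operatingsystem", "win32_processor", "win32_videocontroller",
    "win32_bios", "win32_computersystem", "win32_diskdrive",
}

# Matches "wmic [path] <class> get <props>" anywhere in a command line, including
# inside a cmd /C "..." wrapper. \w covers the underscore in Win32_ class names.
WMIC_QUERY = re.compile(r"wmic(?:\.exe)?\s+(?:path\s+)?(\w+)\s+get\s+[\w,]+", re.I)


def parse_wmic_query(cmdline):
    """Return the canonical, lower-cased WMI class a wmic command line queries, or None."""
    m = WMIC_QUERY.search(cmdline)
    if not m:
        return None
    cls = m.group(1).lower()
    return WMIC_ALIASES.get(cls, cls)


def originating_process(pid, parents, images):
    """Walk up through cmd.exe wrappers to the process that really issued the query."""
    while images.get(pid, "").lower().endswith("\\cmd.exe") and pid in parents:
        pid = parents[pid]
    return pid


def find_wmi_fingerprinting(events, min_distinct=2):
    """Group fingerprinting WMI queries by the process that originated them.

    events: process-creation records with pid, ppid, image and cmdline.
    Returns {originating_pid: sorted class list} for processes that queried at
    least min_distinct distinct fingerprinting classes; a single inventory query
    is too common in benign administration to alert on by itself.
    """
    parents = {e["pid"]: e["ppid"] for e in events}
    images = {e["pid"]: e["image"] for e in events}
    seen = defaultdict(set)
    for e in events:
        if not e["image"].lower().endswith("\\wmic.exe"):
            continue
        cls = parse_wmic_query(e["cmdline"])
        if cls in FINGERPRINT_CLASSES:
            seen[originating_process(e["ppid"], parents, images)].add(cls)
    return {pid: sorted(c) for pid, c in seen.items() if len(c) >= min_distinct}


# Constructed events modelled on the report's process tree. PID 1000 and the last
# two records (an admin shell running one inventory query) are invented context.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1c8942c24ee91360149cb82f2173a9d9620a348fda245fe3eb0204df897b26fe.exe"
EVENTS = [
    {"pid": 2140, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2956, "ppid": 2140, "image": r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     "cmdline": "wmic os get Caption"},
    {"pid": 3828, "ppid": 2140, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": 'cmd /C "wmic path win32_VideoController get name"'},
    {"pid": 3496, "ppid": 3828, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmdline": "wmic path win32_VideoController get name"},
    {"pid": 212, "ppid": 2140, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": 'cmd /C "wmic cpu get name"'},
    {"pid": 3956, "ppid": 212, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmdline": "wmic cpu get name"},
    {"pid": 7000, "ppid": 6000, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 7001, "ppid": 7000, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic bios get serialnumber"},
]

if __name__ == "__main__":
    for pid, classes in find_wmi_fingerprinting(EVENTS).items():
        print(f"PID {pid} fingerprinted the host via WMI: {', '.join(classes)}")
```

Run against the constructed events, the rule attributes all three queries to PID 2140 and ignores the lone BIOS query from the admin shell. Two caveats for production use: attribution through cmd.exe relies on parent PIDs from the same telemetry source, so it breaks if the intermediate cmd.exe creation event is missing; and wmic.exe is deprecated in current Windows releases, so equivalent Get-CimInstance or Get-WmiObject calls from PowerShell need a sibling rule of their own.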