Analysis
max time kernel: 144s
max time network: 147s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 15/10/2022, 10:59
Static task
static1

General
Target: d946ef83772061704929d211f7e0750e7ffaaa1fbb1b0668c5cde234591ff8db.exe
Size: 5.8MB
MD5: 889bd1a9dcd60031a788d796322d2070
SHA1: d00ff2bf3cf217be715b7639f99f5e8366ce82a6
SHA256: d946ef83772061704929d211f7e0750e7ffaaa1fbb1b0668c5cde234591ff8db
SHA512: ef6d6b19a8f19974739a0871a4128368913eb47529e84a790a1a27a93aa6876bf6a7c811fa9b0d8aeaf9f699b0656eb019f63b0eb67b86601772051c8b321356
SSDEEP: 49152:qnV9xajFe6iRyhJ3jkqQVSfWVXqASv1x1dKO/5t7WGiocfGJDcjQcy20RHrzKgiR:qnV9xtSjL+EnHOMz5ysZA5+bf6c
Malware Config
Signatures

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Program crash (10 IoCs)
All ten WerFault.exe instances report on the same target, PID 3836 (the sample itself). The sample kept running between crash reports: in the process tree it launches its wmic/cmd children after several WerFault instances have already appeared, so the faults did not terminate it.

pid   pid_target  Process       procid_target
4820  3836        WerFault.exe  65
60    3836        WerFault.exe  65
4832  3836        WerFault.exe  65
2440  3836        WerFault.exe  65
5104  3836        WerFault.exe  65
3384  3836        WerFault.exe  65
4020  3836        WerFault.exe  65
4840  3836        WerFault.exe  65
3928  3836        WerFault.exe  65
216   3836        WerFault.exe  65

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Every hit belongs to one of the two WMIC instances, and both adjust the same privilege list. That list is the set WMIC enables in its own token when it starts, so this signature reflects the behaviour of the WMIC utility the sample invoked, not privilege abuse by the sample's own code. Entries 33, 34, 35 and 36 are privilege LUIDs the report leaves unnamed; on Windows 10 these are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege.

description (Token: <privilege>)   pid   Process
PID 1432, wmic.exe: each of the following privileges adjusted twice (42 entries):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
PID 4344, WMIC.exe: the same 21 privileges once each, then SeIncreaseQuotaPrivilege a second time (22 entries)

Suspicious use of WriteProcessMemory (15 IoCs)
Each target is a child the writing process has just created (three entries per spawn), which matches the writes a parent performs into a new child's address space during process creation. There are no writes into pre-existing or unrelated processes, so this is not evidence of code injection.

description                           pid   Process                                                                 procid_target
PID 3836 wrote to memory of 1432 (x3)  3836  d946ef83772061704929d211f7e0750e7ffaaa1fbb1b0668c5cde234591ff8db.exe  73
PID 3836 wrote to memory of 3808 (x3)  3836  d946ef83772061704929d211f7e0750e7ffaaa1fbb1b0668c5cde234591ff8db.exe  79
PID 3808 wrote to memory of 4344 (x3)  3808  cmd.exe                                                                 81
PID 3836 wrote to memory of 4488 (x3)  3836  d946ef83772061704929d211f7e0750e7ffaaa1fbb1b0668c5cde234591ff8db.exe  82
PID 4488 wrote to memory of 1784 (x3)  4488  cmd.exe                                                                 84
Processes

The tree below lists image path, command line, PID and the signatures that fired for each process. Depth 1 is the submitted sample; depth 2 processes are its children; depth 3 processes are grandchildren launched through cmd.exe.

[1] C:\Users\Admin\AppData\Local\Temp\d946ef83772061704929d211f7e0750e7ffaaa1fbb1b0668c5cde234591ff8db.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d946ef83772061704929d211f7e0750e7ffaaa1fbb1b0668c5cde234591ff8db.exe"
    PID 3836 | Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 544
        PID 4820 | Program crash

    [2] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 548
        PID 60 | Program crash

    [2] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 580
        PID 4832 | Program crash

    [2] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 640
        PID 2440 | Program crash

    [2] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 748
        PID 5104 | Program crash

    [2] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 984
        PID 3384 | Program crash

    [2] C:\Windows\SysWOW64\Wbem\wmic.exe
        command line: wmic os get Caption
        PID 1432 | Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 1328
        PID 4020 | Program crash

    [2] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 1392
        PID 4840 | Program crash

    [2] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 1312
        PID 3928 | Program crash

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /C "wmic path win32_VideoController get name"
        PID 3808 | Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
            command line: wmic path win32_VideoController get name
            PID 4344 | Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /C "wmic cpu get name"
        PID 4488 | Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
            command line: wmic cpu get name
            PID 1784

    [2] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 312
        PID 216 | Program crash

The three WMI queries (OS caption, display adapter name, CPU name) are the values typically read to recognise a virtual machine or sandbox, where the adapter and CPU strings are characteristic of the hypervisor. Taken together with the browser and wallet file access, the behaviour is consistent with an infostealer that fingerprints its environment before deciding how to proceed.
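The process tree above is the kind of telemetry a detection rule would consume. The following is an added example of such a rule, written for this page and not taken from the tria.ge report or from the sample: it walks hand-built process-creation records (field names mimic Sysmon Event ID 1, values are copied from the tree above), attributes each WMIC query to the process that initiated it through any cmd /C wrappers, and flags a process that fingerprints the environment through two or more hardware/OS WMI classes or that is the target of repeated WerFault reports. The parent PID of the sample (0), the class list and the thresholds are this example's own assumptions.

```python
"""Flag WMI-based environment fingerprinting and repeated WerFault crash
reports in process-creation telemetry.

Added example; not code from the tria.ge report or from the sample. The event
records are constructed by hand from the report's process tree, with field
names that mimic Sysmon Event ID 1 (ProcessId, ParentProcessId, Image,
CommandLine). The parent of the sample is not shown in the report, so its ppid
is a placeholder 0; the class list and thresholds are this example's choices.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE = "d946ef83772061704929d211f7e0750e7ffaaa1fbb1b0668c5cde234591ff8db.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SYS = "C:\\Windows\\SysWOW64\\"

# Constructed from the report's process tree (not captured telemetry).
EVENTS = [
    {"pid": 3836, "ppid": 0,    "image": TEMP + SAMPLE,         "cmd": '"' + TEMP + SAMPLE + '"'},
    {"pid": 4820, "ppid": 3836, "image": SYS + "WerFault.exe",   "cmd": SYS + "WerFault.exe -u -p 3836 -s 544"},
    {"pid": 60,   "ppid": 3836, "image": SYS + "WerFault.exe",   "cmd": SYS + "WerFault.exe -u -p 3836 -s 548"},
    {"pid": 4832, "ppid": 3836, "image": SYS + "WerFault.exe",   "cmd": SYS + "WerFault.exe -u -p 3836 -s 580"},
    {"pid": 1432, "ppid": 3836, "image": SYS + "Wbem\\wmic.exe", "cmd": "wmic os get Caption"},
    {"pid": 3808, "ppid": 3836, "image": SYS + "cmd.exe",        "cmd": 'cmd /C "wmic path win32_VideoController get name"'},
    {"pid": 4344, "ppid": 3808, "image": SYS + "Wbem\\WMIC.exe", "cmd": "wmic path win32_VideoController get name"},
    {"pid": 4488, "ppid": 3836, "image": SYS + "cmd.exe",        "cmd": 'cmd /C "wmic cpu get name"'},
    {"pid": 1784, "ppid": 4488, "image": SYS + "Wbem\\WMIC.exe", "cmd": "wmic cpu get name"},
]

# WMI classes commonly read to fingerprint the host (VM/sandbox detection).
# Keys are lower-case for matching; values are the canonical class names.
FINGERPRINT_CLASSES = {
    "win32_operatingsystem": "Win32_OperatingSystem",
    "win32_processor": "Win32_Processor",
    "win32_videocontroller": "Win32_VideoController",
    "win32_computersystem": "Win32_ComputerSystem",
    "win32_bios": "Win32_BIOS",
    "win32_diskdrive": "Win32_DiskDrive",
}
# WMIC's built-in aliases for those classes, as used by "wmic os ..." etc.
WMIC_ALIASES = {
    "os": "win32_operatingsystem", "cpu": "win32_processor",
    "computersystem": "win32_computersystem", "bios": "win32_bios",
    "diskdrive": "win32_diskdrive",
}
# Either "wmic path <Win32_Class> ..." or "wmic <alias> ...".
WMIC_RE = re.compile(r'wmic(?:\.exe)?"?\s+(?:path\s+(?P<cls>win32_\w+)|(?P<alias>\w+))', re.I)
# WerFault's "-p <pid>" names the process being reported on.
WERFAULT_RE = re.compile(r"WerFault\.exe.*?\s-p\s+(\d+)", re.I)


def basename(image):
    return ntpath.basename(image).lower()


def wmi_class(cmd):
    """Canonical fingerprinting class queried by a WMIC command line, or None."""
    m = WMIC_RE.search(cmd)
    if not m:
        return None
    key = m.group("cls") or WMIC_ALIASES.get(m.group("alias").lower(), "")
    return FINGERPRINT_CLASSES.get(key.lower())


def responsible(pid, by_pid):
    """PID that initiated a query: the nearest ancestor that is not a cmd.exe
    wrapper (the sample runs two of its queries through cmd /C)."""
    ev = by_pid.get(pid)
    if ev is None:
        return None
    parent = by_pid.get(ev["ppid"])
    while parent and basename(parent["image"]) == "cmd.exe" and parent["ppid"] in by_pid:
        parent = by_pid[parent["ppid"]]
    return parent["pid"] if parent else ev["ppid"]


def analyze(events, min_classes=2, min_crashes=3):
    """Return {'wmi_fingerprinting': {pid: [classes]}, 'repeated_crashes': {pid: n}}."""
    by_pid = {e["pid"]: e for e in events}
    queried = defaultdict(set)   # initiating pid -> set of fingerprint classes
    crashes = defaultdict(int)   # reported pid -> number of WerFault instances
    for e in events:
        name = basename(e["image"])
        if name == "wmic.exe":
            cls = wmi_class(e["cmd"])
            if cls:
                queried[responsible(e["pid"], by_pid)].add(cls)
        elif name == "werfault.exe":
            m = WERFAULT_RE.search(e["cmd"])
            if m:
                crashes[int(m.group(1))] += 1
    return {
        "wmi_fingerprinting": {p: sorted(c) for p, c in queried.items() if len(c) >= min_classes},
        "repeated_crashes": {p: n for p, n in crashes.items() if n >= min_crashes},
    }


if __name__ == "__main__":
    for kind, hits in analyze(EVENTS).items():
        for pid, detail in hits.items():
            print(f"{kind}: pid {pid} -> {detail}")
```

With the constructed records the fingerprinting rule attributes all three queries to PID 3836 even though two of them were launched via cmd.exe, which is the point of the ancestor walk: rules that key only on the direct parent of WMIC.exe would see cmd.exe and lose the link to the sample.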