Analysis
  max time kernel:   91s
  max time network:  93s
  platform:          windows10-1703_x64
  resource:          win10-20220812-en
  resource tags:     arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
  submitted:         16/10/2022, 10:31
  static task:       static1
General
  Target:  f1d662128e72fad0967b8f5b36675729ea2e8133e8d86cc50b1683475675e2ec.exe
  Size:    5.8MB
  MD5:     ac35fd4cbfd05ce0747b0f0d280d162e
  SHA1:    45b401f686aefbcfc3e2a2d38ad52a3a3d999111
  SHA256:  f1d662128e72fad0967b8f5b36675729ea2e8133e8d86cc50b1683475675e2ec
  SHA512:  ae904993769c69b65fa214b164f1f06ca984e9dcd6dad589d82f2f6db3d5233a6877fa94c3db8409f2a570c324c87c173ed66df456a39b3b252d3740ebb7539d
  SSDEEP:  49152:qnV9xabFe6iRyhJ3jkqQVSfWVXqASv1x1dKO/5t7WGiocfGJDcjQcy20RHrzKgiR:qnV9xVSjL+EnHOMz5ysZA5+bf6c
Malware Config
Signatures

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and cookies.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Program crash (10 IoCs)
  Every entry is WerFault.exe reporting a fault in the same target, the sample itself (PID 1736); ten crash reports from one process over a 91s run means the sample kept faulting rather than completing its work.
  pid   pid_target  Process       procid_target
  5092  1736        WerFault.exe  65
  4100  1736        WerFault.exe  65
  3628  1736        WerFault.exe  65
  4512  1736        WerFault.exe  65
  3508  1736        WerFault.exe  65
  2000  1736        WerFault.exe  65
  4212  1736        WerFault.exe  65
  4396  1736        WerFault.exe  65
  3936  1736        WerFault.exe  65
  96    1736        WerFault.exe  65

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  All 64 entries come from the two wmic processes, not from the sample. wmic.exe routinely enables every privilege present in its token at start-up, so the privilege adjustment itself is expected; the signal is which process launched wmic and what it asked for (see the process tree).
  wmic.exe, PID 2664: the following 21 privileges, enabled twice in sequence (42 entries)
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
    33, 34, 35, 36
  WMIC.exe, PID 3156: the same 21 privileges once, followed by a second SeIncreaseQuotaPrivilege (22 entries)
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege,
    33, 34, 35, 36, SeIncreaseQuotaPrivilege
  The numeric entries 33 to 36 are privilege LUIDs the sandbox did not resolve to names.

Suspicious use of WriteProcessMemory (15 IoCs)
  The write targets are exactly the five children in the process tree, and each write was logged three times. That pattern matches the memory writes that accompany process creation (the parent setting up a child it just spawned) rather than injection into an unrelated process.
  description                        pid   Process                                                                   procid_target
  PID 1736 wrote to memory of 2664   1736  f1d662128e72fad0967b8f5b36675729ea2e8133e8d86cc50b1683475675e2ec.exe  73  (logged 3 times)
  PID 1736 wrote to memory of 4428   1736  f1d662128e72fad0967b8f5b36675729ea2e8133e8d86cc50b1683475675e2ec.exe  79  (logged 3 times)
  PID 4428 wrote to memory of 3156   4428  cmd.exe                                                                   81  (logged 3 times)
  PID 1736 wrote to memory of 4816   1736  f1d662128e72fad0967b8f5b36675729ea2e8133e8d86cc50b1683475675e2ec.exe  82  (logged 3 times)
  PID 4816 wrote to memory of 696    4816  cmd.exe                                                                   84  (logged 3 times)
Processes
(indentation shows tree depth; each entry gives the image, the command line, the PID and the signatures that fired on it)

- C:\Users\Admin\AppData\Local\Temp\f1d662128e72fad0967b8f5b36675729ea2e8133e8d86cc50b1683475675e2ec.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\f1d662128e72fad0967b8f5b36675729ea2e8133e8d86cc50b1683475675e2ec.exe"
  PID 1736; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 544 (PID 5092): Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 560 (PID 4100): Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 524 (PID 3628): Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 604 (PID 4512): Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 776 (PID 3508): Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 872 (PID 2000): Program crash
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    cmdline: wmic os get Caption
    PID 2664; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 1320 (PID 4212): Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 1336 (PID 4396): Program crash
  - C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 1256 (PID 3936): Program crash
  - C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /C "wmic path win32_VideoController get name"
    PID 4428; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic path win32_VideoController get name
      PID 3156; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd /C "wmic cpu get name"
    PID 4816; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic cpu get name
      PID 696
  - C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 312 (PID 96): Program crash
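The process tree above shows two things worth detecting outside a sandbox: a binary running from the user's Temp directory that inventories the host through wmic (OS caption, CPU name, GPU name, the usual pre-flight check before deciding whether to run), and a process that faults often enough to spawn ten WerFault.exe instances. The script below is an added example and is not code from tria.ge or from the sample; it reconstructs the tree from constructed process-creation records (PIDs and command lines copied from the tree, record layout assumed to follow a Sysmon Event ID 1 style with pid/ppid/image/cmdline fields, parent PID of the sample set to None because the page does not give it) and flags both patterns, walking each wmic process back to its ancestor in AppData\Local\Temp.

```python
"""Detect host fingerprinting via wmic from a Temp-resident binary, and
crash loops (repeated WerFault.exe launches for one target PID).

Added example, not from the report. EVENTS is constructed from the process
tree on the page; the record layout is an assumed Sysmon-like schema.
"""
import re
from collections import Counter

SAMPLE = "f1d662128e72fad0967b8f5b36675729ea2e8133e8d86cc50b1683475675e2ec.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE


def _werfault(pid, target, handle):
    """Constructed record for one WerFault.exe launch (-p target, -s handle)."""
    return {"pid": pid, "ppid": target,
            "image": r"C:\Windows\SysWOW64\WerFault.exe",
            "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p %d -s %d" % (target, handle)}


# Constructed from the report's process tree; ppid None = not given on the page.
EVENTS = [
    {"pid": 1736, "ppid": None, "image": SAMPLE_PATH, "cmdline": '"' + SAMPLE_PATH + '"'},
    *[_werfault(p, 1736, h) for p, h in [(5092, 544), (4100, 560), (3628, 524), (4512, 604),
                                         (3508, 776), (2000, 872), (4212, 1320), (4396, 1336),
                                         (3936, 1256), (96, 312)]],
    {"pid": 2664, "ppid": 1736, "image": r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     "cmdline": "wmic os get Caption"},
    {"pid": 4428, "ppid": 1736, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": 'cmd /C "wmic path win32_VideoController get name"'},
    {"pid": 3156, "ppid": 4428, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmdline": "wmic path win32_VideoController get name"},
    {"pid": 4816, "ppid": 1736, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": 'cmd /C "wmic cpu get name"'},
    {"pid": 696, "ppid": 4816, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmdline": "wmic cpu get name"},
]

# The three inventory queries seen in the tree; extend the alternation as needed.
WMIC_INVENTORY = re.compile(
    r"\bwmic(?:\.exe)?\b.*?\b(os\s+get\s+caption|cpu\s+get\s+name|"
    r"path\s+win32_videocontroller\s+get\s+name)\b", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
WERFAULT_TARGET = re.compile(r"\bWerFault\.exe\b.*?\s-p\s+(\d+)\b", re.IGNORECASE)


def ancestors(by_pid, pid):
    """Event for pid followed by its parents, root last; cycle-safe."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])
    return chain


def find_wmic_fingerprinting(events):
    """(origin_pid, wmic_pid, query) for each inventory query whose ancestry
    reaches an executable running from AppData\\Local\\Temp. A wmic query
    from, say, an admin's console has no such ancestor and is not reported."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("wmic.exe"):
            continue
        m = WMIC_INVENTORY.search(e["cmdline"])
        if m is None:
            continue
        origin = next((a for a in ancestors(by_pid, e["pid"])
                       if TEMP_DIR.search(a["image"])), None)
        if origin is not None:
            hits.append((origin["pid"], e["pid"], m.group(1).lower()))
    return hits


def find_crash_loops(events, threshold=3):
    """Count WerFault.exe launches per target PID (-p) and return those at or
    above threshold; one process faulting over and over is worth a look even
    when no other rule fires."""
    counts = Counter()
    for e in events:
        if e["image"].lower().endswith("werfault.exe"):
            m = WERFAULT_TARGET.search(e["cmdline"])
            if m:
                counts[int(m.group(1))] += 1
    return {pid: n for pid, n in counts.items() if n >= threshold}


def summarize(events):
    return {"fingerprinting": find_wmic_fingerprinting(events),
            "crash_loops": find_crash_loops(events)}


if __name__ == "__main__":
    for k, v in summarize(EVENTS).items():
        print(k, v)
```

Run against the constructed records this reports all three wmic queries as originating from PID 1736 and a crash loop of ten WerFault launches for the same PID. The ancestry walk is the part that keeps the rule quiet on ordinary hosts: wmic inventory queries are common in login scripts and inventory agents, so the match is on the chain back to a Temp-resident parent, not on the query alone.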