Analysis

  • max time kernel
    155s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
  • submitted
    29/10/2022, 04:35

General

  • Target

    73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe

  • Size

    110KB

  • MD5

    877996da419cb48838d9769b24f6016c

  • SHA1

    1bd1a5ef7668b1a26eaa0c96c3ad7140428b9597

  • SHA256

    73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46

  • SHA512

    d4752f4e250f7ffae3fcd77e6cfadcd5b5360f1e02618cb285b6d73fef8c580911b211fd09b33b0da5141d3d1c8f3d7923163b68955679cebfacbdb521b838d3

  • SSDEEP

    3072:dUdvtJxKyKWGK3WtrHu6asw3rWe2LLcp/:dUdpzG2SrHxal3Ser

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and form history.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 11 IoCs
  • Modifies registry class 2 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
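
The "UPX packed file" signature above keys on packer residue left in the PE image. The Python below is an added example, not code from this report and not the sandbox's own rule: it walks the PE headers by hand (MZ header, e_lfanew, COFF header, section table) to read the section names, and flags the UPX0/UPX1 names and the "UPX!" marker. The name list is an assumed heuristic, and the PE it tests against is a constructed header-only skeleton built inline, not the sample from this report.

```python
import struct

# Section names the UPX packer writes. Heuristic names assumed for this example;
# they are not the sandbox's own rule.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1"}


def pe_section_names(data: bytes) -> list:
    """Read the section names of a PE image by walking MZ -> PE -> COFF -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # 20-byte COFF file header
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (size_opt,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + size_opt                          # section table follows the optional header
    names = []
    for i in range(num_sections):
        entry = data[table + i * 40: table + i * 40 + 8]  # 40-byte entries, name in the first 8 bytes
        if len(entry) < 8:
            raise ValueError("section table truncated")
        names.append(entry.rstrip(b"\0"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """UPX leaves its section names and (unless stripped) a 'UPX!' marker in the file."""
    return any(n in UPX_SECTION_NAMES for n in pe_section_names(data)) or b"UPX!" in data


def build_minimal_pe(section_names) -> bytes:
    """Constructed test input: a header-only PE32 skeleton with the given sections (not runnable code)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew: PE header right after the DOS header
    size_opt = 0xE0                                      # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    table = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    for sections in ([b"UPX0", b"UPX1", b".rsrc"], [b".text", b".rdata", b".data"]):
        pe = build_minimal_pe(sections)
        print(pe_section_names(pe), "-> UPX" if looks_upx_packed(pe) else "-> not UPX")
```

Section names are trivial for a packer author to rename, which is why the sandbox rule speaks of "UPX/modified UPX": treat a hit as a triage hint and confirm with entropy or an unpack attempt, and treat a miss as no information.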

Processes

  • C:\Users\Admin\AppData\Local\Temp\73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe
    "C:\Users\Admin\AppData\Local\Temp\73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Adds Run key to start application
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4248
    • C:\Users\Admin\AppData\Roaming\Sunjava\SunJava.exe
      C:\Users\Admin\AppData\Roaming\Sunjava\SunJava.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1852
      • C:\Windows\SysWOW64\makecab.exe
        makecab "C:\Users\Admin\AppData\Roaming\signons.sqlite" "C:\Users\Admin\AppData\Roaming\sig.cab"
        3⤵
        PID:1244
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "dir C:\ /a"
        3⤵
        PID:4204
      • C:\Windows\SysWOW64\regedit.exe
        regedit /e "C:\Users\Admin\AppData\Local\Temp\XZIOFAVD___Admin__Screen__10-21-07IE.reg" "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2\"
        3⤵
        • Runs .reg file with regedit
        PID:3868
    • C:\Windows\SysWOW64\explorer.exe
      explorer C:\Users\Admin\AppData\Local\Temp\73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.jpg
      2⤵
      PID:3708
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4596
    • C:\Windows\system32\mspaint.exe
      "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.jpg" /ForceBootstrapPaint3D
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4408
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
    1⤵
    • Drops file in System32 directory
    PID:4288
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4336
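
The tree above is the whole story in three command lines: makecab run against signons.sqlite (Firefox's legacy saved-logins store), regedit /e run against IntelliForms\Storage2 (IE's AutoComplete form and credential store), and a dir of the drive root, all launched by a copy of the sample dropped under %APPDATA%\Sunjava. The Python below is an added example, not part of the report and not the sandbox's signature logic: it re-derives those findings from process-creation events transcribed from this tree. The parent links follow the depth markers, the root process's parent PID (1000) is an assumed placeholder, and the credential-store patterns and finding tags are assumptions.

```python
import re
from dataclasses import dataclass

# Browser credential stores an infostealer commonly collects. Assumed list for
# this example, not the sandbox's signature logic.
CREDENTIAL_STORE_PATTERNS = (
    r"signons\.sqlite",         # Firefox legacy saved logins
    r"logins\.json",            # Firefox saved logins
    r"key[34]\.db",             # Firefox key database
    r"\\login data",            # Chromium saved logins
    r"intelliforms\\storage2",  # IE AutoComplete credential store
)
ARCHIVERS = {"makecab.exe", "compress.exe", "rar.exe", "7z.exe", "winrar.exe"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (pid, tag, detail) findings for the collection/staging pattern seen in this report."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img, cmd = basename(e.image), e.cmdline.lower()
        parent = by_pid.get(e.ppid)
        # regedit /e exports a whole key to a .reg file; IntelliForms\Storage2 holds
        # IE's saved form data and credentials (ATT&CK T1555.003).
        if img == "regedit.exe" and re.search(r"\s/e\s", cmd) and "intelliforms\\storage2" in cmd:
            findings.append((e.pid, "ie-credstore-export", e.cmdline))
        # A built-in archiver run against a browser credential store: staging for exfil (T1560.001).
        if img in ARCHIVERS and any(re.search(p, cmd) for p in CREDENTIAL_STORE_PATTERNS):
            findings.append((e.pid, "credstore-archive", e.cmdline))
        # Listing the drive root including hidden/system entries (T1083).
        if img == "cmd.exe" and re.search(r"\bdir\s+[a-z]:\\\s+/a", cmd):
            findings.append((e.pid, "dir-discovery", e.cmdline))
        # An .exe under %APPDATA% launched by a process running out of %TEMP%:
        # the dropped copy (here SunJava.exe, same hash as the sample) taking over.
        if (parent is not None and img.endswith(".exe")
                and "\\appdata\\roaming\\" in e.image.lower()
                and "\\appdata\\local\\temp\\" in parent.image.lower()):
            findings.append((e.pid, "dropped-exe", e.image))
    return findings


SAMPLE = "73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAMING = r"C:\Users\Admin\AppData\Roaming"

# Constructed input transcribed from the process tree above. PPIDs follow the
# depth markers; the root's parent (1000) is an assumed placeholder.
SAMPLE_EVENTS = [
    ProcEvent(4248, 1000, f"{TEMP}\\{SAMPLE}.exe", f'"{TEMP}\\{SAMPLE}.exe"'),
    ProcEvent(1852, 4248, f"{ROAMING}\\Sunjava\\SunJava.exe", f"{ROAMING}\\Sunjava\\SunJava.exe"),
    ProcEvent(1244, 1852, r"C:\Windows\SysWOW64\makecab.exe",
              f'makecab "{ROAMING}\\signons.sqlite" "{ROAMING}\\sig.cab"'),
    ProcEvent(4204, 1852, r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /c "dir C:\ /a"'),
    ProcEvent(3868, 1852, r"C:\Windows\SysWOW64\regedit.exe",
              f'regedit /e "{TEMP}\\XZIOFAVD___Admin__Screen__10-21-07IE.reg" '
              r'"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2\"'),
    ProcEvent(3708, 4248, r"C:\Windows\SysWOW64\explorer.exe", f"explorer {TEMP}\\{SAMPLE}.jpg"),
]

if __name__ == "__main__":
    for pid, tag, detail in analyze(SAMPLE_EVENTS):
        print(f"PID {pid}: {tag}: {detail}")
```

The useful property of these checks is that none of them needs the sample's hash: regedit exporting Storage2, makecab fed a browser profile file, and a dropped executable running from %APPDATA% are each worth an alert on their own in a process-creation feed (Sysmon event 1 or Security event 4688 with command-line auditing), and together they describe the credential theft this report shows.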

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46.jpg

    Filesize

    1.2MB

    MD5

    04ee3f40f19c1d1ff3a105d9d9b3a425

    SHA1

    a2d69f21f7a349c9297f955d65cc0a7270ac2ea4

    SHA256

    206de912b6a81a54aaf5376e7e45ec9de5db68860596e41796757cf91b909c80

    SHA512

    fe4650d5221e5799f1365dc2a5f9664002da569f86ca51d9076b720eb602440de386ba6ce18d1824a85870ea3b80a490618890ce3f1b966fed16c7f8fe9bc980

  • C:\Users\Admin\AppData\Roaming\SunJava\SunJava.exe

    Filesize

    110KB

    MD5

    877996da419cb48838d9769b24f6016c

    SHA1

    1bd1a5ef7668b1a26eaa0c96c3ad7140428b9597

    SHA256

    73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46

    SHA512

    d4752f4e250f7ffae3fcd77e6cfadcd5b5360f1e02618cb285b6d73fef8c580911b211fd09b33b0da5141d3d1c8f3d7923163b68955679cebfacbdb521b838d3

  • C:\Users\Admin\AppData\Roaming\Sunjava\SunJava.exe

    Filesize

    110KB

    MD5

    877996da419cb48838d9769b24f6016c

    SHA1

    1bd1a5ef7668b1a26eaa0c96c3ad7140428b9597

    SHA256

    73bf5be5536bd29c3724da5c6424fcee62eea420edb29762d0a99125f7511e46

    SHA512

    d4752f4e250f7ffae3fcd77e6cfadcd5b5360f1e02618cb285b6d73fef8c580911b211fd09b33b0da5141d3d1c8f3d7923163b68955679cebfacbdb521b838d3

  • C:\Users\Admin\AppData\Roaming\sig.cab

    Filesize

    75B

    MD5

    301a095ccbd67a5b228517e1eeab8a68

    SHA1

    7c2d91b8a59398957325153a4d1dfd5dcebe81a0

    SHA256

    e54beebd083043c6a7a1a0a8029b50f3cded2a2833123d457a948204a959248a

    SHA512

    f36a3073b1d6df2a941408138b6793bc27d0b75d1fc02afea3d274532828d6882ccf64909de3fd4a47f5e3198d6ade5a1aa7f2e05367a5ddca6d889f2724a675

  • memory/1852-144-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/1852-150-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/4248-132-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/4248-147-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/4248-136-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/4288-152-0x00000281EED70000-0x00000281EED80000-memory.dmp

    Filesize

    64KB

  • memory/4288-153-0x00000281EEDB0000-0x00000281EEDC0000-memory.dmp

    Filesize

    64KB