Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

ab70e546b8...0b.exe

windows7-x64

8

ab70e546b8...0b.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    133s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/10/2022, 03:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab70e546b889a419370ec1b128a278f89b610cff27360b2405dc900128e8ae0b.exe

  • Size

    736KB

  • MD5

    84a20e79c3b5c5de1a34e153dad359fe

  • SHA1

    56aedb1d58fabe505891fb93c351bd35de4c8644

  • SHA256

    ab70e546b889a419370ec1b128a278f89b610cff27360b2405dc900128e8ae0b

  • SHA512

    de7de2cd9bcf19dfac6072be03b69ebb9627d2aa61e9e63412a9333d0addd5363fd4b525575111429cc9a5b39ad9a3399d94708c8f74d48562d0b19d6452a865

  • SSDEEP

    6144:ijTwjof6xvJQrQMoahlJeHrs4aIEVkONMDjNbAN2MpOXR0y0XU2xTA7Da0O85wID:f4iWQMDHeHrnQNpS0ykKyIEAcIZJ

Score
8/10
spywarestealer

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops Chrome extension 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 61 IoCs
  • Drops file in Program Files directory 58 IoCs
  • Drops file in Windows directory 4 IoCs
  • Program crash 4 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab70e546b889a419370ec1b128a278f89b610cff27360b2405dc900128e8ae0b.exe
    "C:\Users\Admin\AppData\Local\Temp\ab70e546b889a419370ec1b128a278f89b610cff27360b2405dc900128e8ae0b.exe"
    1⤵
    • Drops Chrome extension
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1948
  • C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:3152
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3152 -s 572
      2⤵
      • Program crash
      PID:2704
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:4880
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4880 -s 492
      2⤵
      • Program crash
      PID:4520
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    PID:4900
  • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    PID:1352
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1352 -s 284
      2⤵
      • Program crash
      PID:2484
  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    C:\Windows\System32\OpenSSH\ssh-agent.exe
    1⤵
    • Executes dropped EXE
    PID:4360
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4360 -s 352
      2⤵
      • Program crash
      PID:4284
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 452 -p 3152 -ip 3152
    1⤵
      PID:3304
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 488 -p 4880 -ip 4880
      1⤵
        PID:4124
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -pss -s 360 -p 1352 -ip 1352
        1⤵
          PID:2228
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -pss -s 468 -p 4360 -ip 4360
          1⤵
            PID:4332
          • C:\Windows\servicing\TrustedInstaller.exe
            C:\Windows\servicing\TrustedInstaller.exe
            1⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            PID:4396

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
            Filesize

            2.0MB

            MD5

            cecc1664eb999a6f7d2a6d60b03cce48

            SHA1

            399eb3f8d4c94ca06f6caac9bcbd8785e7b41e10

            SHA256

            8e4057a347f1c5ca0d962aec4f947232fa0872d89b247023c8e5ace8024aad67

            SHA512

            5c2153235afece54ceb38de9dfe8fdc20df93915c407e9f608f069060c0ab483ede175dbdf4aacbb065afca49ae099370aa17b352da51edc405f8c7a8bfa82d7

            Download Submit

          • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
            Filesize

            730KB

            MD5

            3ee8978ceb0db30e0f7ce8ce59be906c

            SHA1

            636c253032fca9314f3c43c28fd382fdefb1d441

            SHA256

            959cbd43c5525bea813f029d0456b391a1f2d22651f2f30f5712ab60604a23fc

            SHA512

            f6d1f5f1e2aa1dcfc38376ab94bbd6ce04729da5286957e43f228cc730f8c74a74efd7106a6857cf385a86a80e18e75bc8a5c4eb8fe29aa9c80dfa4dd4444254

            Download Submit

          • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
            Filesize

            740KB

            MD5

            38351be72c9085103ac3810b1b2013f9

            SHA1

            0da3e466b7ae0032c5b9aaecd4707489e5acfc92

            SHA256

            2d1245c5fa338546ca4d871c346e4f13bea6b8e6860b1c8dcb7bd9a63a97fac7

            SHA512

            82d4d4571836e06225fc620867f90ba6a7c9b20136ed946d85adcfd6013cea17cc156f5980d13807b2037102c8c65bb2f057a97b5bae6384e9cc12376a65d2c0

            Download Submit

          • C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
            Filesize

            1.9MB

            MD5

            8aca0cce020f8be3edd9e420b5031cb5

            SHA1

            ad6f193d5fbff82148f3ea33bf69598b4711060b

            SHA256

            abeacdd08f6ddc7e0cd39ea7c6cd85a8f20a7732b3704ca3071a9549e61c152a

            SHA512

            4295c72c95f6190fb5b1048967db0c74c22cbd2e5267b38eef1ffeb0927dbd90c9ebf16218d361111a4e668e4d689cfcdb31f656c036efe9378e0167cdc9dd75

            Download Submit

          • C:\Windows\System32\OpenSSH\ssh-agent.exe
            Filesize

            874KB

            MD5

            2a11fe287abfe7e35d8ec745957695ab

            SHA1

            32ddbbe52f18e87e10a3e2ee8104462941b9b29e

            SHA256

            089a7c676862187692183102f71fef3c847e64adae0be99b5b21260e2320b330

            SHA512

            21ed42d7110798e5f42eac67b767641ecfba6d09d32e73611363b5ecedc11147b922cda24284220055cde796e3d25162631b8e7c397fb62a34d106beea6eeb17

            Download Submit

          • C:\Windows\System32\OpenSSH\ssh-agent.exe
            Filesize

            874KB

            MD5

            2a11fe287abfe7e35d8ec745957695ab

            SHA1

            32ddbbe52f18e87e10a3e2ee8104462941b9b29e

            SHA256

            089a7c676862187692183102f71fef3c847e64adae0be99b5b21260e2320b330

            SHA512

            21ed42d7110798e5f42eac67b767641ecfba6d09d32e73611363b5ecedc11147b922cda24284220055cde796e3d25162631b8e7c397fb62a34d106beea6eeb17

            Download Submit

          • C:\Windows\servicing\TrustedInstaller.exe
            Filesize

            193KB

            MD5

            805418acd5280e97074bdadca4d95195

            SHA1

            a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

            SHA256

            73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

            SHA512

            630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

            Download Submit

          • memory/1352-147-0x0000000140000000-0x0000000140209000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/1352-143-0x0000000140000000-0x0000000140209000-memory.dmp

            Filesize

            2.0MB

            Download

          • memory/1948-133-0x0000000001000000-0x00000000011E4000-memory.dmp

            Filesize

            1.9MB

            Download

          • memory/1948-132-0x0000000001000000-0x00000000011E4000-memory.dmp

            Filesize

            1.9MB

            Download

          • memory/1948-150-0x0000000001000000-0x00000000011E4000-memory.dmp

            Filesize

            1.9MB

            Download

          • memory/3152-136-0x0000000140000000-0x0000000140348000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/3152-145-0x0000000140000000-0x0000000140348000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/4360-144-0x0000000140000000-0x000000014023C000-memory.dmp

            Filesize

            2.2MB

            Download

          • memory/4360-148-0x0000000140000000-0x000000014023C000-memory.dmp

            Filesize

            2.2MB

            Download

          • memory/4880-146-0x0000000140000000-0x0000000140365000-memory.dmp

            Filesize

            3.4MB

            Download

          • memory/4880-137-0x0000000140000000-0x0000000140365000-memory.dmp

            Filesize

            3.4MB

            Download

          • memory/4900-139-0x0000000140000000-0x0000000140209000-memory.dmp

            Filesize

            2.0MB

            Download