Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    90s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/10/2022, 00:10

General

  • Target

    f2d300d8fb1ef1812db6c63ce75f419e4092742a123bb0ffb7e6c257d53a6b49.exe

  • Size

    390KB

  • MD5

    2ef5b41a3b40b87a252ad568fe74bb53

  • SHA1

    57a38efa35497026fa81dec9d0a6e56dd3118fdc

  • SHA256

    f2d300d8fb1ef1812db6c63ce75f419e4092742a123bb0ffb7e6c257d53a6b49

  • SHA512

    9dfc0614f3ad919cf279da8f45218b4dee8c17c96089ef36a312f498906b64272f3769127c3540af79ac2349dd5431ff66d370eeb33f006d644694bb8fe4e728

  • SSDEEP

    6144:ZhvVlLB7RJ2IBsISG7WwEDQrYSZ5QRhv48aqHLrwtc7ITsq:ZhvfN7RgIeIr7W4YEQHQ8aq/l7

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2d300d8fb1ef1812db6c63ce75f419e4092742a123bb0ffb7e6c257d53a6b49.exe
    "C:\Users\Admin\AppData\Local\Temp\f2d300d8fb1ef1812db6c63ce75f419e4092742a123bb0ffb7e6c257d53a6b49.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:3752
    • C:\Windows\system32\rundll32.exe
      "C:\Users\Admin\AppData\Roaming\nsis_unse56c931.dll",PrintUIEntry |5CQkOhiAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAOVkHwBs8|AtBUwAS|4fADkAVQBCAFi|AEQAUgB6GQB67wBKAGstAllIg||sKOgEAgAASP+DxCjDzMzMTP+JRCQYSIlUJL8QSIlMJAhZAUj|i0QkMEiJBCT2fQE4SGsACEjHRNskEC0B6w59ARBI14PAAYsBEH0BQEjtOZIAcyWbA4sMJP9IA8hIi8FIi|VMpwFUdwAD0UiLf8qKCYgI68FiBb9lSIsEJWDz8DP|yUiLUBhIO9H|dDZIg8IgSIv|Akg7wnQqZoP|eEgYdRpMi0D|UGZBgzhrdAfuDRFLdQgNEHgQLv90BUiLAOvVSOuLSPkAwWYAQFNV|1ZXQVRBVUFW+0FXWQFmgTlNWv9Ni|hMi|JIi+|ZD4X8NQFjSTz|QYE8CVBFAAD3D4Xq8|BBi4QJ|Yjz8IXASI08AfcPhNZmEYO8CYzuLQEPhMfz8ESLZ|8gRItfHIt3JP9Ei08YTAPhTP8D2UgD8TPJRd+FyQ+EpPPwTYv|xEGLEEUz0kj|A9OKAoTAdB1|QcHKDQ++wPYA7wFEA9C7EXXsQf+B+qr8DXx0Dv+DwQFJg8AEQf87yXNp68aLwf8PtwxORYssi39MA+t0WDPtphDfdFFBixS9ANMz|8mKAkyLwusP28HJxBEDyOEQAUH7igDREO0zwDP2z0E7DLbcEKIAg8b|AYP4CHLu6wr|SIvLQf|VSYnvBPeDxeAQxAQ7728Ycq9iAUFfQf9eQV1BXF9eXX1bLxdIgexgAWAA|4vp6Gb+||9I34XAD4SZcSBMjfqrAYsnEMgz|+ib|nkgjV8ETI1FQv8z0ovL|1QkaH58IEyL4A+EbHEgvUWkEDPAi9ONIEiviXwkIKIgcHwgSJ+L8A+ETHEgoiBQ|0iNVghEjUdA70iNjCSBEUiL2HfofP16II1WSNogtRDeIczz8Ohn6yBEn4sGjVcIPSCiIFhexiGJhCSAgxLd8|B7iw7WIFiJjCRtEewDMI0g6DHrIEyLXXc6i6wpMkiLnBYy|0yJZCQ4RI1n32xJO+xIhiAwTLuJXIABhCTcgxGG6Y7jId8g8KwTSIvTt+jn|AEwipxzMkj7jYRzMkGA8yFJ34vMRDAYoAKD6d8BdfOBvHMyIVL|ZXh1SouEJPTuHjGUJPjz8APCSP876HI1QTvUdv8wRI1JQEkr1KdBuACUAKIgQMYi+Od0F0S0ML4xSI1TfWyNIE0rxOhsgDD3SIvOoiB4SIX|53QUTIwwFzFIjUzvJEC6A|Pw|9dIM4HEcCFdJAAA
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Accesses Microsoft Outlook profiles
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • outlook_office_path
      • outlook_win_path
      PID:4456
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 4456 -s 532
        3⤵
        • Program crash
        PID:1536
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 680
      2⤵
      • Program crash
      PID:4188
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3752 -ip 3752
    1⤵
      PID:1812
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 468 -p 4456 -ip 4456
      1⤵
        PID:1360

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\nsis_unse56c931.dll

        Filesize

        58KB

        MD5

        664e46926466a2d4c9b87540f4853c39

        SHA1

        b172d1c2bde331770b0a944fcf6a9e2d75ded66b

        SHA256

        92a7c3296a561fb39798f821173e69d1feff44ff3a84caa4c6bb890945e79488

        SHA512

        1490ee65220c71a9f445df4b0f34d0c7bd3ece2e58253cfa3194d34e813843e0f71ea7bce0f0ae562a620334fdf3589262ca2f3209414936aa28a365db64ff03

      • C:\Users\Admin\AppData\Roaming\nsis_unse56c931.dll

        Filesize

        58KB

        MD5

        664e46926466a2d4c9b87540f4853c39

        SHA1

        b172d1c2bde331770b0a944fcf6a9e2d75ded66b

        SHA256

        92a7c3296a561fb39798f821173e69d1feff44ff3a84caa4c6bb890945e79488

        SHA512

        1490ee65220c71a9f445df4b0f34d0c7bd3ece2e58253cfa3194d34e813843e0f71ea7bce0f0ae562a620334fdf3589262ca2f3209414936aa28a365db64ff03

      • memory/3752-135-0x0000000000400000-0x0000000002C50000-memory.dmp

        Filesize

        40.3MB

      • memory/3752-133-0x0000000002CB0000-0x0000000002CE0000-memory.dmp

        Filesize

        192KB

      • memory/3752-134-0x0000000002F30000-0x0000000002F4A000-memory.dmp

        Filesize

        104KB

      • memory/3752-132-0x0000000002CF2000-0x0000000002D17000-memory.dmp

        Filesize

        148KB

      • memory/3752-139-0x0000000002F50000-0x0000000002F6D000-memory.dmp

        Filesize

        116KB

      • memory/3752-140-0x0000000004DB0000-0x0000000005DB0000-memory.dmp

        Filesize

        16.0MB

      • memory/3752-143-0x0000000000400000-0x0000000002C50000-memory.dmp

        Filesize

        40.3MB

      • memory/4456-141-0x0000019FA8780000-0x0000019FA8787000-memory.dmp

        Filesize

        28KB

      • memory/4456-142-0x00007FF40D5B0000-0x00007FF40D6AA000-memory.dmp

        Filesize

        1000KB

      • memory/4456-144-0x00007FF40D5B0000-0x00007FF40D6AA000-memory.dmp

        Filesize

        1000KB

      • memory/4456-145-0x00007FF40D5B0000-0x00007FF40D6AA000-memory.dmp

        Filesize

        1000KB

      • memory/4456-146-0x0000000010000000-0x0000000010013000-memory.dmp

        Filesize

        76KB