Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

43c5742b0f...8f.exe

windows7-x64

8

43c5742b0f...8f.exe

windows10-2004-x64

Analysis

  • max time kernel
    67s
  • max time network
    70s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/11/2022, 10:09

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe

  • Size

    790KB

  • MD5

    5578387f06f400080bde5edffb916326

  • SHA1

    e7314811b374b84b703fbd13bfed773c2f122c48

  • SHA256

    43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f

  • SHA512

    3694a0a8315e854f9bea7fc4f2641087f8a84981b1b68e3088fa63ebec76c85e2df67d634af97796315b87c108a3f898ea73dba1116bf45f8d6403fd9c24a7fe

  • SSDEEP

    3072:aSsvihLlTQz9z71iURo2SJJmY6uFNcgifDbmeTXwVdBR:rsqhJMxzJiU5SeLmNSbmebW1

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds policy Run key to start application 2 TTPs 7 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Sets file execution options in registry 2 TTPs 8 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:672
      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\AC\e8et0FK4OUCAwhkzPw44K9JepFfSA0fSoyaGhue.bat
        "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\AC\e8et0FK4OUCAwhkzPw44K9JepFfSA0fSoyaGhue.bat" 2
        2⤵
        • Executes dropped EXE
        • Sets file execution options in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4624
    • C:\Users\Admin\AppData\Local\Temp\43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe
      "C:\Users\Admin\AppData\Local\Temp\43c5742b0ffae5bcde3bbbaa22d050b4b480761f2c0ece900c7e3f8799d3758f.exe"
      1⤵
      • Adds policy Run key to start application
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:2232
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa39cc855 /state1:0x41c64e6d
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:4704
    • C:\Windows\system32\gpscript.exe
      gpscript.exe /Shutdown
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\AC\e8et0FK4OUCAwhkzPw44K9JepFfSA0fSoyaGhue.bat
        "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\AC\e8et0FK4OUCAwhkzPw44K9JepFfSA0fSoyaGhue.bat" 1
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Sets file execution options in registry
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5108

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.XboxGameCallableUI_1000.19041.1023.0_neutral_neutral_cw5n1h2txyewy\2YhVPWYr1HhzEIKM1q6mdDLj8BT.bat
      Filesize

      2.4MB

      MD5

      df6062920cc74522baf760381435d80f

      SHA1

      b6165c1544b0e779ab7defdbf1d46604b40a6b8e

      SHA256

      631d1013aa9e036f686cb57fe79383a803ef5d9320c3a847361f258ddb667d39

      SHA512

      3934703fd6c61bab30fb448ea5a662fca51f0060881419bf52339f3e44d33133060464e255d0efc95f752b79713d71eb2410ecc48ecb6ee7a333be87550ce5b2

      Download Submit

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Floc\FsoIAPVfgsxRe4W4Lj5mFSc4O3u3sHoioEd5DXo7MQa58rx.exe
      Filesize

      1.3MB

      MD5

      a9ea8afd1ebc262ec650432c6da3fb0c

      SHA1

      c041b84ed9ee5ffcaae03d0b08db9332e7df9993

      SHA256

      287bc0fc2103ede4019ae50b6800e84893f8d12058dd3900fefd6098f0a7d01f

      SHA512

      b53821f4f76efb021da51489a890c79007127583eace351bdd6564a50004104fdfdaea51dcc24221a6661b56e2e782a35df32573abc2abde5137a1b23788c8f1

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\eu\2qAy0qk9Hj4eQs.cmd
      Filesize

      1.5MB

      MD5

      d51a94b553005fa222d664ba2d6e973a

      SHA1

      9b4bdc0a2b9fc2d6bf4bd7286ec26d84ba0d4172

      SHA256

      ef5aa7a28bd3f288cfafaf4a68f837fc8151943c24f2aa26a58bb2c4fae3370b

      SHA512

      93667be86edafac683fa1220bb1b7caf64d5d8a4e75b2d5c259457d89481252460191354ef791b96dbd30299603ea17027c9791df55dd18a0cc537b387ed2aba

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\fa\BCD1lWlCyacOCqqqCO5kvHwDd6Oq0FttHOh96PYhiL57m66TUubZjoUog5EI910YRtyg.exe
      Filesize

      1.5MB

      MD5

      1d767faec694e64087a6c9ded11b4d2a

      SHA1

      191a0379307f440ffdd0e7a8d59c0f5894a1f877

      SHA256

      74e047adf98486bd36d80e4481808d866fbc611281eb34291565b7772633b5e9

      SHA512

      074f72c77022fc8f85b3623c87463e3273b7d54f81c9be490ac35ce7047d8da7bcbf2531b08ca82ebca19a2279cd83f87c6e002ee022a6823bc7087d353cfa3d

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\input\uz-Latn-UZ\fxppm4PllNFpCrMdhnCpGeEP2t6bRVT3tDzh.exe
      Filesize

      1016KB

      MD5

      80cd73c5080765896de12dfff8998472

      SHA1

      ea380f03271d2dd9d8f3cc1a81cab010f677ca4b

      SHA256

      b5fff2e1fa608b48857765d58de000c58d27d64a1f126ed9016041d9a5625809

      SHA512

      5b46d516e2fcc28d7499ca5743831d9d5462cd62cd50e92a279b8d9242337591139bef2c6badd471666a4f2a670b60339ed6c8210c5c87f81ae8af779c82e253

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\AC\e8et0FK4OUCAwhkzPw44K9JepFfSA0fSoyaGhue.bat
      Filesize

      1.3MB

      MD5

      9bb71e55e14d3337ea79f460d48b4bf6

      SHA1

      e50d37e3c1e6209970c8a8e2eb17ec5a028d2182

      SHA256

      5c363dcd9674017767a78e19ff0bdfdc257636c3aed4892498a7d07dd4293954

      SHA512

      8543d9a2caeea83cb1bb214787d9b8f60799a750ffddc2bcd729182682589dcc057d6d51e131b75dbe73c34abd49fdcf32a522e11ca7097bb02bca51564f1aca

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\AC\e8et0FK4OUCAwhkzPw44K9JepFfSA0fSoyaGhue.bat
      Filesize

      1.3MB

      MD5

      9bb71e55e14d3337ea79f460d48b4bf6

      SHA1

      e50d37e3c1e6209970c8a8e2eb17ec5a028d2182

      SHA256

      5c363dcd9674017767a78e19ff0bdfdc257636c3aed4892498a7d07dd4293954

      SHA512

      8543d9a2caeea83cb1bb214787d9b8f60799a750ffddc2bcd729182682589dcc057d6d51e131b75dbe73c34abd49fdcf32a522e11ca7097bb02bca51564f1aca

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\AC\e8et0FK4OUCAwhkzPw44K9JepFfSA0fSoyaGhue.bat
      Filesize

      1.3MB

      MD5

      9bb71e55e14d3337ea79f460d48b4bf6

      SHA1

      e50d37e3c1e6209970c8a8e2eb17ec5a028d2182

      SHA256

      5c363dcd9674017767a78e19ff0bdfdc257636c3aed4892498a7d07dd4293954

      SHA512

      8543d9a2caeea83cb1bb214787d9b8f60799a750ffddc2bcd729182682589dcc057d6d51e131b75dbe73c34abd49fdcf32a522e11ca7097bb02bca51564f1aca

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\EsMxtPhvlK8wxA7OEG7vYi1yLKvvJAO8L6MOcbqN0RvIQe.exe
      Filesize

      1.5MB

      MD5

      d5e8c6d9cdfdbda174a1c0f6f22ef5ee

      SHA1

      a295651df0495c4af16b012ca462d808e2390180

      SHA256

      6d15005fda1d5bbc58772999987b261a03682640f10032543410e7347e58526b

      SHA512

      91a450a1180cb7eb6e0162b7dcdab72c278b6208c6e1d1d417c3dea69469a92fd0214bac2612cbb5753e255c99ada75d21a883f7a2458486be644f1769bd0606

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\7HO3fCZKGJrE.exe
      Filesize

      1.1MB

      MD5

      54f04fba73e226287b0b129083213bc4

      SHA1

      7cb0034bafba2cec93dc893a4d5cc267820545b9

      SHA256

      b52fc8e7c18f01d581c2f48f1fa85c3ed71e43af8e1427380757ad5fe47cb92a

      SHA512

      cd485c36e3ecf3bb5701ac241d0f8a8972a42968982b194ae7ca5ff8307ceaf51159542e637fbb52c58173466e27333fa76bb31d374d797eb7da2c6df2229601

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\B0ESNM48\21rbZbnyGxvWmwNMNTgP0oYFbOQ5KGSdJ4gPRscWYRpRx3gDn.exe
      Filesize

      1.3MB

      MD5

      f60f6a8361bd3353159d33dbffa87427

      SHA1

      19683d8667ae46b15fb162aa6e75b4d11f029b83

      SHA256

      6c417600086223c47353dfcd00f3b8803ce02706dc359346288c0bd964b29be1

      SHA512

      32a3d08d958c1e33152caef3bf5711cb19ed5d1d2eeb6e1ae6471cb90043546dd967f1c4671faf2d4bfb3fe639e51a5655e6bceead8cb91243003999029749fc

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AppData\e6TB0gPCjLRmDT9DNUK7iV7Oajkkj.exe
      Filesize

      1.3MB

      MD5

      080b5c80e52caee8025c87be53711489

      SHA1

      4694f9caefe59c79a784fdb6cddb9de6ac167e37

      SHA256

      2353657ad0a5295720b569fcfc40291ac80a1551dd4f52a21a8e2af6b62f5f0e

      SHA512

      30c34776feea31797639dbd328d09522c818c56920c545740c55799f1600bf049b86178322acdd80263c214d373217587b7257a2374a93e10d5b5065d70eb2c5

      Download Submit

    • C:\Users\Default\AppData\Roaming\Microsoft\Windows\2qNmdtzh4i0j8aZIWjCRrrrcKqyJ.exe
      Filesize

      791KB

      MD5

      4f03f7a98beb4eb42e4b6f7ab8aaa793

      SHA1

      8c27843b26680826620fafedcd0b213e99e5ba94

      SHA256

      4c1bf6cc985fa3924139a4c87956f6754cba44514c21a44a94fd52b77aea1804

      SHA512

      899aeb81b4af9ee3dbda22fdae360951c7436b807d769c303bd35a16d94f645c32bbcff169178e8f3490283bc2399e0889d94f83a9c4a9389a602479dffce9c8

      Download Submit

    • memory/2232-132-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2232-133-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4624-152-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/5108-149-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/5108-146-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/5108-137-0x0000000000400000-0x000000000042D000-memory.dmp

      Filesize

      180KB

      Download