Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

d6e5bfea5d...a1.exe

windows7-x64

8

d6e5bfea5d...a1.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    125s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/11/2022, 14:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d6e5bfea5def9f8900c869455d59141e374f8f035d363ff83bc8b51647d05ba1.exe

  • Size

    4.6MB

  • MD5

    d3c26ef7a6509a8059e4c05f1926b0a8

  • SHA1

    46cdd1d607cdff66990e78f6c90d9b41b517b3eb

  • SHA256

    d6e5bfea5def9f8900c869455d59141e374f8f035d363ff83bc8b51647d05ba1

  • SHA512

    d4608b61bf7ece3edee254e7850c0ed170da1a8261af0a04fc5474abf5ad83c248149ed99a52393bca6820cee4a1ec5bd92ec6a7e70a9a6facdfe7898085591e

  • SSDEEP

    98304:YoBQXwcATVTwymaBp1tf3MIGT1CB5ckO:YoNBTVTwymaPbGTYB9

Score
8/10
adwarediscoverypersistencespywarestealer

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs 4 IoCs
    persistence
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops Chrome extension 5 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\d6e5bfea5def9f8900c869455d59141e374f8f035d363ff83bc8b51647d05ba1.exe
    "C:\Users\Admin\AppData\Local\Temp\d6e5bfea5def9f8900c869455d59141e374f8f035d363ff83bc8b51647d05ba1.exe"
    1⤵
    • Loads dropped DLL
    • Drops Chrome extension
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:644
    • C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s "C:\Program Files (x86)\PriceLess\NdhmMEpXijnIHc.x64.dll"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4872
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Program Files (x86)\PriceLess\NdhmMEpXijnIHc.x64.dll"
        3⤵
        • Registers COM server for autorun
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:3976
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
    1⤵
      PID:4760
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
      1⤵
        PID:2664

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\PriceLess\NdhmMEpXijnIHc.dat
        Filesize

        3KB

        MD5

        114fb34862522d8733bbdf9b74f11976

        SHA1

        0f625c0571958b8c6a5201d78ea542e98635f0f1

        SHA256

        7afcf6e3f2e8e6e1770721f3766d5f4aefb4316d8d09012a080e788aa5419629

        SHA512

        7adf11ae8911ac779d00a7ded8ce5c54aff313e587da7fbd329d441cff3e05a794e025c484a4e1c3d56c3f71d0109c1ec1a15ac3c91698269c9fcd6b42179e8e

        Download Submit

      • C:\Program Files (x86)\PriceLess\NdhmMEpXijnIHc.dll
        Filesize

        751KB

        MD5

        68b0c82a53fdfe07ab206ee2078ec984

        SHA1

        dc0bc38f5219340b309e53841f562499bf517568

        SHA256

        6c37c9e2af50feb15f2cd2ac1e85a03c1cab2d997bea12da8beea59bc0099c21

        SHA512

        e194eed7704e793e36a0e8d130d672c5788b3d41adde92b5876ba32f52a1c8065952243666ca804736f567e5af316ac80d2f7d5612bc90f6a92b9269f6678330

        Download Submit

      • C:\Program Files (x86)\PriceLess\NdhmMEpXijnIHc.tlb
        Filesize

        3KB

        MD5

        a605ae2858a95cc2ce9bb1e9d9304674

        SHA1

        6d921d39e97d8fa34c010b4045e45ba776565ac9

        SHA256

        3074c890173c5cfefa194ea54ad1fd95801384893476628823481fe071576d45

        SHA512

        95335e817be4486e8e949ac701f4ffa22c579a3509d62278f05ce5b5e369bd3949ebf90e1ac8f3aa4ee59525e2c59a906666633c594d264fbbb76146216e7725

        Download Submit

      • C:\Program Files (x86)\PriceLess\NdhmMEpXijnIHc.x64.dll
        Filesize

        889KB

        MD5

        042040d8e80233e425b5c9e39da669a3

        SHA1

        f4d544cc6f6979cdab77b0072642edb4824aac04

        SHA256

        d5adc62ab4e22acf8f91d165bde2e398cec14e4424542e355bd07e54f6b2aed2

        SHA512

        d127946ea1b7d08f184646a44ef6f8f59daa70c46b6e54638fa15b9c8a4dfcf62ed384c7961447070fbfb3875cecffc85c963752e0ac8b5cba430826a0b7bac5

        Download Submit

      • C:\Program Files (x86)\PriceLess\NdhmMEpXijnIHc.x64.dll
        Filesize

        889KB

        MD5

        042040d8e80233e425b5c9e39da669a3

        SHA1

        f4d544cc6f6979cdab77b0072642edb4824aac04

        SHA256

        d5adc62ab4e22acf8f91d165bde2e398cec14e4424542e355bd07e54f6b2aed2

        SHA512

        d127946ea1b7d08f184646a44ef6f8f59daa70c46b6e54638fa15b9c8a4dfcf62ed384c7961447070fbfb3875cecffc85c963752e0ac8b5cba430826a0b7bac5

        Download Submit

      • C:\Program Files (x86)\PriceLess\NdhmMEpXijnIHc.x64.dll
        Filesize

        889KB

        MD5

        042040d8e80233e425b5c9e39da669a3

        SHA1

        f4d544cc6f6979cdab77b0072642edb4824aac04

        SHA256

        d5adc62ab4e22acf8f91d165bde2e398cec14e4424542e355bd07e54f6b2aed2

        SHA512

        d127946ea1b7d08f184646a44ef6f8f59daa70c46b6e54638fa15b9c8a4dfcf62ed384c7961447070fbfb3875cecffc85c963752e0ac8b5cba430826a0b7bac5

        Download Submit

      • memory/644-132-0x00000000030D0000-0x000000000319A000-memory.dmp

        Filesize

        808KB

        Download