Analysis

  • max time kernel
    183s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/12/2022, 03:00

General

  • Target

    79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe

  • Size

    4.8MB

  • MD5

    b9c9b6a1121071dcc3afac7cef10b987

  • SHA1

    7ec4123c506a76eeaf1904a71263953906687cbf

  • SHA256

    79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f

  • SHA512

    ccad975fb3fe467ec16e2951ffada02860817a2b8d2518d9037c590aa533a6d417253fcf2f69d96e82cf28f396b1e8edcc72e7393ddf4f28034b4a1a12cc4fda

  • SSDEEP

    98304:7EK7yYAUDJ4sPgxSAZ5EGh+cDsddihc6TXkBL:txpPHA3DtsdP6TXkB

Malware Config

Signatures

  • Drops file in Drivers directory 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and session cookies. Note that the files touched in this run (Chrome Preferences, Firefox prefs.js) are browser configuration, consistent with the start-page modification reported below rather than credential theft.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage or optical drives. This heuristic is commonly associated with ransomware, but nothing else in this report (no file encryption, no ransom note) supports that classification here.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe
    "C:\Users\Admin\AppData\Local\Temp\79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4752
    • C:\Users\Admin\AppData\Local\Temp\do.exe
      "C:\Users\Admin\AppData\Local\Temp\do.exe" ++++++++++eeyuckl.bat+++++setup.exe+++++run.exe
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eeyuckl.bat" "
        3⤵
        • Drops file in Drivers directory
        • Suspicious use of WriteProcessMemory
        PID:3460
        • C:\Windows\SysWOW64\chcp.com
          chcp 866
          4⤵
            PID:388
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im "praetorian.exe"
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2128
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v init /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\do.exe\" eeyuckl.bat" /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4460
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v init /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\do.exe\" eeyuckl.bat" /f
            4⤵
            • Adds Run key to start application
            PID:4928
        • C:\Users\Admin\AppData\Local\Temp\setup.exe
          "C:\Users\Admin\AppData\Local\Temp\setup.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:4628
        • C:\Users\Admin\AppData\Local\Temp\run.exe
          "C:\Users\Admin\AppData\Local\Temp\run.exe"
          3⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Modifies Internet Explorer start page
          • Suspicious use of WriteProcessMemory
          PID:1976
          • C:\Users\Admin\AppData\Local\Temp\934U6B47k0\csrss.exe
            "C:\Users\Admin\AppData\Local\Temp\934U6B47k0\csrss.exe" open
            4⤵
            • Executes dropped EXE
            • Modifies Internet Explorer start page
            PID:4920
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 -n 8 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\run.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1948
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 8
              5⤵
              • Runs ping.exe
              PID:4880
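The tree above is a small multi-stage dropper. do.exe appears to take a plus-delimited list of payloads to write and run (eeyuckl.bat, setup.exe, run.exe). The batch file switches the console to code page 866 (OEM Cyrillic), force-kills praetorian.exe, registers a RunOnce value that re-launches do.exe with the same batch file from the user's Temp directory, and starts setup.exe and run.exe. run.exe then launches a copy of itself as 934U6B47k0\csrss.exe (same hash, see the Downloads list) and deletes its own original through the usual `ping 127.0.0.1 -n 8 & del` delay trick. The following added example, which is my code and not part of the tria.ge report or the sample, encodes those command lines as constructed process records and runs detection rules over them; the record shape (pid, ppid, image, cmdline) is an assumption modelled loosely on a Sysmon process-creation event, not a tria.ge export format.

```python
"""Detection logic for the process chain shown in the report above.

Added example, not part of the tria.ge report. EVENTS is constructed from
the command lines in the report's process tree; the record shape
(pid, ppid, image, cmdline) is an assumption loosely modelled on a Sysmon
process-creation event, not a tria.ge export format.
"""
import re

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "79e6588567217b9a6083c2a47ce4d1ae55d142bae82c18ee16b3014b462c904f.exe"
REG_ADD = (r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" '
           r'/v init /t REG_SZ /d "\"' + TEMP + r'\do.exe\" eeyuckl.bat" /f')

# (pid, ppid, image, cmdline) as shown in the report; ppid 0 marks the submitted sample.
_RAW = [
    (4752, 0,    TEMP + "\\" + SAMPLE, f'"{TEMP}\\{SAMPLE}"'),
    (2704, 4752, TEMP + r"\do.exe", f'"{TEMP}\\do.exe" ++++++++++eeyuckl.bat+++++setup.exe+++++run.exe'),
    (3460, 2704, r"C:\Windows\SysWOW64\cmd.exe", f'C:\\Windows\\system32\\cmd.exe /c ""{TEMP}\\eeyuckl.bat" "'),
    (388,  3460, r"C:\Windows\SysWOW64\chcp.com", "chcp 866"),
    (2128, 3460, r"C:\Windows\SysWOW64\taskkill.exe", 'taskkill /f /im "praetorian.exe"'),
    (4460, 2704, r"C:\Windows\SysWOW64\cmd.exe", '"C:\\Windows\\System32\\cmd.exe" /c ' + REG_ADD),
    (4928, 4460, r"C:\Windows\SysWOW64\reg.exe", REG_ADD),
    (4628, 2704, TEMP + r"\setup.exe", f'"{TEMP}\\setup.exe"'),
    (1976, 2704, TEMP + r"\run.exe", f'"{TEMP}\\run.exe"'),
    (4920, 1976, TEMP + r"\934U6B47k0\csrss.exe", f'"{TEMP}\\934U6B47k0\\csrss.exe" open'),
    (1948, 1976, r"C:\Windows\SysWOW64\cmd.exe",
     f'"C:\\Windows\\System32\\cmd.exe" /C ping 127.0.0.1 -n 8 & del /F /Q "{TEMP}\\run.exe"'),
    (4880, 1948, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 8"),
]
EVENTS = [dict(zip(("pid", "ppid", "image", "cmdline"), row)) for row in _RAW]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe"}


def _base(ev):
    return ev["image"].rsplit("\\", 1)[-1].lower()


def _in_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


RULES = [
    # Persistence: a Run/RunOnce value whose data points back into the user's Temp dir.
    ("RUNONCE_FROM_TEMP", lambda ev: bool(re.search(
        r"\breg(?:\.exe)?\s+add\s+\"?HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\b",
        ev["cmdline"], re.I)) and _in_temp(ev["cmdline"])),
    # Anti-forensics: ping used as a sleep, then the running binary is deleted.
    ("SELF_DELETE_VIA_PING", lambda ev: bool(re.search(
        r"\bping\s+127\.0\.0\.1\s+-n\s+\d+\s*&\s*del\b", ev["cmdline"], re.I))),
    # Forced termination of a named process from a script.
    ("TASKKILL_FORCE", lambda ev: _base(ev) == "taskkill.exe"
        and "/f" in ev["cmdline"].lower() and "/im" in ev["cmdline"].lower()),
    # Code page 866 is OEM Cyrillic: the batch file was written for a Russian-locale console.
    ("CHCP_866", lambda ev: re.search(r"\bchcp\s+866\b", ev["cmdline"]) is not None),
    # A core Windows process name running outside System32/SysWOW64 (masquerading).
    ("SYSTEM_NAME_OUTSIDE_SYSTEM32", lambda ev: _base(ev) in SYSTEM_NAMES
        and not ev["image"].lower().startswith(SYSTEM_DIRS)),
    # Low-severity context: anything executing from the user's Temp directory.
    ("EXEC_FROM_USER_TEMP", lambda ev: _in_temp(ev["image"])),
]


def evaluate(events):
    """Map pid -> names of the rules its record triggers; pids with no hit are omitted."""
    hits = {}
    for ev in events:
        names = [name for name, rule in RULES if rule(ev)]
        if names:
            hits[ev["pid"]] = names
    return hits


def ancestry(events, pid):
    """Walk ppid links from pid back to the submitted sample, root first."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for pid, names in evaluate(EVENTS).items():
        print(pid, " -> ".join(map(str, ancestry(EVENTS, pid))), names)
```

The rules deliberately key on the command line rather than on file hashes: the hashes below identify this one build, while the RunOnce-into-Temp, ping-then-del and system-name-outside-System32 patterns survive a rebuild. `ancestry` is what ties a low-value hit such as the ping back to the submitted sample, which is the chain an analyst needs when the alert fires on the leaf process.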

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

      Filesize

      25B

      MD5

      0bff3c03b40234362688e92c14e23ecf

      SHA1

      ee591f8bc5f5b1140a1374cfb35e203e10e8264d

      SHA256

      e1804ee6387dd6adf7301c911634806052012a4696a3e7d221c8a873c7b7a937

      SHA512

      f188eca19ac1b32dda55fe736fe780cf7f052dc1738c13fd0125b2395e16a050518cddb9513884fd8a3045ddeef9408aa8b83826aa13c148ac7328e24bd15899

    • C:\Users\Admin\AppData\Local\Temp\934U6B47k0\csrss.exe

      Filesize

      285KB

      MD5

      8657aef0460f31f44db864b3f3a8522c

      SHA1

      ed01bf1493bd186ac1fcd60ee4fd81c41182a78f

      SHA256

      919f11537ac5099ba000faca5cca90cf211a6e677cc1cf5a61a9e3de5b4e7183

      SHA512

      69c295c6b91be4a9aa6d25a0ad8bfd962a8e81c988067ea1fef642ce0c1cd6c76849d15fe31622cb1f8a835471c468b47115acc37d28a407c35c18413da2cc22

    • C:\Users\Admin\AppData\Local\Temp\do.exe

      Filesize

      24KB

      MD5

      eb1de12a58da0bf15b8273b06f8eca48

      SHA1

      22964d6d42fe3ae5a96acd40b413db3b99f529b5

      SHA256

      0fd16b475d18dff3dbf2da6af9350562c3a8bef50cc903c49f92eed3c6cf0031

      SHA512

      10d258d85f7780a5b0822cea20b5c79d2ec48a6f5ed67f5b3f0e3abaf661996b461def94a27956d1f6cf26ad0025ddb4aaf784dcfd267d9779f08c2e90216b49

    • C:\Users\Admin\AppData\Local\Temp\eeyuckl.bat

      Filesize

      4KB

      MD5

      c977033d1f8799fcd235db0d6bb39696

      SHA1

      76b87cd7564bea1efbbcb4df130db21ec410232b

      SHA256

      a6edb44c3f59bbc53678bf7f3f7ad10155773967edd619f59cf63902aeb71a6d

      SHA512

      c7fd7addea3899d19cb6e5857d5a741758bbc80795e670026ef8f66eecc5a64a47f5cceec88e6dbd8dbaa037ad1bbecd3b185e362f9c9af353a520d9ac2dbc3a

    • C:\Users\Admin\AppData\Local\Temp\run.exe

      Filesize

      285KB

      MD5

      8657aef0460f31f44db864b3f3a8522c

      SHA1

      ed01bf1493bd186ac1fcd60ee4fd81c41182a78f

      SHA256

      919f11537ac5099ba000faca5cca90cf211a6e677cc1cf5a61a9e3de5b4e7183

      SHA512

      69c295c6b91be4a9aa6d25a0ad8bfd962a8e81c988067ea1fef642ce0c1cd6c76849d15fe31622cb1f8a835471c468b47115acc37d28a407c35c18413da2cc22

    • C:\Users\Admin\AppData\Local\Temp\setup.exe

      Filesize

      5.0MB

      MD5

      df06d6da9e8b53be359b89e568b53a10

      SHA1

      e133bd9638bf02b239e760efd09778fa8951f486

      SHA256

      3fe3ec648ed40c3a54cec81ef8f43d83043ebb2fb05d0d612cace86f2e35793e

      SHA512

      799df79d12af224705dcf0d8a3f1cfc7a944b297ac04e84a6eb756a0a15b50a5bc294bd6141fc7f07d394cf69a906ff2adf16c0b625f1e1c89a51f9cbee28e79

    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vybwayxr.default-release\prefs.js

      Filesize

      6KB

      MD5

      70151a714506c0707193d324d08fc2ae

      SHA1

      f80661daa5eed647d91941caaaebde7d6f3f4385

      SHA256

      542514be4d81a61876b9f1b141d83c9692d2d446f3099a287883f27dd71f6ea2

      SHA512

      994a72ae8b5779f0e2ca9369a0b3ac2113c35be7681c3c2cfc6a99819f9db4d9978324d50179337ff93722ee992fc6c41f92b82117c40c92444033ecc876c2cf

    • C:\Windows\system32\drivers\etc\hosts

      Filesize

      461B

      MD5

      a836c22d773f81ff0542ea35a75800a6

      SHA1

      9bb459e08914ca093d848af5286cc819f5814c03

      SHA256

      c9f99aaee65c9be36addbf99fc9c61eeba6e7c3ef2c822bf9ac38973801d05c3

      SHA512

      ef781c7deea8f37937fee78873631456fcb09c6a55103a8063223398d9cedf8147087a0d4819c610257407ddc4027cacf80f2a6d15072b690c56cb4f8c25d24a

    • memory/4628-156-0x0000000000400000-0x000000000087F000-memory.dmp

      Filesize

      4.5MB

    • memory/4628-158-0x0000000000400000-0x000000000087F000-memory.dmp

      Filesize

      4.5MB
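A dropped-file list like the one above can carry repeated records and, as here, the same binary under two names: run.exe and 934U6B47k0\csrss.exe share SHA256 919f11537ac5099ba000faca5cca90cf211a6e677cc1cf5a61a9e3de5b4e7183, while the hosts file and the Chrome and Firefox preference files are host changes rather than payloads. As an added example, which is my code and not part of the tria.ge report, the block below parses this flattened record format, collapses the list by SHA256 and separates dropped payloads from modified host files. SAMPLE is a subset of the page's own records with only the Filesize and SHA256 fields kept (plus one repeated record and one memory dump so the edge cases are exercised); the classification labels are my own naming, not tria.ge's.

```python
"""Parse the flattened Downloads list above and collapse it by hash.

Added example, not part of the tria.ge report. SAMPLE is a subset of the
records shown on this page (Filesize and SHA256 only); the labels returned
by classify() are my own naming, not tria.ge's.
"""

SAMPLE = r"""
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize
  25B
  SHA256
  e1804ee6387dd6adf7301c911634806052012a4696a3e7d221c8a873c7b7a937
• C:\Users\Admin\AppData\Local\Temp\934U6B47k0\csrss.exe
  Filesize
  285KB
  SHA256
  919f11537ac5099ba000faca5cca90cf211a6e677cc1cf5a61a9e3de5b4e7183
• C:\Users\Admin\AppData\Local\Temp\934U6B47k0\csrss.exe
  Filesize
  285KB
  SHA256
  919f11537ac5099ba000faca5cca90cf211a6e677cc1cf5a61a9e3de5b4e7183
• C:\Users\Admin\AppData\Local\Temp\run.exe
  Filesize
  285KB
  SHA256
  919f11537ac5099ba000faca5cca90cf211a6e677cc1cf5a61a9e3de5b4e7183
• C:\Windows\system32\drivers\etc\hosts
  Filesize
  461B
  SHA256
  c9f99aaee65c9be36addbf99fc9c61eeba6e7c3ef2c822bf9ac38973801d05c3
• memory/4628-156-0x0000000000400000-0x000000000087F000-memory.dmp
  Filesize
  4.5MB
"""

FIELDS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}


def parse_downloads(text):
    """Turn the bullet/label/value layout into one dict per record; blank lines are ignored."""
    records, current, field = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):                # a new record starts with its path
            current = {"path": line[1:].strip()}
            records.append(current)
            field = None
        elif line in FIELDS:                    # a label line names the next value
            field = line.lower()
        elif current is not None and field:
            current[field] = line
            field = None
    return records


def classify(path):
    """Separate what the malware dropped from what it changed on the host."""
    p = path.lower()
    if p.startswith("c:\\windows\\"):
        return "host_change"
    if "\\google\\chrome\\" in p or "\\mozilla\\firefox\\" in p:
        return "browser_profile"
    if "\\appdata\\local\\temp\\" in p and p.rsplit(".", 1)[-1] in {"exe", "bat", "dll"}:
        return "payload"
    return "other"


def group_by_sha256(records):
    """SHA256 -> sorted distinct paths; repeated records collapse, renamed copies show up together."""
    groups = {}
    for r in records:
        if "sha256" not in r:                   # memory dumps carry no hash in this list
            continue
        groups.setdefault(r["sha256"], set()).add(r["path"])
    return {h: sorted(paths) for h, paths in groups.items()}


def unique_iocs(records):
    """One row per distinct file, with every name it was seen under and its role."""
    return [{"sha256": h, "paths": paths, "kind": classify(paths[0])}
            for h, paths in group_by_sha256(records).items()]


if __name__ == "__main__":
    for ioc in unique_iocs(parse_downloads(SAMPLE)):
        print(ioc["kind"], ioc["sha256"][:12], ioc["paths"])
```

Blocking on the SHA256 of the two 285KB copies covers both run.exe and the csrss.exe masquerade in one indicator; the hosts and browser preference hashes are useful for confirming a compromised host but are poor block-list entries, since their content will differ on every victim.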