Analysis
- max time kernel: 137s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/12/2022, 07:00
Static task: static1
Behavioral task: behavioral1
- Sample: d762dad3f1cafd39f09ae5de077b04279188cee0b5cebc3117749b2a318a5091.exe
- Resource: win7-20220812-en
General
- Target: d762dad3f1cafd39f09ae5de077b04279188cee0b5cebc3117749b2a318a5091.exe
- Size: 189KB
- MD5: ea41b988a9ce1327d07dde97af8c4cd5
- SHA1: d65d0c677bd76ab7003834c37403567956445546
- SHA256: d762dad3f1cafd39f09ae5de077b04279188cee0b5cebc3117749b2a318a5091
- SHA512: 4c8a825af316c55c0710bdd1e5959e6a8044a96392b53ca97be6a72f06d6f052f5741aabfd274f1e72af956d282eedb695714664fb435011b84fd6c4197a81df
- SSDEEP: 3072:3rSeyrweibTVX+3pL3WoN2XFxAg1I2VFUua86U/EKcLA0k2DOx39C4PBA:Oesw3f1cR3F237IqaK/Erk0FDmtvP
Malware Config
Signatures
- YARA rule matches (rule: upx)
  resource                                                                      yara_rule
  behavioral2/memory/5044-134-0x0000000000400000-0x0000000000455000-memory.dmp  upx
  behavioral2/memory/3088-137-0x0000000000400000-0x0000000000455000-memory.dmp  upx
  behavioral2/memory/3352-141-0x0000000000400000-0x0000000000455000-memory.dmp  upx
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 5044 wrote to memory of 3088   5044  d762dad3f1cafd39f09ae5de077b04279188cee0b5cebc3117749b2a318a5091.exe  82
  PID 5044 wrote to memory of 3088   5044  d762dad3f1cafd39f09ae5de077b04279188cee0b5cebc3117749b2a318a5091.exe  82
  PID 5044 wrote to memory of 3088   5044  d762dad3f1cafd39f09ae5de077b04279188cee0b5cebc3117749b2a318a5091.exe  82
  PID 5044 wrote to memory of 3352   5044  d762dad3f1cafd39f09ae5de077b04279188cee0b5cebc3117749b2a318a5091.exe  83
  PID 5044 wrote to memory of 3352   5044  d762dad3f1cafd39f09ae5de077b04279188cee0b5cebc3117749b2a318a5091.exe  83
  PID 5044 wrote to memory of 3352   5044  d762dad3f1cafd39f09ae5de077b04279188cee0b5cebc3117749b2a318a5091.exe  83
Processes
- C:\Users\Admin\AppData\Local\Temp\d762dad3f1cafd39f09ae5de077b04279188cee0b5cebc3117749b2a318a5091.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d762dad3f1cafd39f09ae5de077b04279188cee0b5cebc3117749b2a318a5091.exe"
  PID: 5044
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\d762dad3f1cafd39f09ae5de077b04279188cee0b5cebc3117749b2a318a5091.exe
    command line: C:\Users\Admin\AppData\Local\Temp\d762dad3f1cafd39f09ae5de077b04279188cee0b5cebc3117749b2a318a5091.exe startC:\Program Files (x86)\LP\FFBA\391.exe%C:\Program Files (x86)\LP\FFBA
    PID: 3088
  - C:\Users\Admin\AppData\Local\Temp\d762dad3f1cafd39f09ae5de077b04279188cee0b5cebc3117749b2a318a5091.exe
    command line: C:\Users\Admin\AppData\Local\Temp\d762dad3f1cafd39f09ae5de077b04279188cee0b5cebc3117749b2a318a5091.exe startC:\Users\Admin\AppData\Roaming\AFC72\1CAFF.exe%C:\Users\Admin\AppData\Roaming\AFC72
    PID: 3352