Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

b63018530a...59.exe

windows7-x64

8

b63018530a...59.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    132s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/12/2022, 08:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b63018530ae196c69a61d921d085fc2f99b1f5519ef71016722cc2cd3e083159.exe

  • Size

    7.1MB

  • MD5

    73f93de9122c1cb5ab2114a48ac89aa5

  • SHA1

    7c7e89120c223757cd56444dd59038ce7d51cc1d

  • SHA256

    b63018530ae196c69a61d921d085fc2f99b1f5519ef71016722cc2cd3e083159

  • SHA512

    dd98dcc58f123b43bc3fd9ff08e1e721780de32f99ace9bacbe1cdd7d1fcd6ef0d271cd2c4fd6c3d23455a95d171af1cfa40c6946ebccb40a89fa56630106f52

  • SSDEEP

    12288:eOdKn0MN4QLAgiEQRSWeFhYaUBm4tlTcVt1NAXo0ntZt7r457iY3ziFitiEj8mJM:uLt8sz8w8AneH9dkKEYju8z2Lx5v

Score
8/10
spywarestealer

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b63018530ae196c69a61d921d085fc2f99b1f5519ef71016722cc2cd3e083159.exe
    "C:\Users\Admin\AppData\Local\Temp\b63018530ae196c69a61d921d085fc2f99b1f5519ef71016722cc2cd3e083159.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MihJq.exe.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MihJq.exe.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4488
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dzyaI.exe.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dzyaI.exe.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:5108
        • C:\Users\Admin\AppData\Roaming\Atom Emulator.exe
          "C:\Users\Admin\AppData\Roaming\Atom Emulator.exe"
          4⤵
          • Executes dropped EXE
          PID:4332
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 836
            5⤵
            • Program crash
            PID:1408
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4332 -ip 4332
    1⤵
      PID:1092

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Atom Emulator.exe
      Filesize

      637KB

      MD5

      107bf383b07a008456b2d085b51df2c8

      SHA1

      e1f1447d8950fead479107b3c2978d9bcec983f8

      SHA256

      95b38d035612054ca7cd6ddececf23636ce245bf28175b20aff9203bff600c95

      SHA512

      6acfca84a74e0daf756edea58383095cd8441e0eb7045a3dafac1369a7fe643729cc1138a12685b17a457715226817bc2aef4d4f496b01685dc79770e844c7cd

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Atom Emulator.exe
      Filesize

      637KB

      MD5

      107bf383b07a008456b2d085b51df2c8

      SHA1

      e1f1447d8950fead479107b3c2978d9bcec983f8

      SHA256

      95b38d035612054ca7cd6ddececf23636ce245bf28175b20aff9203bff600c95

      SHA512

      6acfca84a74e0daf756edea58383095cd8441e0eb7045a3dafac1369a7fe643729cc1138a12685b17a457715226817bc2aef4d4f496b01685dc79770e844c7cd

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MihJq.exe.exe
      Filesize

      2.6MB

      MD5

      001292623404de06887a7013b6616003

      SHA1

      f10585236c54c9cec593e9060760ef033c5115cb

      SHA256

      438e247e83964178b593601115baa1097fddbee48d01c8e1baa918d67dd5542f

      SHA512

      1b9bc2114a1201def741a7e0a0259d061c9bcb4f7b2c45811f30aeac2a9771ff5ae6b38a1de733aa83dc2fd7c0ba5ba6388dae6e2568892fbefe922e4deda8d9

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MihJq.exe.exe
      Filesize

      2.6MB

      MD5

      001292623404de06887a7013b6616003

      SHA1

      f10585236c54c9cec593e9060760ef033c5115cb

      SHA256

      438e247e83964178b593601115baa1097fddbee48d01c8e1baa918d67dd5542f

      SHA512

      1b9bc2114a1201def741a7e0a0259d061c9bcb4f7b2c45811f30aeac2a9771ff5ae6b38a1de733aa83dc2fd7c0ba5ba6388dae6e2568892fbefe922e4deda8d9

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dzyaI.exe.exe
      Filesize

      1000KB

      MD5

      d528837382ba279d7defbeaaf35a46d5

      SHA1

      1fcab0afd56c2219b90b3bc218001d60a7e37c7d

      SHA256

      a05108f66d4b01a1f00448ff5e730e644cedf226a142d86fdf497234a18b0337

      SHA512

      f3c575f48cc5c7eb6cc349e1a74bf6969ff51c31db48e55723e20d59587ad60fc4085fe8a66d50fa08b27c8f2f3dddf9b473c94eff30e86fd6fb23975efb881b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dzyaI.exe.exe
      Filesize

      1000KB

      MD5

      d528837382ba279d7defbeaaf35a46d5

      SHA1

      1fcab0afd56c2219b90b3bc218001d60a7e37c7d

      SHA256

      a05108f66d4b01a1f00448ff5e730e644cedf226a142d86fdf497234a18b0337

      SHA512

      f3c575f48cc5c7eb6cc349e1a74bf6969ff51c31db48e55723e20d59587ad60fc4085fe8a66d50fa08b27c8f2f3dddf9b473c94eff30e86fd6fb23975efb881b

      Download Submit

    • memory/1716-132-0x00007FFFCD420000-0x00007FFFCDE56000-memory.dmp

      Filesize

      10.2MB

      Download

    • memory/4332-143-0x0000000000270000-0x0000000000314000-memory.dmp

      Filesize

      656KB

      Download

    • memory/4488-136-0x00007FFFCD420000-0x00007FFFCDE56000-memory.dmp

      Filesize

      10.2MB

      Download