Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
17/12/2022, 05:50
General
-
Target
file.exe
-
Size
214KB
-
MD5
3d4cd52e8e5441316bfc75506538db5f
-
SHA1
71621526e085564e39870ff859bf36cca966d6bc
-
SHA256
fdaa4f46ebd14a3ed7656f8b22ff2cd2bdfe32f26c35c9ae5d78f5275f06bc6d
-
SHA512
22baff1e9893b6260238e4e0599ab62e8874e1dd0a6af5b23375955f2558759bece435424c9edeae84f7b9373a167aa9916f8cda481ca9e855d26a8a98957f25
-
SSDEEP
3072:ALMBjmLc5PqBaTRDrZ+ZFh3u0xOEVV0eggLszei+Ya40zwUzQRKF+:cMoLc5PdMZFXEEQegggzxW40M2b
Malware Config
Signatures
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 50 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\CE32.exeC:\Users\Admin\AppData\Local\Temp\CE32.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Eewfhetyyyrtfpd.exe"C:\Users\Admin\AppData\Local\Temp\Eewfhetyyyrtfpd.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#612⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 12963⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 11642⤵
- Program crash
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --no-default-browser-check --silent-launch --disable-backgrounding-occluded-windows --disable-background-timer-throttling --ran-launcher --profile-directory="Default"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0f364f50,0x7ffd0f364f60,0x7ffd0f364f702⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,5758957730612275364,12528078793716422612,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1608 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,5758957730612275364,12528078793716422612,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1828 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,5758957730612275364,12528078793716422612,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2452 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,5758957730612275364,12528078793716422612,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3548 /prefetch:82⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 884 -s 36082⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\EBAE.exeC:\Users\Admin\AppData\Local\Temp\EBAE.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 2722⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3756 -ip 37561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3736 -ip 37361⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 476 -p 884 -ip 8841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3948 -ip 39481⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.6MB
MD57bca245090dace95e87bb3d9b230c4d7
SHA183e13902c00fd1a621dcd96a36c8862ff0b61606
SHA256ba21117d135d43225c06751e0b8ac91522b765442984d097cedcd7386ab81dac
SHA512f306d838e4380c516aed968aaea87524d4ccf6bad9a17d85a3f8f8fa6d90042b8b2d8e67d3aff4bda63ee5759a6369a7d5aca3aaa97e0d5c5f8149c79ecb2abc
-
Filesize
5.6MB
MD57bca245090dace95e87bb3d9b230c4d7
SHA183e13902c00fd1a621dcd96a36c8862ff0b61606
SHA256ba21117d135d43225c06751e0b8ac91522b765442984d097cedcd7386ab81dac
SHA512f306d838e4380c516aed968aaea87524d4ccf6bad9a17d85a3f8f8fa6d90042b8b2d8e67d3aff4bda63ee5759a6369a7d5aca3aaa97e0d5c5f8149c79ecb2abc
-
Filesize
1.4MB
MD51ea8aaf997bbebac62ec8031d9304100
SHA1e8b7a1aeae449fc28310c8244bc6940d94adabb6
SHA256bf52f8def7e804055268e9f17bd8fc91edea479e7d719f9335035bfc71ef21bd
SHA51204217d1f733e56ce32aa96758941ebd6171242f7ff3f7ed8694247aae61a9b6d1b2fa1d0477612acda5a60a32f47af690dce7fdc4c388d337ddf5fce12335b96
-
Filesize
1.4MB
MD51ea8aaf997bbebac62ec8031d9304100
SHA1e8b7a1aeae449fc28310c8244bc6940d94adabb6
SHA256bf52f8def7e804055268e9f17bd8fc91edea479e7d719f9335035bfc71ef21bd
SHA51204217d1f733e56ce32aa96758941ebd6171242f7ff3f7ed8694247aae61a9b6d1b2fa1d0477612acda5a60a32f47af690dce7fdc4c388d337ddf5fce12335b96
-
Filesize
2.4MB
MD5e7053575255acd45d4213d866123dbaf
SHA195fa5a2178eb1dd6a445685b3ab2905c11045d0c
SHA256794be0b98421623959185a060092be697fa695a73268ab8a46c7ab12655df62b
SHA512e934ae1bb4cef1e71cf1905655bcb5979f8f70944817de88204d8bebf3a36300b7b282d0bd711cc41ae5e69f91b6e14576b7a8098ee283d29bdb451d98238401
-
Filesize
2.4MB
MD5e7053575255acd45d4213d866123dbaf
SHA195fa5a2178eb1dd6a445685b3ab2905c11045d0c
SHA256794be0b98421623959185a060092be697fa695a73268ab8a46c7ab12655df62b
SHA512e934ae1bb4cef1e71cf1905655bcb5979f8f70944817de88204d8bebf3a36300b7b282d0bd711cc41ae5e69f91b6e14576b7a8098ee283d29bdb451d98238401
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.4MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.4MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.4MB
-
Filesize
328KB
-
Filesize
68KB
-
Filesize
328KB
-
Filesize
36KB
-
Filesize
1.2MB
-
Filesize
6.0MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
1.2MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
7.1MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
7.1MB
-
Filesize
5.4MB
-
Filesize
5.7MB
-
Filesize
5.7MB