Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    91s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/12/2022, 00:21

General

  • Target

    f42025f3717afc5f21441be0442c967be5c7295588032ed57671aa397ed9082b.exe

  • Size

    334KB

  • MD5

    00bc38fbf289a811cb24613ff60bab42

  • SHA1

    0d561c6ac510b23de55bff15d76c94a8bebbbfdf

  • SHA256

    f42025f3717afc5f21441be0442c967be5c7295588032ed57671aa397ed9082b

  • SHA512

    bbbb98b21c6db03ed972d9276cc03b2ffbec80e79e37c64d7d362e0dc1c68ab29ee9fcbe7079111874056f63357905b1d7fa78faf7902efa1cfb31244c680ed8

  • SSDEEP

    6144:4Ien0hLNtfHHm/TNznY+zV0p5rARYP0NA1mwoomzg3CgmCwxU0V6:4Ien8XsTNDzVqgYPAwooNSgmvCO

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f42025f3717afc5f21441be0442c967be5c7295588032ed57671aa397ed9082b.exe
    "C:\Users\Admin\AppData\Local\Temp\f42025f3717afc5f21441be0442c967be5c7295588032ed57671aa397ed9082b.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2876
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 1972
      2⤵
      • Program crash
      PID:5092
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2876 -ip 2876
    1⤵
      PID:1136

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2876-132-0x00000000005E2000-0x0000000000610000-memory.dmp

      Filesize

      184KB

    • memory/2876-133-0x00000000020E0000-0x000000000212B000-memory.dmp

      Filesize

      300KB

    • memory/2876-134-0x0000000000400000-0x000000000047D000-memory.dmp

      Filesize

      500KB

    • memory/2876-135-0x0000000004C90000-0x0000000005234000-memory.dmp

      Filesize

      5.6MB

    • memory/2876-136-0x0000000005240000-0x0000000005858000-memory.dmp

      Filesize

      6.1MB

    • memory/2876-137-0x0000000004B30000-0x0000000004C3A000-memory.dmp

      Filesize

      1.0MB

    • memory/2876-138-0x0000000005860000-0x0000000005872000-memory.dmp

      Filesize

      72KB

    • memory/2876-139-0x0000000005880000-0x00000000058BC000-memory.dmp

      Filesize

      240KB

    • memory/2876-140-0x0000000005B60000-0x0000000005BF2000-memory.dmp

      Filesize

      584KB

    • memory/2876-141-0x0000000005C00000-0x0000000005C66000-memory.dmp

      Filesize

      408KB

    • memory/2876-142-0x00000000005E2000-0x0000000000610000-memory.dmp

      Filesize

      184KB

    • memory/2876-143-0x00000000062F0000-0x0000000006366000-memory.dmp

      Filesize

      472KB

    • memory/2876-144-0x0000000006380000-0x00000000063D0000-memory.dmp

      Filesize

      320KB

    • memory/2876-145-0x0000000006530000-0x00000000066F2000-memory.dmp

      Filesize

      1.8MB

    • memory/2876-146-0x0000000006700000-0x0000000006C2C000-memory.dmp

      Filesize

      5.2MB

    • memory/2876-147-0x0000000000400000-0x000000000047D000-memory.dmp

      Filesize

      500KB