Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/02/2023, 03:31
Static task
static1
General
Target: 234683db8d7e87066baa0610a3ba6751e09bd4a5cdb585007d5672610cc2485e.exe
Size: 395KB
MD5: 8a99a69aab606f768af29ed38f4a9ff7
SHA1: ae25503060f9de186a79a3a3b5731c6d80e0a87d
SHA256: 234683db8d7e87066baa0610a3ba6751e09bd4a5cdb585007d5672610cc2485e
SHA512: 41e030dbe68df6d6d00b232d9856d4a337c97d74a832f51193d8aa85fda92fddd55a67acd5688f40787c558c29c3d02b7c1ae821cc31ebdca00acf9b1669cf56
SSDEEP: 6144:A1TLPMmwwRni0heo2E292Qm0hbhmqMoISfD8M:ANzVwwRnSo2E29gc8qM6
Malware Config
Signatures
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Program crash (1 IoCs)
pid   pid_target   Process        procid_target
112   5012         WerFault.exe   80
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid    Process
5012   234683db8d7e87066baa0610a3ba6751e09bd4a5cdb585007d5672610cc2485e.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description                pid    Process
Token: SeDebugPrivilege    5012   234683db8d7e87066baa0610a3ba6751e09bd4a5cdb585007d5672610cc2485e.exe
Processes
C:\Users\Admin\AppData\Local\Temp\234683db8d7e87066baa0610a3ba6751e09bd4a5cdb585007d5672610cc2485e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\234683db8d7e87066baa0610a3ba6751e09bd4a5cdb585007d5672610cc2485e.exe"
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  PID: 5012
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1224
    Program crash
    PID: 112
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5012 -ip 5012
  PID: 260