Analysis
- max time kernel: 142s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 03/02/2023, 19:44
Static task: static1

Behavioral tasks (task: sample, resource)
- behavioral1: Slither x32y 64/Slither.exe, win7-20220812-en
- behavioral2: Slither x32y 64/Slither.exe, win10v2004-20221111-en
- behavioral3: Slither x32y 64/d3dcompiler_47.dll, win7-20220812-en
- behavioral4: Slither x32y 64/d3dcompiler_47.dll, win10v2004-20221111-en
- behavioral5: Slither x32y 64/dxwebsetup.exe, win7-20221111-en
- behavioral6: Slither x32y 64/dxwebsetup.exe, win10v2004-20220812-en
- behavioral7: Slither x32y 64/ffmpeg.dll, win7-20220901-en
- behavioral8: Slither x32y 64/ffmpeg.dll, win10v2004-20220812-en
- behavioral9: Slither x32y 64/libEGL.dll, win7-20221111-en
- behavioral10: Slither x32y 64/libEGL.dll, win10v2004-20220812-en
- behavioral11: Slither x32y 64/libGLESv2.dll, win7-20221111-en
- behavioral12: Slither x32y 64/libGLESv2.dll, win10v2004-20221111-en
- behavioral13: Slither x32y 64/natives_blob.js, win7-20220812-en
- behavioral14: Slither x32y 64/natives_blob.js, win10v2004-20220901-en
- behavioral15: Slither x32y 64/node.dll, win7-20220812-en
- behavioral16: Slither x32y 64/node.dll, win10v2004-20221111-en
- behavioral17: Slither x32y 64/nw.dll, win7-20220812-en
- behavioral18: Slither x32y 64/nw.dll, win10v2004-20221111-en
- behavioral19: Slither x32y 64/nw.exe, win7-20221111-en
- behavioral20: Slither x32y 64/nw.exe, win10v2004-20220812-en
- behavioral21: Slither x32y 64/nw_100_percent.js, win7-20220901-en
- behavioral22: Slither x32y 64/nw_100_percent.js, win10v2004-20221111-en
- behavioral23: Slither x32y 64/nw_200_percent.js, win7-20221111-en
- behavioral24: Slither x32y 64/nw_200_percent.js, win10v2004-20220812-en
- behavioral25: Slither x32y 64/nw_elf.dll, win7-20220812-en
- behavioral26: Slither x32y 64/nw_elf.dll, win10v2004-20221111-en
- behavioral27: Slither x32y 64/resources.js, win7-20220901-en
- behavioral28: Slither x32y 64/resources.js, win10v2004-20220812-en
General
- Target: Slither x32y 64/nw.exe
- Size: 1.2MB
- MD5: 1e0a6531ac049218b21117bae9f1c97c
- SHA1: d84a9b8027b137798763a2719b10511200c803ed
- SHA256: 6ce31b657cd28cdd5bf665cf7dd45ccf235a8031d16134ec868f84875f9ef553
- SHA512: e9f0d55b66e6f4bef41252e4853610d95c22c05868f8de86da9545b19020123934f606cf5000634333b505325b3a930e820bc631140c3d189f21b2b861818a65
- SSDEEP: 24576:QhbjXbCjgIv4An+9LPiG0WBliA/DlrmqyDjG5:2bXCj6AWPiY2A/DsO5
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\International\Geo\Nation | Process: nw.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 1692, Process nw.exe (two events)
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 1692, Process nw.exe
- Suspicious use of WriteProcessMemory (24 IoCs; each row below is recorded four times)
  description | pid | Process | procid_target
  PID 1692 wrote to memory of 1956 | 1692 | nw.exe | 28
  PID 1692 wrote to memory of 1008 | 1692 | nw.exe | 29
  PID 1692 wrote to memory of 1684 | 1692 | nw.exe | 30
  PID 1692 wrote to memory of 1340 | 1692 | nw.exe | 32
  PID 1692 wrote to memory of 1688 | 1692 | nw.exe | 34
  PID 1692 wrote to memory of 528 | 1692 | nw.exe | 35
Processes (image path, command line, PID; indentation shows parent/child)
- "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe" (PID 1692)
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe" --type=crashpad-handler /prefetch:7 --no-rate-limit --database=C:\Users\Admin\AppData\Local\Crashpad --annotation=channel= --annotation=plat=Win32 --annotation=prod=nwjs --annotation=ver=-devel --handshake-handle=0xb8 (PID 1956)
  - "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe" --type=gpu-process --channel="1692.0.317959510\70652472" --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" --disable-breakpad --supports-dual-gpus=false --gpu-driver-bug-workarounds=3,11,25,54 --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" /prefetch:2 (PID 1008)
  - "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe" --type=utility --channel="1692.1.1653881189\1474360314" --lang=en-US --no-sandbox --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" /prefetch:8 (PID 1684)
  - "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe" --type=renderer --no-sandbox --enable-features=AutomaticTabDiscarding<AutomaticTabDiscarding --lang=en-US --force-fieldtrials=AsyncSetAsDefault/Enabled/AutofillClassifier/Enabled/AutofillFieldMetadata/Enabled/AutofillProfileOrderByFrecency/EnabledLimitTo3/*AutomaticTabDiscarding/Enabled_Once/*BrowserBlacklist/Enabled/CaptivePortalInterstitial/Enabled/ChildAccountDetection/Disabled/ChromeDashboard/Enabled/ChromotingQUIC/Enabled/*DataReductionProxyConfigService/Enabled/EnableGoogleCachedCopyTextExperiment/Button/EnableSessionCrashedBubbleUI/Enabled/*ExtensionActionRedesign/Enabled/ExtensionContentVerification/Enforce/ExtensionInstallVerification/Enforce/GoogleNow/Enable/IconNTP/Default/InstanceID/Enabled/IntelligentSessionRestore/Enabled/MaterialDesignDownloads/Enabled/*NetworkQualityEstimator/Enabled/*NewProfileManagement/Enabled/PasswordBranding/SmartLockBrandingSavePromptOnly/PasswordGeneration/Disabled/*QUIC/Enabled/RefreshTokenDeviceId/Enabled/ReportCertificateErrors/ShowAndPossiblySend/SRTPromptFieldTrial/On/SafeBrowsingReportPhishingErrorLink/Enabled/SafeBrowsingUnverifiedDownloads/DisableByParameterExe/SafeBrowsingUpdateFrequency/UpdateTime15m/SdchPersistence/Enabled/*SettingsEnforcement/enforce_always_with_extensions_and_dse/SpdyEnableDependencies/Enable/StrictSecureCookies/Enabled/SyncHttpContentCompression/Enabled/TabSyncByRecency/Enabled/*TriggeredResetFieldTrial/On/UseDelayAgnosticAEC/DefaultEnabled/VarationsServiceControl/Interval_30min/WebFontsIntervention/Enabled/WebRTC-LocalIPPermissionCheck/Enabled/WebRTC-PeerConnectionDTLS1.2/Enabled/ --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" --nwjs --extension-process --enable-webrtc-hw-h264-encoding --disable-client-side-phishing-detection --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=1 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553 --channel="1692.2.651161324\1868431757" /prefetch:1 (PID 1340)
  - "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe" --type=utility --channel="1692.3.767393763\430711649" --lang=en-US --no-sandbox --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" /prefetch:8 (PID 1688)
  - "C:\Users\Admin\AppData\Local\Temp\Slither x32y 64\nw.exe" --type=utility --channel="1692.4.909113253\1697046899" --lang=en-US --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Slither.io\User Data" /prefetch:8 (PID 528)
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 266B
  MD5: 84bb710132bbb463b77a9124f75ab96f
  SHA1: 91d52b1715f1412085e1399ea1cb84102e4fde32
  SHA256: e7aae5db89eb481122673d13c7db75044a423c98ca3e9dc75c1b2e5d64a48b8b
  SHA512: 98d16db768fbe48402c61eba4c7a7eefbd75d73f5656abf500dfe40c14c03a6bcb269e131eaf2fdd8695778f1ae7fe9ac59a24876bb2d17cd60786ca7f805045
- Filesize: 346B
  MD5: 63fc5357f5a7e052f351c0d900245aa2
  SHA1: 02f8cd9f1ea98dd102e0438b2decb81c8d22ca5c
  SHA256: 3961ccb8241584987dd4054c2c8cf767e7de804380405f7bedcc5935108a1d8d
  SHA512: 386032cba5ed62436398fc7bdd9d27c96f7401a24728f4e4697b6107e01de2f6bdae1a8d283906600707711bf438a957ce8565a7af799e30df2f4355fbf300a0
- Filesize: 426B
  MD5: 1badcabd65a271d11ce246013cca8be3
  SHA1: 7a4393bb7019fd4535891f75ce735ab50de34fe4
  SHA256: beb8f73805345855d71088335b04dd3dde6d9a7eae9706dc380d2b091633373e
  SHA512: d6241b0235cade9ba5af61e8468ec385f8978f921397bacf8e0f3a92ed336fd3ab461ed5f9f84325651866f819baa5923a718346f4c30f724b4e4c9979f5ed36