Analysis
  max time kernel: 108s
  max time network: 129s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 30/03/2023, 10:19
Static task: static1
Behavioral task: behavioral1
  Sample: 6d70ca9a416eacdd1be285db56f53d103e93d249ad82d8c50adcfc5efc7085c8.exe
  Resource: win7-20230220-en
General
  Target: 6d70ca9a416eacdd1be285db56f53d103e93d249ad82d8c50adcfc5efc7085c8.exe
  Size: 1.5MB
  MD5: 88849192c25320c6b32cd1b782e13439
  SHA1: 8ffb695f155c66e5b54259b18907fbce95bd4487
  SHA256: 6d70ca9a416eacdd1be285db56f53d103e93d249ad82d8c50adcfc5efc7085c8
  SHA512: a0be04be2b0dcbc474779246ab2f85b1cfeebd0d36e3c6e0b027c7c0365982a35d798be94172c0b2a9b1fee37d12728b81b82d914aebd897b14dcfb28172331a
  SSDEEP: 24576:nzZ46hi1NjKXHxHJjH+W/POx7E8CRums06rhEjg/Hr/xItLJPxRbab0G:nhhzRpjeW/mx7E8hlJ//L6tLvFaIG
Malware Config
Signatures

Loads dropped DLL (3 IoCs)
  pid 4964  6d70ca9a416eacdd1be285db56f53d103e93d249ad82d8c50adcfc5efc7085c8.exe
  pid 4964  6d70ca9a416eacdd1be285db56f53d103e93d249ad82d8c50adcfc5efc7085c8.exe
  pid 4964  6d70ca9a416eacdd1be285db56f53d103e93d249ad82d8c50adcfc5efc7085c8.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops Chrome extension (1 IoCs)
  File created: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\amhnncbbkibilmldeinlbknlmlifkamg\3.4.0.1_0\manifest.json (process: 6d70ca9a416eacdd1be285db56f53d103e93d249ad82d8c50adcfc5efc7085c8.exe)

Drops file in Program Files directory (6 IoCs)
  File created: C:\Program Files (x86)\CFCA\CryptoKitHost.Xencio\amhnncbbkibilmldeinlbknlmlifkamg.zip (process: 6d70ca9a416eacdd1be285db56f53d103e93d249ad82d8c50adcfc5efc7085c8.exe)
  File created: C:\Program Files (x86)\CFCA\CryptoKitHost.Xencio\amhnncbbkibilmldeinlbknlmlifkamg.json (process: 6d70ca9a416eacdd1be285db56f53d103e93d249ad82d8c50adcfc5efc7085c8.exe)
  File opened for modification: C:\Program Files (x86)\CFCA\CryptoKitHost.Xencio\amhnncbbkibilmldeinlbknlmlifkamg.zip (process: 6d70ca9a416eacdd1be285db56f53d103e93d249ad82d8c50adcfc5efc7085c8.exe)
  File opened for modification: C:\Program Files (x86)\CFCA\CryptoKitHost.Xencio\amhnncbbkibilmldeinlbknlmlifkamg.json (process: 6d70ca9a416eacdd1be285db56f53d103e93d249ad82d8c50adcfc5efc7085c8.exe)
  File created: C:\Program Files (x86)\CFCA\CryptoKitHost.Xencio\CryptoKitHost.Xencio.x86.exe (process: 6d70ca9a416eacdd1be285db56f53d103e93d249ad82d8c50adcfc5efc7085c8.exe)
  File created: C:\Program Files (x86)\CFCA\CryptoKitHost.Xencio\com.cfca.CryptoKitHost.Xencio-win.json (process: 6d70ca9a416eacdd1be285db56f53d103e93d249ad82d8c50adcfc5efc7085c8.exe)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 4964  6d70ca9a416eacdd1be285db56f53d103e93d249ad82d8c50adcfc5efc7085c8.exe
  pid 4964  6d70ca9a416eacdd1be285db56f53d103e93d249ad82d8c50adcfc5efc7085c8.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\6d70ca9a416eacdd1be285db56f53d103e93d249ad82d8c50adcfc5efc7085c8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6d70ca9a416eacdd1be285db56f53d103e93d249ad82d8c50adcfc5efc7085c8.exe"
   PID: 4964
   Signatures:
   - Loads dropped DLL
   - Drops Chrome extension
   - Drops file in Program Files directory
   - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads

  Filesize: 1.5MB
  MD5: b9086dfa9511196d59814b0fb377b09a
  SHA1: ec723cd037ec98fc933b3b67a54afb7dd9f8172c
  SHA256: a804304dbbeecb815a9b8b90f071fe50ccec50502eb367f86bfc575db1102e85
  SHA512: 8d847d5096db55ee4744b1091c1cf481069f14e5b3fe4a73e42fff2639b4d520a49341fe1b61f69406b05e5c2d06ff6fc35f1ad73c39844fc3c80b01470411df

  Filesize: 1.5MB
  MD5: b9086dfa9511196d59814b0fb377b09a
  SHA1: ec723cd037ec98fc933b3b67a54afb7dd9f8172c
  SHA256: a804304dbbeecb815a9b8b90f071fe50ccec50502eb367f86bfc575db1102e85
  SHA512: 8d847d5096db55ee4744b1091c1cf481069f14e5b3fe4a73e42fff2639b4d520a49341fe1b61f69406b05e5c2d06ff6fc35f1ad73c39844fc3c80b01470411df

  Filesize: 11KB
  MD5: 959ea64598b9a3e494c00e8fa793be7e
  SHA1: 40f284a3b92c2f04b1038def79579d4b3d066ee0
  SHA256: 03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b
  SHA512: 5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

  Filesize: 66KB
  MD5: 919e51f9624146563ef6ee90c21f14f3
  SHA1: fa492bb48a47dce845c1d392943372a2ea80c4c4
  SHA256: e5e100d598b38ec69d74310003648188500dcd82dd26ff3c5c29dd8d47148005
  SHA512: 1a48bdaef10cbe497782ae694a0174768268326ad9f234fe3fef4eece6ddf811099b90288527c5ff0e6dc0d35d1967931d570b574a80f8d3c5b107845ef83dbc

  Filesize: 66KB
  MD5: 919e51f9624146563ef6ee90c21f14f3
  SHA1: fa492bb48a47dce845c1d392943372a2ea80c4c4
  SHA256: e5e100d598b38ec69d74310003648188500dcd82dd26ff3c5c29dd8d47148005
  SHA512: 1a48bdaef10cbe497782ae694a0174768268326ad9f234fe3fef4eece6ddf811099b90288527c5ff0e6dc0d35d1967931d570b574a80f8d3c5b107845ef83dbc