Analysis
max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/11/2023, 12:33
Static task: static1
General
Target: 57670e593096256bace1389baa04c0df363f579fce821ff0753d05f065572b32.exe
Size: 291KB
MD5: 263b12572c3cbd3f3246e83830b483ea
SHA1: 0b41345bf0979f5c48a0106435b217baf7169a13
SHA256: 57670e593096256bace1389baa04c0df363f579fce821ff0753d05f065572b32
SHA512: f5a87bdf013c8ff8d11e72dceb987faefd465411625339246c3db3bccd11e2a30f425319b3b95567ae528ab429604c7cfc02a722b76eee152c271a56f0920902
SSDEEP: 3072:l/i4ZL0n61v3bFLi3tuUawvWwO/UVD/gd+6FoddKRqybq39i3vb:lhLs61D83tuovWwOyrgdxF2y2M
Malware Config
Extracted
Family: stealc
C2: http://bernardofata.icu
url_path: /40d570f44e84a454.php
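The extracted config gives the two pieces of the Stealc gate: the C2 base and the PHP path. The following is an added example, not code from tria.ge or from the sample, that joins them into the full beacon URL and matches the resulting indicators against proxy log lines. The log format and the log lines themselves are constructed for the example; the config values are the ones extracted above.

```python
"""Added example, not code from tria.ge or from the Stealc sample:
build hunting indicators from the extracted config above and match
them against proxy log lines. The log format below is constructed."""
from urllib.parse import urlsplit

# Config values exactly as extracted in the report above.
STEALC_CONFIG = {
    "c2": "http://bernardofata.icu",
    "url_path": "/40d570f44e84a454.php",
}


def c2_url(cfg=STEALC_CONFIG):
    """Join the C2 base and the gate path into the full beacon URL."""
    return cfg["c2"].rstrip("/") + "/" + cfg["url_path"].lstrip("/")


def c2_host(cfg=STEALC_CONFIG):
    """Hostname to block or watch, independent of the gate path."""
    return urlsplit(cfg["c2"]).hostname


def _parse(line):
    """Constructed proxy log shape: '<ts> <src> <method> <url> <status>'."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, method, url, status = parts
    return {"ts": ts, "src": src, "method": method, "url": url, "status": status}


def hunt(log_text, cfg=STEALC_CONFIG):
    """Return one hit per line that talks to the Stealc C2.

    'c2-url'  : the exact gate URL from the config (high confidence)
    'c2-host' : any other request to the C2 host (worth a look; the
                report also notes that the sample downloads a PE file)
    """
    url = c2_url(cfg)
    host = c2_host(cfg)
    hits = []
    for line in log_text.splitlines():
        rec = _parse(line)
        if rec is None:
            continue
        req_host = urlsplit(rec["url"]).hostname or ""
        if rec["url"] == url:
            reason = "c2-url"
        elif req_host == host or req_host.endswith("." + host):
            reason = "c2-host"
        else:
            continue
        hits.append({"src": rec["src"], "url": rec["url"], "reason": reason})
    return hits


# Constructed sample traffic; not taken from the report's network capture.
SAMPLE_LOG = """\
2023-11-17T12:34:01Z 10.0.0.5 POST http://bernardofata.icu/40d570f44e84a454.php 200
2023-11-17T12:34:03Z 10.0.0.5 GET http://bernardofata.icu/some_other_path 200
2023-11-17T12:35:00Z 10.0.0.7 GET http://www.example.com/index.html 200
"""

if __name__ == "__main__":
    print("C2 URL :", c2_url())
    print("C2 host:", c2_host())
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['url']} [{hit['reason']}]")
```

The exact-URL match is the high-confidence signal; the host-level match is there because a gate path is cheap for the operator to rotate while the domain tends to live longer, so both are worth carrying into a blocklist.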
Signatures
- Downloads MZ/PE file
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandbox environments.
  description        ioc                                                                                    process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  57670e593096256bace1389baa04c0df363f579fce821ff0753d05f065572b32.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      57670e593096256bace1389baa04c0df363f579fce821ff0753d05f065572b32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  4176  57670e593096256bace1389baa04c0df363f579fce821ff0753d05f065572b32.exe
  4176  57670e593096256bace1389baa04c0df363f579fce821ff0753d05f065572b32.exe
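The CentralProcessor read above is the fingerprinting step: a sample that reads ProcessorNameString can bail out when the string names a hypervisor rather than real silicon. The block below is an added example, not code from tria.ge or from Stealc. It reads the same value on Windows (and returns None elsewhere), applies a small marker list to decide whether a CPU name would give a sandbox away, and parses rows shaped like the report's IoC table to tag each touched key with the discovery it serves, covering both the processor check and the Uninstall-key software enumeration listed above. The marker list, the sample CPU names and the key-to-technique mapping are my own assumptions, not the report's.

```python
"""Added example, not from tria.ge or from Stealc: what the sample learns
from the CentralProcessor read listed above, and how to tag that IoC
during triage. Marker list, sample values and mapping are my own."""
import re
import sys

# Registry location the sample opened and the value it queried (from the report).
CPU_KEY = r"HARDWARE\DESCRIPTION\System\CentralProcessor\0"
CPU_VALUE = "ProcessorNameString"

# Substrings hypervisors commonly leave in the CPU name.
# Assumption: illustrative, not exhaustive.
VM_MARKERS = ("qemu", "virtual cpu", "kvm", "bochs", "vmware", "xen")

# One row of the report's IoC table: '<action> <key path> <process>'.
IOC_LINE = re.compile(r"^(Key value queried|Key opened)\s+(\\\S+)\s+(\S+)$")

SAMPLE_EXE = "57670e593096256bace1389baa04c0df363f579fce821ff0753d05f065572b32.exe"

# The two IoC rows from the report, in the flattened shape they appear in.
REPORT_IOCS = [
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString " + SAMPLE_EXE,
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 " + SAMPLE_EXE,
]

# Constructed CPU names: one that looks like bare metal, one a hypervisor default.
CPU_NAMES = [
    "Intel(R) Core(TM) i7-9700K CPU @ 3.00GHz",
    "QEMU Virtual CPU version 2.5+",
]


def read_processor_name():
    """Read the same value the sample reads. Windows only; None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # stdlib, Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CPU_KEY) as key:
        value, _ = winreg.QueryValueEx(key, CPU_VALUE)
    return value


def looks_virtualized(processor_name):
    """True if the CPU name would give a sandbox away to this kind of check."""
    lowered = processor_name.lower()
    return any(marker in lowered for marker in VM_MARKERS)


def parse_ioc_line(line):
    """Split one IoC row into action, key path and process; None if malformed."""
    m = IOC_LINE.match(line.strip())
    if not m:
        return None
    return {"action": m.group(1), "key": m.group(2), "process": m.group(3)}


def classify_key(key_path):
    """Map a touched key to the discovery it serves (my mapping, not the report's)."""
    upper = key_path.upper()
    if "\\CENTRALPROCESSOR\\" in upper:
        return "hardware fingerprint (sandbox detection)"
    if "\\UNINSTALL" in upper:
        return "installed-software enumeration"
    return "unclassified"


def triage(ioc_lines):
    """Parse and tag every well-formed IoC row."""
    findings = []
    for line in ioc_lines:
        rec = parse_ioc_line(line)
        if rec is not None:
            rec["technique"] = classify_key(rec["key"])
            findings.append(rec)
    return findings


if __name__ == "__main__":
    live = read_processor_name()
    for name in ([live] if live else []) + CPU_NAMES:
        print(f"{'VM-like ' if looks_virtualized(name) else 'bare    '} {name}")
    for f in triage(REPORT_IOCS):
        print(f"{f['action']:<18} {f['technique']:<42} {f['key']}")
```

On a sandbox host, run it once and check the first line: if the live ProcessorNameString trips the marker list, any sample doing the same read gets a free exit before it ever contacts its C2, and the analysis report will look clean for the wrong reason.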
Processes
- C:\Users\Admin\AppData\Local\Temp\57670e593096256bace1389baa04c0df363f579fce821ff0753d05f065572b32.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\57670e593096256bace1389baa04c0df363f579fce821ff0753d05f065572b32.exe"
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID: 4176