Analysis
max time kernel: 299s
max time network: 295s
platform: windows10-1703_x64
resource: win10-20231023-en
resource tags: arch:x64, arch:x86, image:win10-20231023-en, locale:en-us, os:windows10-1703-x64, system
submitted: 10/12/2023, 22:35
Static task: static1
Behavioral task: behavioral1
Sample: 920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe
Resource: win7-20231020-en
General
Target: 920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe
Size: 2.3MB
MD5: 9277e82030f3f80d2acb91ca8a2e21bb
SHA1: ea7e13d61fec22537017c241236a418bac2030e1
SHA256: 920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791
SHA512: 6333271a3e1ee84d0d0038c189c326832dabb4f1a4d1e3f8b63b367ff3ee3409d5b386da47ac40a3e6606a0ed69d1d06dccbc32308dc13da243e79e9d360b701
SSDEEP: 49152:7L2s5FXQ4EmojLjCRELVf7Avil+dHIsLp1thIikN+6u2hs8:7pzX71oDCRAZUviAHImDqia7hs8
Malware Config
Extracted: stealc
C2: http://77.91.76.36
url_path: /3886d2276f6914c4.php
Signatures
Downloads MZ/PE file
Executes dropped EXE (2 IoCs)
  PID 3528  Broom.exe
  PID 2952  nsr2EEE.tmp.exe
Loads dropped DLL (6 IoCs)
  PID 3848  920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe (4 events)
  PID 2952  nsr2EEE.tmp.exe (2 events)
Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow ioc: api.ipify.org
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened:        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  (nsr2EEE.tmp.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (nsr2EEE.tmp.exe)
Delays execution with timeout.exe (1 IoC)
  PID 3208  timeout.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2952  nsr2EEE.tmp.exe (2 events)
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3528  Broom.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 3848 (920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe) wrote to memory of 3528 (Broom.exe), procid_target 71 (3 events)
  PID 3848 (920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe) wrote to memory of 2952 (nsr2EEE.tmp.exe), procid_target 72 (3 events)
  PID 2952 (nsr2EEE.tmp.exe) wrote to memory of 64 (cmd.exe), procid_target 75 (3 events)
  PID 64 (cmd.exe) wrote to memory of 3208 (timeout.exe), procid_target 74 (3 events)
Processes
C:\Users\Admin\AppData\Local\Temp\920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe  (PID 3848)
  command line: "C:\Users\Admin\AppData\Local\Temp\920518d1d39ab709e1cd880b133377840aaceb7e25540a548b8134cf4182a791.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Broom.exe  (PID 3528)
      command line: C:\Users\Admin\AppData\Local\Temp\Broom.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Local\Temp\nsr2EEE.tmp.exe  (PID 2952)
      command line: C:\Users\Admin\AppData\Local\Temp\nsr2EEE.tmp.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe  (PID 64)
          command line: "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsr2EEE.tmp.exe" & del "C:\ProgramData\*.dll"" & exit
          - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\timeout.exe  (PID 3208)
  command line: timeout /t 5
  - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 11KB
MD5: a33e5b189842c5867f46566bdbf7a095
SHA1: e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256: 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512: f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Filesize: 301KB
MD5: 31d94817d53eb8e6cf696b62708d2ac3
SHA1: 221c6d910b6a37b201e675d4e8109ac3c717189f
SHA256: b31b07e67bfa6ea31aaeeb458f020d5f99a38b3db975dcb6219768c565f4067c
SHA512: def2ba5aa97b8d68cd2b22e2eb405b6b4f459c6ebd3afb0d3dbf4647a6d0b0c20ecbbc46211a161c56dc0fd9e3051e5f5de36e65a26db89caa8ae9ded073ae51

Filesize: 5.3MB
MD5: 00e93456aa5bcf9f60f84b0c0760a212
SHA1: 6096890893116e75bd46fea0b8c3921ceb33f57d
SHA256: ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504
SHA512: abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

Filesize: 334KB
MD5: 580930ca34bb39e081064bab11f16a97
SHA1: 75afd6b341a833ebec15116da3672b203f81d067
SHA256: aaa8d75cc5a3aadf9d4d3c2c9f45217c85db2804bb9ec7a718319ad80311baf9
SHA512: 2d0e4935a7ccacedb6a4a95077d3658aca1913da001cbb55d3756f3e581d5e2164d136241f86d91828099d8b3c882a68fee34478e041831c1ec9d9d5e1eb75ed

Filesize: 368KB
MD5: 7e55d6f45330c77e48672a138c0c813a
SHA1: 5313c2776bd31d2859d032ff0b8ad4d4b3563409
SHA256: 26ae134b4dd0f458eaa20fdfe0a722e34584eef7a620881f03d5d19046242452
SHA512: ae5e185b54dad23c25a0749390f8da675d9ec752b8292bc8b131c03fbaf57ef2bae27da3d80f727309de48bc72a4faec8bf0e2150c3df48ff5cfdb985f0e8b84

Filesize: 297KB
MD5: c5f2b221c9c74068eadf9e315981059d
SHA1: 9414d3b2bbf48bc3ed589c06647e456892d1ce5c
SHA256: a9a491d5acc79a6b1b718d3325341d711ac86e3edbf3f08c9f5ee52b56673c8b
SHA512: 09b619f2b719099cb3bdace79c2d9ab648c2d884203d753c9120ca91b6360068c2f6f756bfa6d65502bb9b3e03d1ee068fb2df0d8ec16a6cfc1c7d8dbe3f5ace

Filesize: 25KB
MD5: 40d7eca32b2f4d29db98715dd45bfac5
SHA1: 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256: 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512: 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d