Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/12/2023, 10:18
Static task: static1
Behavioral task: behavioral1
- Sample: 16a6955696ef375f1efb1d371cd9928c.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 16a6955696ef375f1efb1d371cd9928c.exe
- Resource: win10v2004-20231215-en
General
- Target: 16a6955696ef375f1efb1d371cd9928c.exe
- Size: 691KB
- MD5: 16a6955696ef375f1efb1d371cd9928c
- SHA1: bade58018b48d16198e2c2a2d3f2ac18f68104ea
- SHA256: 6d5aa16e97689af6d6464aee85edd7160a929a2f0c351b43104eacd0adf1c042
- SHA512: 53f0bd822576faac72b974bebd6c181784801e72207f00a36a9ec129951b4623c23d855db11446fc1c8f84f16c2e51319c3442df85b118e482982d16ea018101
- SSDEEP: 12288:/K3D4lady90jqe0pOSRhSKmXPi5C6oG5F0bLAUEEwPVot1W96P/qtqNA2:OVdyHjRYB/iww0HfEE/tg8GqN9
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid | Process
  2464 | AIDA64~2.EXE
  2352 | AIDA64~2.EXE
  4420 | Keygen.exe
- Loads dropped DLL (4 IoCs)
  pid | Process
  2464 | AIDA64~2.EXE
  2464 | AIDA64~2.EXE
  2464 | AIDA64~2.EXE
  2464 | AIDA64~2.EXE
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- resource | yara_rule
  behavioral2/memory/4420-37-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral2/memory/4420-38-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral2/memory/4420-39-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral2/memory/4420-40-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral2/memory/4420-41-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral2/memory/4420-42-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral2/memory/4420-43-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral2/memory/4420-44-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral2/memory/4420-45-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral2/memory/4420-46-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral2/memory/4420-47-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral2/memory/4420-48-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral2/memory/4420-49-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral2/memory/4420-50-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral2/memory/4420-51-0x0000000000400000-0x000000000044F000-memory.dmp | upx
  behavioral2/memory/4420-52-0x0000000000400000-0x000000000044F000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 16a6955696ef375f1efb1d371cd9928c.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 2464 set thread context of 2352 | 2464 | AIDA64~2.EXE | 27
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: 33 | 4060 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 4060 | AUDIODG.EXE
- Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 4624 wrote to memory of 2464 | 4624 | 16a6955696ef375f1efb1d371cd9928c.exe | 17
  PID 4624 wrote to memory of 2464 | 4624 | 16a6955696ef375f1efb1d371cd9928c.exe | 17
  PID 4624 wrote to memory of 2464 | 4624 | 16a6955696ef375f1efb1d371cd9928c.exe | 17
  PID 2464 wrote to memory of 2352 | 2464 | AIDA64~2.EXE | 27
  PID 2464 wrote to memory of 2352 | 2464 | AIDA64~2.EXE | 27
  PID 2464 wrote to memory of 2352 | 2464 | AIDA64~2.EXE | 27
  PID 2464 wrote to memory of 2352 | 2464 | AIDA64~2.EXE | 27
  PID 2464 wrote to memory of 2352 | 2464 | AIDA64~2.EXE | 27
  PID 2464 wrote to memory of 2352 | 2464 | AIDA64~2.EXE | 27
  PID 2464 wrote to memory of 2352 | 2464 | AIDA64~2.EXE | 27
  PID 2464 wrote to memory of 2352 | 2464 | AIDA64~2.EXE | 27
  PID 2464 wrote to memory of 2352 | 2464 | AIDA64~2.EXE | 27
  PID 4624 wrote to memory of 4420 | 4624 | 16a6955696ef375f1efb1d371cd9928c.exe | 26
  PID 4624 wrote to memory of 4420 | 4624 | 16a6955696ef375f1efb1d371cd9928c.exe | 26
  PID 4624 wrote to memory of 4420 | 4624 | 16a6955696ef375f1efb1d371cd9928c.exe | 26
Processes
- C:\Users\Admin\AppData\Local\Temp\16a6955696ef375f1efb1d371cd9928c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\16a6955696ef375f1efb1d371cd9928c.exe"
  PID: 4624
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AIDA64~2.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AIDA64~2.EXE
    PID: 2464
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\AIDA64~2.EXE
      Command line: C:\Users\Admin\AppData\Roaming\AIDA64~2.EXE
      PID: 2352
      - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Keygen.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Keygen.exe
    PID: 4420
    - Executes dropped EXE
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x394 0x314
  PID: 4060
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 92KB
  MD5: 0bbc14ae915fe43877d5b2d121a1af28
  SHA1: b1cd8ecc199dc16593a19d491fa51e2dfce5300b
  SHA256: 1b84fab9537431cc8387640506793432d0b5be89f4fc8adfa3d7be575e5a3436
  SHA512: 84fb2d862a76b99e72fbd79cd728a99daf8d2c53bdc8bbd696bcbdad6c577e9d7f11903e58ec08b7d64b9f5e212fe38104be8d55c3c723ae8f14bd9c8c179cb0