Analysis
- max time kernel: 206s
- max time network: 233s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/12/2023, 13:46
Behavioral task: behavioral1
- Sample: 22db929365b57752f6181d4b23016241.exe
- Resource: win7-20231129-en
General
- Target: 22db929365b57752f6181d4b23016241.exe
- Size: 33KB
- MD5: 22db929365b57752f6181d4b23016241
- SHA1: 30efa866aea90cf92998826c113d08b4e9f66d2f
- SHA256: 39fe6cf655f0881af0b3ba2a02e7b2803ca195788279f177696dbc6c1be77eb8
- SHA512: d1ae032f4c41668709cc0630c35e80325443155319d4a4c4044ab595d6cd729660f5c40c160d5cddd0892ac937af5a0351b059b4b5603a979de000f2e0b358c2
- SSDEEP: 768:UnykwyDKF0Pw95DDaxq56pv4tZiR+T0vjFfbM:Unyk9ojmpp8a+T0Fb
Malware Config
Signatures
- Stops running service(s) (3 TTPs)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- YARA rule matches (UPX):
  resource | yara_rule
  behavioral2/memory/4056-0-0x0000000000400000-0x0000000000416000-memory.dmp | upx
  behavioral2/memory/4056-5-0x0000000000400000-0x0000000000416000-memory.dmp | upx
- Drops file in System32 directory (11 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\yuksuser.dll | 22db929365b57752f6181d4b23016241.exe
  File created | C:\Windows\SysWOW64\dllcache\midimap.dll | 22db929365b57752f6181d4b23016241.exe
  File created | C:\Windows\SysWOW64\yumsimg32.dll | 22db929365b57752f6181d4b23016241.exe
  File created | C:\Windows\SysWOW64\msimg32.dll | 22db929365b57752f6181d4b23016241.exe
  File created | C:\Windows\SysWOW64\dllcache\msimg32.dll | 22db929365b57752f6181d4b23016241.exe
  File created | C:\Windows\SysWOW64\gggapp23.dll | 22db929365b57752f6181d4b23016241.exe
  File created | C:\Windows\SysWOW64\yuksuser.dll | 22db929365b57752f6181d4b23016241.exe
  File created | C:\Windows\SysWOW64\ksuser.dll | 22db929365b57752f6181d4b23016241.exe
  File created | C:\Windows\SysWOW64\dllcache\ksuser.dll | 22db929365b57752f6181d4b23016241.exe
  File created | C:\Windows\SysWOW64\yumidimap.dll | 22db929365b57752f6181d4b23016241.exe
  File created | C:\Windows\SysWOW64\midimap.dll | 22db929365b57752f6181d4b23016241.exe
- Launches sc.exe (2 IoCs)
  sc.exe is a Windows utility to control services on the system.
  pid | Process
  2292 | sc.exe
  1472 | sc.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  4056 | 22db929365b57752f6181d4b23016241.exe
  4056 | 22db929365b57752f6181d4b23016241.exe
  4056 | 22db929365b57752f6181d4b23016241.exe
  4056 | 22db929365b57752f6181d4b23016241.exe
  4056 | 22db929365b57752f6181d4b23016241.exe
  4056 | 22db929365b57752f6181d4b23016241.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  4056 | 22db929365b57752f6181d4b23016241.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 4056 wrote to memory of 3612 | 4056 | 22db929365b57752f6181d4b23016241.exe | 90
  PID 4056 wrote to memory of 3612 | 4056 | 22db929365b57752f6181d4b23016241.exe | 90
  PID 4056 wrote to memory of 3612 | 4056 | 22db929365b57752f6181d4b23016241.exe | 90
  PID 4056 wrote to memory of 1472 | 4056 | 22db929365b57752f6181d4b23016241.exe | 92
  PID 4056 wrote to memory of 1472 | 4056 | 22db929365b57752f6181d4b23016241.exe | 92
  PID 4056 wrote to memory of 1472 | 4056 | 22db929365b57752f6181d4b23016241.exe | 92
  PID 4056 wrote to memory of 2292 | 4056 | 22db929365b57752f6181d4b23016241.exe | 91
  PID 4056 wrote to memory of 2292 | 4056 | 22db929365b57752f6181d4b23016241.exe | 91
  PID 4056 wrote to memory of 2292 | 4056 | 22db929365b57752f6181d4b23016241.exe | 91
  PID 3612 wrote to memory of 1520 | 3612 | net.exe | 97
  PID 3612 wrote to memory of 1520 | 3612 | net.exe | 97
  PID 3612 wrote to memory of 1520 | 3612 | net.exe | 97
Processes
- C:\Users\Admin\AppData\Local\Temp\22db929365b57752f6181d4b23016241.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\22db929365b57752f6181d4b23016241.exe"
  PID: 4056
  Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\net.exe
    Command line: net stop cryptsvc
    PID: 3612
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop cryptsvc
      PID: 1520
  - C:\Windows\SysWOW64\sc.exe
    Command line: sc delete cryptsvc
    PID: 2292
    Signatures: Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe
    Command line: sc config cryptsvc start= disabled
    PID: 1472
    Signatures: Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 33KB
  MD5: 4b259bd0f139a6bb03a2a77ce1ae3981
  SHA1: 657503834c08ce18895fce88a312c38c496a4e58
  SHA256: d154adb3e32f2c423ce6a96784eb41cbbcf245eade41ab4e9184d901c5e1684d
  SHA512: b409c79ae9e3a657820385efcdd541057c05faeb4acb0936aeada93c29bf9ce08dd583357b1ed8b9e54d1306df887f6b46a9486312ca84a3a61b9c8896b63ca6