Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    206s
  • max time network
    233s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2023, 13:46

General

  • Target

    22db929365b57752f6181d4b23016241.exe

  • Size

    33KB

  • MD5

    22db929365b57752f6181d4b23016241

  • SHA1

    30efa866aea90cf92998826c113d08b4e9f66d2f

  • SHA256

    39fe6cf655f0881af0b3ba2a02e7b2803ca195788279f177696dbc6c1be77eb8

  • SHA512

    d1ae032f4c41668709cc0630c35e80325443155319d4a4c4044ab595d6cd729660f5c40c160d5cddd0892ac937af5a0351b059b4b5603a979de000f2e0b358c2

  • SSDEEP

    768:UnykwyDKF0Pw95DDaxq56pv4tZiR+T0vjFfbM:Unyk9ojmpp8a+T0Fb

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 11 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\22db929365b57752f6181d4b23016241.exe
    "C:\Users\Admin\AppData\Local\Temp\22db929365b57752f6181d4b23016241.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4056
    • C:\Windows\SysWOW64\net.exe
      net stop cryptsvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3612
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop cryptsvc
        3⤵
          PID:1520
      • C:\Windows\SysWOW64\sc.exe
        sc delete cryptsvc
        2⤵
        • Launches sc.exe
        PID:2292
      • C:\Windows\SysWOW64\sc.exe
        sc config cryptsvc start= disabled
        2⤵
        • Launches sc.exe
        PID:1472

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1703764792.dat

      Filesize

      33KB

      MD5

      4b259bd0f139a6bb03a2a77ce1ae3981

      SHA1

      657503834c08ce18895fce88a312c38c496a4e58

      SHA256

      d154adb3e32f2c423ce6a96784eb41cbbcf245eade41ab4e9184d901c5e1684d

      SHA512

      b409c79ae9e3a657820385efcdd541057c05faeb4acb0936aeada93c29bf9ce08dd583357b1ed8b9e54d1306df887f6b46a9486312ca84a3a61b9c8896b63ca6

    • memory/4056-0-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

    • memory/4056-5-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB