Analysis
-
max time kernel
83s
max time network
103s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags
arch:x64 arch:x86 image:win11-20231215-en locale:en-us os:windows11-21h2-x64 system
submitted
07/01/2024, 17:58
General
-
Target
GENERATOR 2.0/GENERATOR 2.0.exe
-
Size
50.7MB
-
MD5
9224655def30664e25eb075940a4c6bc
-
SHA1
05bb602202941413b7544883f2bf19ac2ed8b517
-
SHA256
c3b66ee7b2bb35e24c67bf0fa8825a045b715c0050ba4fc2507e7c8d885a99b4
-
SHA512
bfbbcf2a551ce0e982385c07d7bb15e747fc647b5bbf5591ff413b4b9f17ff11cb361bc8831c436ba8c33f91cf68c092da5e67470d7876fdafd04037188cd88e
-
SSDEEP
1572864:7XGMK4XR3bLSCU/+6yPlhvhoQtHlBzW+eHfmmWu24HOGPn:7gYRPSC++6y9Ji46dn24uG
Malware Config
Signatures
-
Drops startup file 1 IoCs
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GENERATOR 2.0.exe
Process: GENERATOR 2.0.exe
-
Loads dropped DLL 64 IoCs
pid Process
952 GENERATOR 2.0.exe (64 identical rows, one per loaded DLL IoC)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
20 api.ipify.org
2 api.ipify.org
4 api.ipify.org
12 api.ipify.org
17 api.ipify.org
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process
4028 tasklist.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process
952 GENERATOR 2.0.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 4028 tasklist.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
952 GENERATOR 2.0.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target
PID 1192 wrote to memory of 952 1192 GENERATOR 2.0.exe 81
PID 1192 wrote to memory of 952 1192 GENERATOR 2.0.exe 81
PID 952 wrote to memory of 4736 952 GENERATOR 2.0.exe 83
PID 952 wrote to memory of 4736 952 GENERATOR 2.0.exe 83
PID 952 wrote to memory of 4076 952 GENERATOR 2.0.exe 85
PID 952 wrote to memory of 4076 952 GENERATOR 2.0.exe 85
PID 4076 wrote to memory of 4028 4076 cmd.exe 86
PID 4076 wrote to memory of 4028 4076 cmd.exe 86
Processes
(depth 1) Image: C:\Users\Admin\AppData\Local\Temp\GENERATOR 2.0\GENERATOR 2.0.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\GENERATOR 2.0\GENERATOR 2.0.exe"
    - Suspicious use of WriteProcessMemory
    PID:1192
  (depth 2) Image: C:\Users\Admin\AppData\Local\Temp\GENERATOR 2.0\GENERATOR 2.0.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\GENERATOR 2.0\GENERATOR 2.0.exe"
      - Drops startup file
      - Loads dropped DLL
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:952
    (depth 3) Image: C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "ver"
        PID:4736
    (depth 3) Image: C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "tasklist"
        - Suspicious use of WriteProcessMemory
        PID:4076
      (depth 4) Image: C:\Windows\system32\tasklist.exe
          Command line: tasklist
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
          PID:4028
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
116KB
MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655
-
Filesize
63KB
MD5 806e47cb0146c81aeaa8bf3b55789801
SHA1 6ee2c47f892480846c98acea03915e744e24f217
SHA256 55cbeaa0a6d5678b4ff611b5166829b1a07b84b97e72e35263216703d98332ef
SHA512 a8090290c571cf94c0dc09c91156149c05d1883081cd5b0d69230b6ea8bc4052e518c00004b35964f5464c67e757e3993feeef980fa99ffb3e612b2384629ab3
-
Filesize
82KB
MD5 afaa11704fda2ed686389080b6ffcb11
SHA1 9a9c83546c2e3b3ccf823e944d5fd07d22318a1b
SHA256 ab34b804da5b8e814b2178754d095a4e8aead77eefd3668da188769392cdb5f4
SHA512 de23bb50f1d416cf4716a5d25fe12f4b66e6226bb39e964d0de0fef1724d35b48c681809589c731d3061a97c62b4dc7b9b7dfe2978f196f2d82ccce286be8a2a
-
Filesize
121KB
MD5 78df76aa0ff8c17edc60376724d206cd
SHA1 9818bd514d3d0fc1749b2d5ef9e4d72d781b51dd
SHA256 b75560db79ba6fb56c393a4886eedd72e60df1e2f7f870fe2e356d08155f367b
SHA512 6189c1bd56db5b7a9806960bc27742d97d2794acebc32e0a5f634fe0ff863e1775dcf90224504d5e2920a1192a3c1511fb84d41d7a2b69c67d3bdfbab2f968fa
-
Filesize
155KB
MD5 2ae2464bfcc442083424bc05ed9be7d2
SHA1 f64b100b59713e51d90d2e016b1fe573b6507b5d
SHA256 64ba475a28781dca81180a1b8722a81893704f8d8fac0b022c846fdcf95b15b9
SHA512 6c3acd3dcae733452ad68477417693af64a7d79558e8ec9f0581289903c2412e2f29195b90e396bfdcd765337a6dea9632e4b8d936ac39b1351cd593cb12ce27
-
Filesize
1.4MB
MD5 81cd6d012885629791a9e3d9320c444e
SHA1 53268184fdbddf8909c349ed3c6701abe8884c31
SHA256 a18892e4f2f2ec0dee5714429f73a5add4e355d10a7ba51593afc730f77c51dd
SHA512 d5bf47fad8b1f5c7dcaa6bef5d4553e461f46e6c334b33d8adc93689cf89365c318f03e961a5d33994730b72dc8bde62209baca015d0d2d08a081d82df7dfd73
-
Filesize
1.5MB
MD5 8fc2c034d58573e79dc769b2a40b3999
SHA1 02fe1ed24b5b371865d6a46e2f70500bde2d0fb3
SHA256 30241e03de6372c108c419430f2917e7cf3ff8708575ef64e325a89e01de1cd7
SHA512 0264e086a2379e2dccf215d5dca9c29c5d0096166b83ec374eb5822b9e02d1b9e28eaa5b40a4c70bc84fec035c6fbe462f3d58786ae9ceb816206f64875f5d6b
-
Filesize
38KB
MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978
-
Filesize
771KB
MD5 bfc834bb2310ddf01be9ad9cff7c2a41
SHA1 fb1d601b4fcb29ff1b13b0d2ed7119bd0472205c
SHA256 41ad1a04ca27a7959579e87fbbda87c93099616a64a0e66260c983381c5570d1
SHA512 6af473c7c0997f2847ebe7cee8ef67cd682dee41720d4f268964330b449ba71398fda8954524f9a97cc4cdf9893b8bdc7a1cf40e9e45a73f4f35a37f31c6a9c3
-
Filesize
186KB
MD5 2cefa470e58a82a2441f5808baa2b0ee
SHA1 4e4a98e82ef6500a9e79e6c4b56c2b6a0a638e64
SHA256 8add5f11f0a1ef27f34a1f3f407a3afedc892c8f04870db4f89c0a3abc1114a2
SHA512 5840237b8d92c358f44db74492672694cc58bf0d609eaeb45c36825c5d586d652bd031b5fcafb6340ff9ea32a9238bba78256742493af8c7188877cd6ee6e5fa
-
Filesize
193KB
MD5 bfe46323faea201f6d18d60723e06852
SHA1 f93afeebb3ea1e6d1cc8ab3618c9d4c88eaa7475
SHA256 35134cca2dcf7c2b7e592b677833322b6b72a6a88afcd3935afe5907a282e89e
SHA512 7342c309c98b7ef0d8e7d02e6a31afbd765b077b9061a185b160842b24af3fb629d5757001ae647b8c660defd41b765bbb6175cca431d569ff9bd580fd8f7913
-
Filesize
65KB
MD5 ff319d24153238249adea18d8a3e54a7
SHA1 0474faa64826a48821b7a82ad256525aa9c5315e
SHA256 a462a21b5f0c05f0f7ec030c4fde032a13b34a8576d661a8e66f9ad23767e991
SHA512 0e63fe4d5568cd2c54304183a29c7469f769816f517cd2d5b197049aa966c310cc13a7790560ef2edc36b9b6d99ff586698886f906e19645faeb89b0e65adfdd
-
Filesize
2.9MB
MD5 c59c40d3665d5a2a51156137bbe13cb9
SHA1 d639fa2525dba464328cd5aa26231e212e0a5ff4
SHA256 4aea137d8efc05052cf49745f389bae5aa03e780c05b051b33407bea1426e2db
SHA512 5a4ff93d881ec12a3069436a60dbc309c3350418ebe3fa365ce7709feeb72b81f52dbeaa34b93273bf7f3a8628b97c4a6b2c021b7472bc4fc921e05a9515e9a1
-
Filesize
2.1MB
MD5 098357a23f798cf3ed20a6e2fc39ccbb
SHA1 2aac8fd594ea2d7e3d513bc2d0927e7c9051fcbf
SHA256 c6623f0faeb83ec4c20fe7db89ce2a01aa0ec0e4b220a3bb389061880fb77a93
SHA512 f69623c0d2cd158eaae4568776816fd3b259434eab55b1b3e0746c3b3fcfb5ecfda316b90ac173aff51d93f50a522a978dabe87933c7c4c7d08ecee12c413138
-
Filesize
29KB
MD5 0b55f18218f4c8f30105db9f179afb2c
SHA1 f1914831cf0a1af678970824f1c4438cc05f5587
SHA256 e7fe45baef9cee192c65fcfce1790ccb6f3f9b81e86df82c08f838e86275af02
SHA512 428ee25e99f882af5ad0dedf1ccdbeb1b4022ac286af23b209947a910bf02ae18a761f3152990c84397649702d8208fed269aa3e3a3c65770e21ee1eec064cc1
-
Filesize
773KB
MD5 df9c54ca498a688676f25eb161dbff6c
SHA1 a9f965ec5d97d87da43c18eb32a69109012a2e15
SHA256 08f55b49f65e08a4c3a599c8a5148b43be8eca8663e3afbd450085ed042139a9
SHA512 6273f7142777b93055838a19900e267720493c2f07841880919df389b89c5fa0c370f0f77a5ac0f644912cf3f919e342816f1e9369fbd70fb8faea630933fd87
-
Filesize
386KB
MD5 08088c81dcc23e7b98009f3faba7e247
SHA1 cbeedaafccbbb35b93a67d4d868ccd296e085f42
SHA256 5dabdcacfb047695b8feb3f5c6e2454f74145c99ccc7624b81aaf59b8d61f10c
SHA512 81543b3102fc75e8fd1368d84613c69d366fcbc4e0d16b811a08a63bb5ef3813ec86aa5a15fb7161af2e6203253c4b29be27a3408945157a502e5ef0ee949ec0
-
Filesize
12KB
MD5 6f4b58496501defa12f7b9157ad57b00
SHA1 5f4bcc137fa31f6a07561c2d2e49071f39b5020e
SHA256 0c76cd2741c4d6bafe61ea83aa6a1e56439e6d319e537071506218d914933b22
SHA512 cc07c2205f389ffbef3327efc39e3830ca09f48870006c45a3902ac006b492a22a36dc4b0d5592e0a37e034d1a89f907c2a9af2cd8bd8435a112c2dc576f2abc
-
Filesize
1KB
MD5 33640b05ccc550bd6825d1c00a2e5707
SHA1 5a630bd459997c46ca007c1650396fa95848cfcb
SHA256 cf7c92f4d07399d991126be0e770572cc7af994bac452cbd0dee0ba13aa41f39
SHA512 ef26e13b516a5dd57a4ed665ce5e9e2d73ab1cef256e46abf03231cce7b6b7627aa7bc5b24673e899e902e8cfee0f056cf5f9075f1c8f6a9f35ab508b8e6499e
-
Filesize
92KB
MD5 c5dc6abbdfcb1aa3738eba3c759242aa
SHA1 9f25b8aaf5d48d4a03096491da8b9834965a0bef
SHA256 fa6ddb5538d272d7e9cd5e9703350e8c145f3687bd68fd20ac748a6c15328ea5
SHA512 c65a490d978ee43976256ab0eb76f51abf9be02eb0ab50f33745631d955448d148046467c764303c15cdce463be6a59cdc2b367c80923b54165f9c4f1a476f9f
-
Filesize
92KB
MD5 eaab5a302979cfbe8c7b151eff8d554c
SHA1 04ef5481e52cca4a25e6a1396769753b4c598423
SHA256 2b5d1088a7e5ec8b0c4cd98c8e7f3befb8ed0ba362af2e8a069b50b3b93114a7
SHA512 93ee6ce32b795a9ceb697fc52aa816554a0ab060ff4a5ab7db82cc9d79ecc63791fa2f5a1e9aeb96da3b8682b45f03a5c6a282d5759eaa1f0b8f61b53a66c9e1
-
Filesize
29B
MD5 155ea3c94a04ceab8bd7480f9205257d
SHA1 b46bbbb64b3df5322dd81613e7fa14426816b1c1
SHA256 445e2bcecaa0d8d427b87e17e7e53581d172af1b9674cf1a33dbe1014732108b
SHA512 3d47449da7c91fe279217a946d2f86e5d95d396f53b55607ec8aca7e9aa545cfaf9cb97914b643a5d8a91944570f9237e18eecec0f1526735be6ceee45ecba05