Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/01/2024, 18:28

Static task: static1
Behavioral task: behavioral1
Sample: 4c267bfd760e90a203a744138d59ce5c.exe
Resource: win7-20231129-en
General
- Target: 4c267bfd760e90a203a744138d59ce5c.exe
- Size: 3.4MB
- MD5: 4c267bfd760e90a203a744138d59ce5c
- SHA1: 5d585e86b727b9d94e8458a298880f1f79815e3a
- SHA256: 1da32f2f8d0930fa4817a88b963c853345241501dc27ee1c4ff97778eccef8fb
- SHA512: 49d0f977d441ceca95366a33288b56baf41daf571b635d0908eb4a3a759a2bd91964eb2038bc0fe24708f4e7881d2cce19225f90c1a8a75db61f2f643d827172
- SSDEEP: 98304:HRS6nfSOQZOt+CW+7EELhF3gxpNOf2k2Y/4aEuC0:Hkj8NBFwxpNOuk2faEuC0
Malware Config
Signatures
- Stops running service(s) (3 TTPs)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation, by 4c267bfd760e90a203a744138d59ce5c.exe
- Deletes itself (1 IoC)
  PID 3272 NUBk39y5lI9902.exe
- Executes dropped EXE (1 IoC)
  PID 3272 NUBk39y5lI9902.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Launches sc.exe (2 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  PID 1756 sc.exe; PID 3480 sc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1456 4c267bfd760e90a203a744138d59ce5c.exe (1 event); PID 3272 NUBk39y5lI9902.exe (63 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1456 4c267bfd760e90a203a744138d59ce5c.exe
  Token: SeDebugPrivilege, PID 3272 NUBk39y5lI9902.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1456 (4c267bfd760e90a203a744138d59ce5c.exe) wrote to memory of PID 3272, target procid 92 (2 events)
  PID 3272 (NUBk39y5lI9902.exe) wrote to memory of PID 2332, target procid 96 (2 events)
  PID 2332 (cmd.exe) wrote to memory of PID 3480, target procid 95 (2 events)
  PID 2332 (cmd.exe) wrote to memory of PID 1756, target procid 94 (2 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\4c267bfd760e90a203a744138d59ce5c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4c267bfd760e90a203a744138d59ce5c.exe"
  PID: 1456
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\NUBk39y5lI9902.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NUBk39y5lI9902.exe" QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxUZW1wXDRjMjY3YmZkNzYwZTkwYTIwM2E3NDQxMzhkNTljZTVjLmV4ZQ==
    (the argument is the base64 encoding of the parent's path, C:\Users\Admin\AppData\Local\Temp\4c267bfd760e90a203a744138d59ce5c.exe, consistent with the "Deletes itself" signature)
    PID: 3272
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\cmd.exe
      Command line: "cmd.exe" /C sc stop "SysMain" & sc config "SysMain" start=disabled
      PID: 2332
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\sc.exe
        Command line: sc config "SysMain" start=disabled
        PID: 1756
        - Launches sc.exe
      - C:\Windows\system32\sc.exe
        Command line: sc stop "SysMain"
        PID: 3480
        - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 33KB
  MD5: 0a3fe8806e5fe06bf0df3d0ced7ddba1
  SHA1: d14f1426150f225d493d55b35ee1666451b17a28
  SHA256: 1fd6d305a7c7dfae7556b1d63915854c2511e4a0dcd122beda392709f9fa427b
  SHA512: ea8dcd5a69d897a3d63680af11d58f0035c6b5afc68e544283bccb983ddc41a9a90be65e1d28de94f8b23eeaef196d359499e52544682c846c670cf028d76740
- File 2
  Filesize: 138KB
  MD5: 3d48c67fc00cc8f888fbec451ae66abc
  SHA1: 489b63be9e1e6398cac684df4bc6bcd4f480aa85
  SHA256: 7547e27e7ba57b0a3734483c49cd3a05f1f7169a319ea3dd6ce0acfe707a58b2
  SHA512: 5e1a96dba3c7fce93a41dba2237ecaafc863b47a8b47dda14719d741fc85bc871fbccc5083ebc4e09a9b53e662421bce462f3c41fa6460e3e0284edae457032d