Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
08/01/2024, 18:28
General
-
Target
4c267bfd760e90a203a744138d59ce5c.exe
-
Size
3.4MB
-
MD5
4c267bfd760e90a203a744138d59ce5c
-
SHA1
5d585e86b727b9d94e8458a298880f1f79815e3a
-
SHA256
1da32f2f8d0930fa4817a88b963c853345241501dc27ee1c4ff97778eccef8fb
-
SHA512
49d0f977d441ceca95366a33288b56baf41daf571b635d0908eb4a3a759a2bd91964eb2038bc0fe24708f4e7881d2cce19225f90c1a8a75db61f2f643d827172
-
SSDEEP
98304:HRS6nfSOQZOt+CW+7EELhF3gxpNOf2k2Y/4aEuC0:Hkj8NBFwxpNOuk2faEuC0
Malware Config
Signatures
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4c267bfd760e90a203a744138d59ce5c.exe"C:\Users\Admin\AppData\Local\Temp\4c267bfd760e90a203a744138d59ce5c.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\NUBk39y5lI9902.exe"C:\Users\Admin\AppData\Local\Temp\NUBk39y5lI9902.exe" QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxUZW1wXDRjMjY3YmZkNzYwZTkwYTIwM2E3NDQxMzhkNTljZTVjLmV4ZQ==2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C sc stop "SysMain" & sc config "SysMain" start=disabled3⤵
- Suspicious use of WriteProcessMemory
-
-
-
C:\Windows\system32\sc.exesc config "SysMain" start=disabled1⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop "SysMain"1⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
33KB
MD50a3fe8806e5fe06bf0df3d0ced7ddba1
SHA1d14f1426150f225d493d55b35ee1666451b17a28
SHA2561fd6d305a7c7dfae7556b1d63915854c2511e4a0dcd122beda392709f9fa427b
SHA512ea8dcd5a69d897a3d63680af11d58f0035c6b5afc68e544283bccb983ddc41a9a90be65e1d28de94f8b23eeaef196d359499e52544682c846c670cf028d76740
-
Filesize
138KB
MD53d48c67fc00cc8f888fbec451ae66abc
SHA1489b63be9e1e6398cac684df4bc6bcd4f480aa85
SHA2567547e27e7ba57b0a3734483c49cd3a05f1f7169a319ea3dd6ce0acfe707a58b2
SHA5125e1a96dba3c7fce93a41dba2237ecaafc863b47a8b47dda14719d741fc85bc871fbccc5083ebc4e09a9b53e662421bce462f3c41fa6460e3e0284edae457032d
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
64KB
-
Filesize
4.2MB
-
Filesize
16KB
-
Filesize
3.1MB
-
Filesize
624KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
744KB
-
Filesize
200KB
-
Filesize
10.8MB
-
Filesize
192KB
-
Filesize
2.9MB
-
Filesize
16KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
456KB
-
Filesize
24KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
224KB
-
Filesize
64KB
-
Filesize
3.1MB
-
Filesize
64KB
-
Filesize
64KB