Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/01/2024, 19:00

General

  • Target

    635a54f6e734b823ec8e64b3bfbf26db.exe

  • Size

    208KB

  • MD5

    635a54f6e734b823ec8e64b3bfbf26db

  • SHA1

    e66f8daa93c55ab0ec664161772e450f14180ff6

  • SHA256

    22606d6d601e0fae177553f6b343c5b1605ea0cbff5da7dacb2289ccaaf1bebe

  • SHA512

    3db0f56a5d4bf8cd403db51173688e4bde5430ef09e430a0b50fe8699ba5f6a5360ffa881f5883f409884dc4e5ba0218f9b38c9b22dbad8bdf0b225f03712e8c

  • SSDEEP

    6144:lybCZmNOIxs3NBBxn5YtkbdTf7ZUPrnNz:lyTi9BR3RTf7WPd

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 19 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\635a54f6e734b823ec8e64b3bfbf26db.exe
    "C:\Users\Admin\AppData\Local\Temp\635a54f6e734b823ec8e64b3bfbf26db.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1116
    • C:\Users\Admin\AppData\Local\Temp\635a54f6e734b823ec8e64b3bfbf26db.exe
      "C:\Users\Admin\AppData\Local\Temp\635a54f6e734b823ec8e64b3bfbf26db.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1364
      • C:\Users\Admin\AppData\Local\Temp\635a54f6e734b823ec8e64b3bfbf26db.exe
        "C:\Users\Admin\AppData\Local\Temp\635a54f6e734b823ec8e64b3bfbf26db.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1652
    • C:\Users\Admin\AppData\Local\Temp\635a54f6e734b823ec8e64b3bfbf26db.exe
      "C:\Users\Admin\AppData\Local\Temp\635a54f6e734b823ec8e64b3bfbf26db.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4976

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\trambling several models (Tatjana).avi.exe

    Filesize

    1.4MB

    MD5

    64711f87dbf44eb7b032f5d898f24033

    SHA1

    4fe21e8b7945951e1e077a13c1a972f35d586832

    SHA256

    b81eb15f4be913d6b8541492275d4b1db94b43a7decdcd68f84e1e70117c5d2d

    SHA512

    d069293c135ca1a37fb210b93e0c2a6bc7cfb1e5d792d5767be58cc99a9d73162459acad79b2b333de3e3447495183d337f9064ca47558612f9e7827ad6c8810

  • memory/1116-0-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/1652-154-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/4976-155-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB