Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

b0d1f5ebfb...1a.exe

windows7-x64

7

b0d1f5ebfb...1a.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    153s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/01/2024, 07:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a.exe

  • Size

    1.8MB

  • MD5

    34446803caeef0fddd97afd72ce1f7d3

  • SHA1

    b2a287c2b93389277c6167df74f85df6a4089f45

  • SHA256

    b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a

  • SHA512

    62407b80fe9373802079208bb7b93a92c87ee414b4f670121a04677ec4d4c7458abafcc85127da46fc318a96d75bbec574e413c26787527db5a639ae3bd044bb

  • SSDEEP

    49152:rx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAbaB0zj0yjoB2:rvbjVkjjCAzJ/B2Yyjl

Score
7/10
spywarestealer

Malware Config

Signatures

  • Executes dropped EXE 11 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in System32 directory 20 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a.exe
    "C:\Users\Admin\AppData\Local\Temp\b0d1f5ebfbec8ca0c74920c77f44183e69d98ead60b312033ea9f8846cd6621a.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:980
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    PID:1120
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3800
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:4636
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2000
    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:5032
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:4060
    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
      1⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:2004
    • C:\Windows\System32\msdtc.exe
      C:\Windows\System32\msdtc.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:564
    • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
      "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
      1⤵
      • Executes dropped EXE
      PID:1128
    • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
      C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
      1⤵
      • Executes dropped EXE
      PID:2460
    • C:\Windows\SysWow64\perfhost.exe
      C:\Windows\SysWow64\perfhost.exe
      1⤵
      • Executes dropped EXE
      PID:624
    • C:\Windows\system32\locator.exe
      C:\Windows\system32\locator.exe
      1⤵
      • Executes dropped EXE
      PID:5104

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      Filesize

      2.1MB

      MD5

      89e7b2f6f79c37cf115446df04d281ad

      SHA1

      2f4f00021d6a0337e30a4e4a8cbfc3d300d61316

      SHA256

      b3782eb900b745e4eacbf5006e0a84577e0a69a951c68f54abd6694de06f221e

      SHA512

      d088ddcabe38ae041c7f27513993a16f5c5d6d473646a309d3de7be943df4e3ecb5f4b1a1205d376acd9943c4bde0b8171164676ecf2073ccc598a40d1d8d43e

      Download Submit

    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      Filesize

      1.4MB

      MD5

      acd3078caf1d18ea2ceb17187f2c946e

      SHA1

      7fc8796e16b54feaa518407f71044395bfa76d43

      SHA256

      f090f181452238450a1ab4e4d82323cb84cf561ed180260e02d2d0051c9913a3

      SHA512

      2559edd344b91389cf11eef6a9a8b6a88a61391c898ef671f8e82b127b120a8efd6653d1bd5c91e03bcefd1b576e2b2991528b6e7555c0a00b6726f6f899ec65

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
      Filesize

      1.4MB

      MD5

      15ea627d80745851746dfa0895b73756

      SHA1

      a8e50d8c345048f966c06dbff00427d5c2975fda

      SHA256

      981f5754fe86b8378a79833bdf79ae4be84a48dc04829d1722a5fd351ec9310f

      SHA512

      b01831294e6c10bfdbb38d48b447ec84d9f131bf3e0040eae3b3cd489e172c5ab8edd67a543da239b30a7361f859b9ed2f54ac3502f4dd4dfd24a7433898e11e

      Download Submit

    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
      Filesize

      2.1MB

      MD5

      33065149e905c45ff5c29859d5c21ac1

      SHA1

      de8134c392a6ba8c66ef6c9cbf6061187a81d9f2

      SHA256

      cf3d3ad2bd3b0640fe1341e9a37d2d25a0b219e7673ed85fb7cbd8004cf7ce69

      SHA512

      2291691f8f317c970625dd06b4bb269e1399d7f4b5add6d69b2bb5a79c671f54090ca607a9e292137c5f72dcfed107887953d2b06861907e43dbdd4b577c1dbe

      Download Submit

    • C:\Windows\SysWOW64\perfhost.exe
      Filesize

      1.2MB

      MD5

      ecfc4091d611d417daf4ef723563c808

      SHA1

      75be7b344a5ad79fe898389655f55feadfad5479

      SHA256

      79d8d8455e14ba620b70be052489cddbbaf1b507ce37690e1eb481b0b73c66b5

      SHA512

      4a978178b8fc10c1638a5b68c4e0730d08188bc52ffe71e4edf043775e5b2352b64f5e9f7a41f1490a74631e041b68de122f09c16eb4df3859aa9f9e9c7fb37b

      Download Submit

    • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
      Filesize

      1.3MB

      MD5

      869b485b0f905d276a85e07d7e421b49

      SHA1

      a14a79c9285fcac42240c84d899aaa18882ad801

      SHA256

      9082b4ae4663941c92035af164a7227f2a0d8301c6107897fd1a6af850edaab5

      SHA512

      3977ee756556b94b831d1779a2491254cb7c6844e0775ef806c02579006db0d65431e5d4c91180c55d0b267e4658da2d1d21f25c7ad5bb18cc3c9ba584607655

      Download Submit

    • C:\Windows\System32\FXSSVC.exe
      Filesize

      1.2MB

      MD5

      c31ca6016d2b730128c274aa93af87d5

      SHA1

      8d7c61b59510f3509a3b96c58f00a9dea98943a0

      SHA256

      5063b1e6520cdd57d79044c34e711429070ec315e350f0e0a8c3a539c8214237

      SHA512

      647e4b85c0930660c1187ab4a4f76b3642629b77361450dc3eeedb21d53c6a3ec8a831e5b38a32a930c3957389bd5d8dfe77ec8fb6262b9e5815f421998570ee

      Download Submit

    • C:\Windows\System32\Locator.exe
      Filesize

      735KB

      MD5

      57aeec6b3fbcddce00c3239ae53a0d69

      SHA1

      aa08ace881f14926f53f3f1608bb6266aaafe5ba

      SHA256

      9800e18beb3c599ae7345e156850084ba68c48614966ef9b495bee31195e1691

      SHA512

      657313b9bdf31dde8a0752bff1bdefd22785be3bf8a8b68fac948e0b8d1848c6fb9848ead5f59b087190ba118a898a83774c6a7d8dc0b6f9fd128a925fa3e124

      Download Submit

    • C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
      Filesize

      384KB

      MD5

      ab5fa4d07347a8f7fc92b13f430852e5

      SHA1

      3575dbd79a168964ffc4b2e4df68762ede1f0351

      SHA256

      96091a56cd80bc6dadcbda44c14e4bb0fc738256b2f425965ce57559bac9eaa2

      SHA512

      0b0392c44ce86c78f3844beb4dd3423f4ee7d3bc419b0f4a9f14936fd2d2fccab2bf948360998c2c417b9d4544a3868ff4d1e05fb23c3bca9393d4676bdc3296

      Download Submit

    • C:\Windows\System32\alg.exe
      Filesize

      1.3MB

      MD5

      2c00af46a16420036e311ba467c9aad1

      SHA1

      202b5d7ffb2a079ee05b46f74287c48ef9e81919

      SHA256

      9965605903444887208614cf13257ed2e92eb0ba23a32495977c12175e5c0f34

      SHA512

      bc7b93b2fea849edb1f36a54cff74c6aa49c1b5344274eeaeb5aa9457987b65dc71eaaeada7f96067848e62208082652d50762853afac7284709b8ca7aebb912

      Download Submit

    • C:\Windows\System32\msdtc.exe
      Filesize

      512KB

      MD5

      f96d65a22b8ee84c483697768572f2ac

      SHA1

      3f5e36bd2c0e09b84e3d5a50678027033ccbd6ba

      SHA256

      96ded6d5b9164056579a179fa92293c3fe31c00b1dd53eeb567c7448541192e2

      SHA512

      e5e060387dc674e3757b1a6b145e2ee3b99c38d815923a5f130d8367b9c8e53d2287e5a79727437ecae01e98e9d972f9c67dc3887528d8c5fb3aa5e3a591e961

      Download Submit

    • C:\Windows\system32\AppVClient.exe
      Filesize

      1.3MB

      MD5

      132485b113de28c4c93ad6f4cdb163e1

      SHA1

      59d3e57357128b3c413c7141312715b3adf278a0

      SHA256

      56c5363181ab6aaf8f58d9d0a483e5bf6ce554b67159a850d722f69c4c48e306

      SHA512

      24d54915870483567161e630e410e553feee831784a2194a73817473c3ee714d3e495c0d07039853a4a4113ff21a3916c51d8270573492f1740b6a164ac676e9

      Download Submit

    • C:\Windows\system32\msiexec.exe
      Filesize

      1.2MB

      MD5

      a451b95852e848167750cb774141e673

      SHA1

      3bf41337dc389efa89a01f3f3b6e3719e8cb0186

      SHA256

      0e5ef9798bc872a633dcf24431d9ff854fe59ca3123d6e6f53a2baf90aae3e4e

      SHA512

      5ec0d2d7274531a50a0f675f20c6e3b2058ede02f04d5a3559e5bdd9e5678767b28a61f56702261cd0929028430ca3577ff5aedc36e9e0573cadbee762f0260d

      Download Submit

    • memory/564-140-0x0000000140000000-0x000000014015A000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/564-366-0x0000000140000000-0x000000014015A000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/624-416-0x0000000000400000-0x0000000000538000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/624-417-0x0000000000820000-0x0000000000887000-memory.dmp

      Filesize

      412KB

      Download

    • memory/980-120-0x0000000000400000-0x00000000005D4000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/980-242-0x0000000000400000-0x00000000005D4000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/980-0-0x0000000000400000-0x00000000005D4000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/980-7-0x0000000000740000-0x00000000007A7000-memory.dmp

      Filesize

      412KB

      Download

    • memory/980-6-0x0000000000740000-0x00000000007A7000-memory.dmp

      Filesize

      412KB

      Download

    • memory/980-1-0x0000000000740000-0x00000000007A7000-memory.dmp

      Filesize

      412KB

      Download

    • memory/1120-139-0x0000000140000000-0x000000014014B000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1120-12-0x0000000140000000-0x000000014014B000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1128-367-0x0000000140000000-0x0000000140170000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1128-155-0x00000000004F0000-0x0000000000550000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1128-147-0x0000000140000000-0x0000000140170000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1128-145-0x00000000004F0000-0x0000000000550000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2000-98-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2000-96-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2004-137-0x0000000140000000-0x000000014016B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2004-134-0x0000000000D10000-0x0000000000D70000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2004-131-0x0000000000D10000-0x0000000000D70000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2004-124-0x0000000000D10000-0x0000000000D70000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2004-125-0x0000000140000000-0x000000014016B000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2460-370-0x0000000140000000-0x000000014014C000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2460-230-0x0000000140000000-0x000000014014C000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2460-232-0x0000000000BC0000-0x0000000000C20000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2460-244-0x0000000000BC0000-0x0000000000C20000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3800-53-0x0000000000680000-0x00000000006E0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3800-91-0x0000000000680000-0x00000000006E0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3800-52-0x0000000140000000-0x000000014014A000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3800-144-0x0000000140000000-0x000000014014A000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4060-113-0x0000000140000000-0x000000014022B000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/4060-340-0x0000000140000000-0x000000014022B000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/4060-112-0x00000000001A0000-0x0000000000200000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4060-119-0x00000000001A0000-0x0000000000200000-memory.dmp

      Filesize

      384KB

      Download

    • memory/5032-100-0x0000000000910000-0x0000000000970000-memory.dmp

      Filesize

      384KB

      Download

    • memory/5032-101-0x0000000140000000-0x0000000140237000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/5032-247-0x0000000140000000-0x0000000140237000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/5032-108-0x0000000000910000-0x0000000000970000-memory.dmp

      Filesize

      384KB

      Download

    • memory/5104-426-0x0000000140000000-0x0000000140136000-memory.dmp

      Filesize

      1.2MB

      Download