Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

c6efed7bd3...e0.exe

windows7-x64

9

c6efed7bd3...e0.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    136s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/02/2024, 05:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c6efed7bd3f653226121cc6221e67b29f5ab268e0d8465a29da2c12b818631e0.exe

  • Size

    862KB

  • MD5

    451242c66de4ba164892f8c02444c2a6

  • SHA1

    b9b54d42a516208a2b003615b127d420433f3f57

  • SHA256

    c6efed7bd3f653226121cc6221e67b29f5ab268e0d8465a29da2c12b818631e0

  • SHA512

    0fdfea2fc2b11622cab8fd9459c5a317113cb9ce8bd18a1c8be9eb02db0fa54f18776b3a113d7a6c5971dc87e54490b48a3f783be125d14811d79d1c51f4e069

  • SSDEEP

    12288:A6F8gPUVpBqFnkB5ZGUJUz6m3+hrWjPNq1tp1s8ef/tnlb0PAnSrhgY2fxRiQbox:A6FYBqNkZVW+EW

Score
9/10
collectiondiscoveryspywarestealer

Malware Config

Signatures

  • Detects executables packed with ConfuserEx Mod 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c6efed7bd3f653226121cc6221e67b29f5ab268e0d8465a29da2c12b818631e0.exe
    "C:\Users\Admin\AppData\Local\Temp\c6efed7bd3f653226121cc6221e67b29f5ab268e0d8465a29da2c12b818631e0.exe"
    1⤵
    • Loads dropped DLL
    • Accesses Microsoft Outlook profiles
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • outlook_office_path
    • outlook_win_path
    PID:3888
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 2768
      2⤵
      • Program crash
      PID:2808
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3888 -ip 3888
    1⤵
      PID:4996

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\jobA4IpaEfDd1bSlF\PwxACMj4ABJWWeb Data
      Filesize

      92KB

      MD5

      c00f3970108a8af891b5768c37ef0b63

      SHA1

      cf5e378a5236a9a015fa5617a303f9a5a296e645

      SHA256

      d1edb25dac788ec78d570f905d9c81651b4229228272b3ebc64d20b3ca8c6d43

      SHA512

      7542d99357fab4e243caad174e1f1eb172c334ede37af2e32f49bb30fece84599eb28bea005eccd920d5903a85dbe4bf56a55f8d87f29eaab6187a72d15be93b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\jobA4IpaEfDd1bSlF\njoCQRmEpWlDWeb Data
      Filesize

      116KB

      MD5

      f70aa3fa04f0536280f872ad17973c3d

      SHA1

      50a7b889329a92de1b272d0ecf5fce87395d3123

      SHA256

      8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

      SHA512

      30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\jobA4IpaEfDd1bSlF\sqlite3.dll
      Filesize

      791KB

      MD5

      0fe0a178f711b623a8897e4b0bb040d1

      SHA1

      01ea412aeab3d331f825d93d7ee1f5fa6d3c46e6

      SHA256

      0c7cd52abdb6eb3e556d81caac398a127495e4a251ef600e6505a81385a1982d

      SHA512

      6c53c489c4464b9dc9a5dd31c48bb4afa65f7d6df9cc71e705cea2074ebd5e249cad4894eac6f6b308b3574633bc6e1706dfc5fda5f46c27f1e37d21e65fbc54

      Download Submit

    • memory/3888-0-0x0000000000990000-0x0000000000A6E000-memory.dmp

      Filesize

      888KB

      Download

    • memory/3888-1-0x0000000074870000-0x0000000075020000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3888-2-0x0000000007770000-0x00000000077E6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3888-3-0x0000000007860000-0x0000000007870000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3888-9-0x0000000007D70000-0x0000000007DD6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3888-10-0x00000000088D0000-0x00000000088EE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3888-11-0x0000000008DA0000-0x00000000090F4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3888-68-0x0000000005940000-0x00000000059D2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3888-76-0x0000000074870000-0x0000000075020000-memory.dmp

      Filesize

      7.7MB

      Download