Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system -
submitted
24/02/2024, 11:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
stealerchecker.exe
Resource
win7-20240215-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral2
Sample
stealerchecker.exe
Resource
win10v2004-20240221-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
stealerchecker.exe
-
Size
68KB
-
MD5
29ad87193b4efc50d31fe9077dc814ca
-
SHA1
d946c00a35279a6414867f218785faf986e294ea
-
SHA256
8274f1591c7dfe5a492d2d5691e0a73a2ce4ff11cc6931551c7911d1e73a3a8d
-
SHA512
50840ed705bd7b6f1911fd74c8a23f0ef528103b7a83bc92cb7eea688d48f54390e0e1aded2ede3ec6fcae084492259ababd3de22afee6a89ac7e907a87573d1
-
SSDEEP
1536:UkKPK681qM5GckK6vk5i2laAmMlghXx+xUtYc9gi:JkvemMlghXx+xUtYc9gi
Score
3/10
Malware Config
Signatures
-
Program crash 1 IoCs
pid pid_target Process procid_target 4256 1252 WerFault.exe 83 -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4448 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 5088 taskmgr.exe Token: SeSystemProfilePrivilege 5088 taskmgr.exe Token: SeCreateGlobalPrivilege 5088 taskmgr.exe Token: 33 5088 taskmgr.exe Token: SeIncBasePriorityPrivilege 5088 taskmgr.exe Token: SeDebugPrivilege 4448 taskmgr.exe Token: SeSystemProfilePrivilege 4448 taskmgr.exe Token: SeCreateGlobalPrivilege 4448 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 5088 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe 4448 taskmgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\stealerchecker.exe"C:\Users\Admin\AppData\Local\Temp\stealerchecker.exe"1⤵PID:1252
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 8042⤵
- Program crash
PID:4256
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1252 -ip 12521⤵PID:1548
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5088
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4448
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93