Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
16/03/2024, 11:43
Static task
static1
Behavioral task
behavioral1
Sample
winPEASx64_ofs.exe
Resource
win7-20240221-en
General
-
Target
winPEASx64_ofs.exe
-
Size
2.1MB
-
MD5
b0536a4441b95468d2674589053e29f9
-
SHA1
f8ecd2ca72b5b01884902adc8766ea672a9c727c
-
SHA256
01ccc2ba607a0aa44e7bd6690dc5d93001ad70b03ad817142f7f9abb4c911abb
-
SHA512
f499ba9b7e777cebc8e4fe48de5cf8eb5c6a815c97dd2ba053790b68daeb67f5aa7be177ca15470ffbc06d29d034031fd0228865d26f4308252fb633478000bd
-
SSDEEP
24576:phS3u9fS4UlbZNd6CNUBZZP03pwkBCu2IH5aPUxqFiLP:pqmMBl8IH5aPU4iD
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA winPEASx64_ofs.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: winPEASx64_ofs.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 winPEASx64_ofs.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier winPEASx64_ofs.exe -
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid Process 3980 systeminfo.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe 4936 winPEASx64_ofs.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4936 winPEASx64_ofs.exe Token: SeDebugPrivilege 2396 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4936 wrote to memory of 3980 4936 winPEASx64_ofs.exe 100 PID 4936 wrote to memory of 3980 4936 winPEASx64_ofs.exe 100 PID 4936 wrote to memory of 2384 4936 winPEASx64_ofs.exe 114 PID 4936 wrote to memory of 2384 4936 winPEASx64_ofs.exe 114 PID 4936 wrote to memory of 2396 4936 winPEASx64_ofs.exe 116 PID 4936 wrote to memory of 2396 4936 winPEASx64_ofs.exe 116 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\winPEASx64_ofs.exe"C:\Users\Admin\AppData\Local\Temp\winPEASx64_ofs.exe"1⤵
- Checks whether UAC is enabled
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\SYSTEM32\systeminfo.exe"systeminfo.exe"2⤵
- Gathers system information
PID:3980
-
-
C:\Windows\SYSTEM32\netsh.exe"netsh" wlan show profiles2⤵PID:2384
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" # Check if appcmd.exe exists if (Test-Path ('C:\Windows\system32\inetsrv\appcmd.exe')) { # Create data table to house results $DataTable = New-Object System.Data.DataTable # Create and name columns in the data table $Null = $DataTable.Columns.Add('user') $Null = $DataTable.Columns.Add('pass') $Null = $DataTable.Columns.Add('type') $Null = $DataTable.Columns.Add('vdir') $Null = $DataTable.Columns.Add('apppool') # Get list of application pools Invoke-Expression 'C:\Windows\system32\inetsrv\appcmd.exe list apppools /text:name' | ForEach-Object { # Get application pool name $PoolName = $_ # Get username $PoolUserCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list apppool ' + $PoolName + ' /text:processmodel.username' $PoolUser = Invoke-Expression $PoolUserCmd # Get password $PoolPasswordCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list apppool ' + $PoolName + ' /text:processmodel.password' $PoolPassword = Invoke-Expression $PoolPasswordCmd # Check if credentials exists if (($PoolPassword -ne '') -and ($PoolPassword -isnot [system.array])) { # Add credentials to database $Null = $DataTable.Rows.Add($PoolUser, $PoolPassword,'Application Pool','NA',$PoolName) } } # Get list of virtual directories Invoke-Expression 'C:\Windows\system32\inetsrv\appcmd.exe list vdir /text:vdir.name' | ForEach-Object { # Get Virtual Directory Name $VdirName = $_ # Get username $VdirUserCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list vdir ' + $VdirName + ' /text:userName' $VdirUser = Invoke-Expression $VdirUserCmd # Get password $VdirPasswordCmd = 'C:\Windows\system32\inetsrv\appcmd.exe list vdir ' + $VdirName + ' /text:password' $VdirPassword = Invoke-Expression $VdirPasswordCmd # Check if credentials exists if (($VdirPassword -ne '') -and ($VdirPassword -isnot [system.array])) { # Add credentials to database $Null = $DataTable.Rows.Add($VdirUser, $VdirPassword,'Virtual Directory',$VdirName,'NA') } } # Check if any passwords were found if( $DataTable.rows.Count -gt 0 ) { # Display results in list view that can feed into the pipeline #$DataTable | Sort-Object type,user,pass,vdir,apppool | Select-Object user,pass,type,vdir,apppool -Unique $DataTable | Select-Object user,pass,type,vdir,apppool } else { # Status user Write-host 'No application pool or virtual directory passwords were found.' } }2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2396
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2676 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:81⤵PID:1480
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82