Analysis
max time kernel: 146s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240319-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/04/2024, 01:05
Behavioral task: behavioral1
Sample: 1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe
Resource: win7-20231129-en
General
Target: 1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe
Size: 2.2MB
MD5: 422ad9c53a86f687b230fde951fb5856
SHA1: 17eb89de5f5a21b3e83497e74145613209bc3a86
SHA256: 1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5
SHA512: d0cfae682aab7a15703b051bc879721d41276b8a22e9f69d9d2a0a40bdfea38cb1634340d3f93e2ce0f8f229798290820b7262e346ab88cf578a34489471c1e6
SSDEEP: 49152:Tgxqu3RcnLHx7FHNwA5VRp/KQiGH+7W7WFDus/3BcSJir2Vn:EQLVFthRhiY7Cus/3F4qV
Malware Config
Signatures
UPX dump on OEP (original entry point) (4 IoCs)
resource                                                                    yara_rule
behavioral2/memory/3428-0-0x00007FF62C1D0000-0x00007FF62C718000-memory.dmp  UPX
behavioral2/memory/3428-1-0x00007FF62C1D0000-0x00007FF62C718000-memory.dmp  UPX
behavioral2/memory/3428-68-0x00007FF62C1D0000-0x00007FF62C718000-memory.dmp UPX
behavioral2/memory/3428-71-0x00007FF62C1D0000-0x00007FF62C718000-memory.dmp UPX
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
resource                                                                    yara_rule
behavioral2/memory/3428-0-0x00007FF62C1D0000-0x00007FF62C718000-memory.dmp  upx
behavioral2/memory/3428-1-0x00007FF62C1D0000-0x00007FF62C718000-memory.dmp  upx
behavioral2/memory/3428-68-0x00007FF62C1D0000-0x00007FF62C718000-memory.dmp upx
behavioral2/memory/3428-71-0x00007FF62C1D0000-0x00007FF62C718000-memory.dmp upx
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Kills process with taskkill (1 IoCs)
pid   Process
3112  taskkill.exe
Suspicious behavior: EnumeratesProcesses (15 IoCs)
pid   Process
60    powershell.exe (3 entries)
3428  1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe (12 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                pid   Process
Token: SeDebugPrivilege    60    powershell.exe
Token: SeDebugPrivilege    3112  taskkill.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description                          pid   Process                                                                 procid_target
PID 3428 wrote to memory of 60       3428  1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe   110
PID 3428 wrote to memory of 60       3428  1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe   110
PID 3428 wrote to memory of 456      3428  1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe   112
PID 3428 wrote to memory of 456      3428  1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe   112
PID 456 wrote to memory of 3112      456   cmd.exe                                                                 114
PID 456 wrote to memory of 3112      456   cmd.exe                                                                 114
Processes
C:\Users\Admin\AppData\Local\Temp\1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe (depth 1, PID 3428)
    command line: "C:\Users\Admin\AppData\Local\Temp\1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 60)
        command line: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe (depth 2, PID 456)
        command line: "cmd.exe" /C "taskkill /pid 1896 /f"
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe (depth 3, PID 3112)
            command line: taskkill /pid 1896 /f
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID 4616)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2316 --field-trial-handle=2292,i,2927097380497635931,2014459809064723663,262144 --variations-seed-version /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID 1956)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4124 --field-trial-handle=2292,i,2927097380497635931,2014459809064723663,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads