Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/04/2024, 08:41

General

  • Target

    Node-js.exe

  • Size

    139.8MB

  • MD5

    582c50321ccfc6a1270050082dd95139

  • SHA1

    c91cfe125d0bcb1a9ba33831bdd7aa3ca2a9aaca

  • SHA256

    76dab2722dc81e8f27c8c5920f15925a1950811e178ee8d2d630b23234537a28

  • SHA512

    6327115c074b164cf8b7477679533db055ab18fcf1b3880cafaead70892047aa9f7e60c93fe123c409f5e5f220cb591ab4271ff1ae37272b8c919f308104d47c

  • SSDEEP

    786432:MSfg0tbLs2cRE3FsdxwBFyAaZZiljQWohhjbj6S46P845IPD:MSj5szmFcxwBFyAaZ4jMhhXcyC

Malware Config

Signatures

  • Epsilon Stealer

    Information stealer.

  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Node-js.exe
    "C:\Users\Admin\AppData\Local\Temp\Node-js.exe"
    1⤵
    • Enumerates VirtualBox registry keys
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Loads dropped DLL
    • Checks for VirtualBox DLLs, possible anti-VM trick
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3788
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4332
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic CsProduct Get UUID
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3452
    • C:\Users\Admin\AppData\Local\Temp\Node-js.exe
      "C:\Users\Admin\AppData\Local\Temp\Node-js.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Node-js" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1788,10831192671619328633,13297692189030570987,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
      PID:4872
    • C:\Users\Admin\AppData\Local\Temp\Node-js.exe
      "C:\Users\Admin\AppData\Local\Temp\Node-js.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Node-js" --mojo-platform-channel-handle=2072 --field-trial-handle=1788,10831192671619328633,13297692189030570987,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2936
    • C:\Users\Admin\AppData\Local\Temp\Node-js.exe
      "C:\Users\Admin\AppData\Local\Temp\Node-js.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Node-js" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2336 --field-trial-handle=1788,10831192671619328633,13297692189030570987,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      PID:2564
    • C:\Users\Admin\AppData\Local\Temp\Node-js.exe
      "C:\Users\Admin\AppData\Local\Temp\Node-js.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\Node-js" --mojo-platform-channel-handle=2924 --field-trial-handle=1788,10831192671619328633,13297692189030570987,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      2⤵
      PID:2152
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM chrome.exe /F"
      2⤵
      PID:3564
      • C:\Windows\system32\taskkill.exe
        taskkill /IM chrome.exe /F
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1680
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
      2⤵
      PID:2748
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
        3⤵
        PID:4868
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
      2⤵
      PID:5104
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
        3⤵
        PID:540
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      PID:2844
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:3272
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
      2⤵
      PID:4356
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2192
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
      2⤵
      PID:4776
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_VideoController get name
        3⤵
        • Detects videocard installed
        PID:1208
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"
      2⤵
      PID:1480
      • C:\Windows\system32\cmd.exe
        cmd /c chcp 65001
        3⤵
        PID:3968
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:5012
      • C:\Windows\system32\netsh.exe
        netsh wlan show profiles
        3⤵
        PID:1532
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdater /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsUpdater.exe /f"
      2⤵
      PID:1764
      • C:\Windows\system32\reg.exe
        C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsUpdater /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsUpdater.exe /f
        3⤵
        • Adds Run key to start application
        PID:3196
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      PID:4292
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        PID:2148
    • C:\Users\Admin\AppData\Local\Temp\Node-js.exe
      "C:\Users\Admin\AppData\Local\Temp\Node-js.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Node-js" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4056 --field-trial-handle=1788,10831192671619328633,13297692189030570987,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1488
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2536
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x468 0x324
    1⤵
    PID:4448

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\080f9cc7-bd59-4897-b23a-df5a8a8fb8af.tmp.node

    Filesize

    2.7MB

    MD5

    08b28072c6d59fdf06a808182efed01f

    SHA1

    35253af00af3308a64cff1eda104fd7227abb2f4

    SHA256

    7c999c84852b1f46a48f75b130fea445280d7032a56359dffecf36730366abc5

    SHA512

    f2592ade5053b674dbe4191c7001748a801dca3b19e97e19b440a3e944011c87926b0ef21c87e98b48e038889a32e01c1d74949124be3144834e2f06d9781198

  • C:\Users\Admin\AppData\Local\Temp\270b3797-697f-4cfd-969a-447e971a6df5.tmp.node

    Filesize

    652KB

    MD5

    3036020ed84037bf5997af5feea43683

    SHA1

    3fe1b7909a00009266d56c15243f5d0b858ad28b

    SHA256

    7292b9dadebc0483bc34cb19e079e9e7cbd4341dd4f0faaa6838493e7a37349a

    SHA512

    653cf85a2f51a4ae6fc2373bd547f4c095fd8725c819e0a2736fcf6944d7d2aef1989e63155a80ada89f078ea0cba49552acc90662fe45cefb0748f89a7c4515

  • C:\Users\Admin\AppData\Local\Temp\938c6ffb-7c2d-4290-bbac-e18ed1d0c166.tmp.node

    Filesize

    163KB

    MD5

    b0e113443ddc1ee234acbf0eb0e6f8a0

    SHA1

    84cc562b82570ec05df6dbbfc8f29fbb16ec68c7

    SHA256

    8d6f5cab1d6a99ac49772080c6f383f33a9bb983e0f8d02d0f3de4b2bdd26215

    SHA512

    306e89ec66fdf8b0de19d5bcda01f69809d83f464a9c21fda4b470e81ad3b722aa6cb6086fb4c2af59504fe4332c1f9efff27168598cc00be0f28fed45dde8ee

  • C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt

    Filesize

    240B

    MD5

    810ae82f863a5ffae14d3b3944252a4e

    SHA1

    5393e27113753191436b14f0cafa8acabcfe6b2a

    SHA256

    453478914b72d9056472fb1e44c69606c62331452f47a1f3c02190f26501785c

    SHA512

    2421a397dd2ebb17947167addacd3117f666ddab388e3678168075f58dc8eee15bb49a4aac2290140ae5102924852d27b538740a859d0b35245f505b20f29112

  • C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Credit Cards\All Credit Cards.txt

    Filesize

    231B

    MD5

    dec2be4f1ec3592cea668aa279e7cc9b

    SHA1

    327cf8ab0c895e10674e00ea7f437784bb11d718

    SHA256

    753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc

    SHA512

    81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66

  • C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • C:\Users\Admin\AppData\Roaming\Node-js\Network\Network Persistent State

    Filesize

    393B

    MD5

    6b9a836680dbfac0f79e49fbc1f9f3de

    SHA1

    3feeac7acac35d2dd7ca4478470a12ce49d8ecf8

    SHA256

    8bb720aadb9abc8292b85eb8ec833e53be8179a1d3b36c3f61797a7286e48c7e

    SHA512

    5a35bae056eea911338c72d41e5509626e9fd3571212b9d0a7148a2a58dfdd81e722df5946a0072ea42a92acaf63186f20d2ccbe0aad52f6b2f5aa7ddc7ce104

  • C:\Users\Admin\AppData\Roaming\Node-js\Network\Network Persistent State~RFe589cb8.TMP

    Filesize

    59B

    MD5

    2800881c775077e1c4b6e06bf4676de4

    SHA1

    2873631068c8b3b9495638c865915be822442c8b

    SHA256

    226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

    SHA512

    e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

  • memory/1488-143-0x000001EC34BA0000-0x000001EC34BA1000-memory.dmp

    Filesize

    4KB

  • memory/1488-144-0x000001EC34BA0000-0x000001EC34BA1000-memory.dmp

    Filesize

    4KB

  • memory/1488-145-0x000001EC34BA0000-0x000001EC34BA1000-memory.dmp

    Filesize

    4KB

  • memory/1488-150-0x000001EC34BA0000-0x000001EC34BA1000-memory.dmp

    Filesize

    4KB

  • memory/1488-149-0x000001EC34BA0000-0x000001EC34BA1000-memory.dmp

    Filesize

    4KB

  • memory/1488-151-0x000001EC34BA0000-0x000001EC34BA1000-memory.dmp

    Filesize

    4KB

  • memory/1488-153-0x000001EC34BA0000-0x000001EC34BA1000-memory.dmp

    Filesize

    4KB

  • memory/1488-152-0x000001EC34BA0000-0x000001EC34BA1000-memory.dmp

    Filesize

    4KB

  • memory/1488-155-0x000001EC34BA0000-0x000001EC34BA1000-memory.dmp

    Filesize

    4KB

  • memory/1488-154-0x000001EC34BA0000-0x000001EC34BA1000-memory.dmp

    Filesize

    4KB

  • memory/4872-10-0x00007FFFCD690000-0x00007FFFCD691000-memory.dmp

    Filesize

    4KB