Analysis
- max time kernel: 55s
- max time network: 54s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/04/2024, 17:42

Static task: static1
Behavioral task: behavioral1
Sample: 64.exe
Resource: win7-20240221-en
General
- Target: 64.exe
- Size: 401KB
- MD5: 3e682955546fe3b6b1296a509ff80f65
- SHA1: da050e533305cd03b0235af1cbccfd3ff611d4c3
- SHA256: 96dd5b0abe337b23d4caa746a29c196af3508fa103d16a1f180e13730cdb773b
- SHA512: dcb1dc90e85179e39dfcc773f9f790e230d9b563cb50dedac1f2e5d0106797bd8fd2b8c9a14b68134eb0b5b7aff66de1b6f6c46a69f9d98542070fa168d87436
- SSDEEP: 6144:cDGeTb5E+Z7EAXrvPRIxK0zBL/TIDC2dL3RltnfoBglM7zMUdsvk3zhAt76zkiz4:cDGelZ7FXrPy4ix+LBltsgK7zXIqbkT
Malware Config
Signatures
- NirSoft WebBrowserPassView (2 IoCs)
  Password recovery tool for various web browsers
  resource | yara_rule
  behavioral2/memory/4808-0-0x0000017F14B60000-0x0000017F14BCA000-memory.dmp | WebBrowserPassView
  behavioral2/files/0x000d000000023af1-5.dat | WebBrowserPassView
- Nirsoft (2 IoCs)
  resource | yara_rule
  behavioral2/memory/4808-0-0x0000017F14B60000-0x0000017F14BCA000-memory.dmp | Nirsoft
  behavioral2/files/0x000d000000023af1-5.dat | Nirsoft
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation | 64.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  4464 | WebBrowserPassView.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  4464 | WebBrowserPassView.exe
  4464 | WebBrowserPassView.exe
  4464 | WebBrowserPassView.exe
  4464 | WebBrowserPassView.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4808 wrote to memory of 4464 | 4808 | 64.exe | 83
  PID 4808 wrote to memory of 4464 | 4808 | 64.exe | 83
  PID 4808 wrote to memory of 4464 | 4808 | 64.exe | 83
Processes
- C:\Users\Admin\AppData\Local\Temp\64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\64.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 4808
  - C:\Users\Public\WebBrowserPassView.exe
    Command line: "C:\Users\Public\WebBrowserPassView.exe" /stext C:\Users\Public\WebBrowserPassView.txt
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 4464
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 391KB
  MD5: 8b2597e2844a621b45f2616952b074b2
  SHA1: c93b6da0726154b989674219e2c0238559d73f62
  SHA256: 119a6e9c8246102cd4cc8c6926d9c9ef66646079ff361dd73cf43e869081f0c6
  SHA512: 552f7675b39cbf74dc3b5b1571cec5b6c6b3e2b8ef287126f5b48d6d5940b12680149f835fd53e04286aece3dc8dc7c51e76d17b48150d0d4ddf4e3f0d6cabd2
- Filesize: 4KB
  MD5: e255c36d21183acb0a1a38b1344443f0
  SHA1: 9fd09dd85a76f8211e9ba81929a1f10d3c499917
  SHA256: 00459ae0cad2abd0641bc5e9fb35d08bccec2d498173adc35810ae820eb55b47
  SHA512: 0e1319f62957c7b3bf1d6573bf24a0bb1cbaf8a0665de6584483885f8c340545cacf36800436892073979a02f3739526569b8c01f862ca9a4b3940c31ad51d4a