Analysis
max time kernel: 149s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/04/2024, 18:09
Static task: static1
Behavioral task: behavioral1
  Sample: 032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672.exe
  Resource: win10v2004-20240426-en
The signatures, process tree and downloads below come from behavioral2 (win10v2004-20240426-en); no behavioral1 (Windows 7) results appear on this page.
General
Target: 032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672.exe
Size: 455KB
MD5: 9eca82d1ff4bee0b79fb73fd9e333a93
SHA1: cdeb36f8dbbf6bc4ef1fba4e33e4d39a7d5e8fdb
SHA256: 032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672
SHA512: c70160b2ed7ac3dae0830536de5f2cbf8c3d36b402654d6a7cebcb64a9a49d47023ad0f83ee88057ec845571addfa46839773554e31d06986e26c58db5c893e2
SSDEEP: 12288:KLxNI8KjYJK+N5VS+9HTA8gbqk8PP/OsmeMVKsvEfg0+H:KVNYjYJK+d+mk6/Opnv30S
Malware Config
Signatures
Detects executables containing SQL queries to confidential data stores. Observed in infostealers (5 IoCs)
All five hits are the same 0x0000000063080000-0x00000000631EC000 region, one per process (PIDs 4592, 5292, 4992, 4516, 4784).
resource                                                                    yara_rule
behavioral2/memory/4592-1-0x0000000063080000-0x00000000631EC000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/5292-35-0x0000000063080000-0x00000000631EC000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/4992-49-0x0000000063080000-0x00000000631EC000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/4516-74-0x0000000063080000-0x00000000631EC000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/4784-61-0x0000000063080000-0x00000000631EC000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Detects executables containing base64 encoded User Agent (5 IoCs)
resource                                                                    yara_rule
behavioral2/memory/4592-1-0x0000000063080000-0x00000000631EC000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
behavioral2/memory/5292-35-0x0000000063080000-0x00000000631EC000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
behavioral2/memory/4992-49-0x0000000063080000-0x00000000631EC000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
behavioral2/memory/4516-74-0x0000000063080000-0x00000000631EC000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
behavioral2/memory/4784-61-0x0000000063080000-0x00000000631EC000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_B64_Encoded_UserAgent
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
description        ioc                                                                                                    Process
Key value queried  \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation  com3.exe
Key value queried  \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation  032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672.exe
Drops startup file (1 IoC)
description   ioc                                                                                                   Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShareIt Service.exe  SearchHelper.exe
Executes dropped EXE (4 IoCs)
pid   Process
5644  SearchHelper.exe
5292  com3.exe
4784  SearchHelper.exe
4516  com3.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                                                                                                   Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Intel GPU = "F:\\Program Files\\Intel GPU\\GfxUI.exe"                                                   reg.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Search Helper = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Search\\SearchHelper.exe"  com3.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry key (1 TTP, 1 IoC)
pid   Process
2820  reg.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs; each process is listed twice)
pid   Process
4592  032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672.exe
5644  SearchHelper.exe
5292  com3.exe
4992  032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672.exe
4784  SearchHelper.exe
4516  com3.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  5644  SearchHelper.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
5644  SearchHelper.exe
Suspicious use of WriteProcessMemory (18 IoCs; each relation is recorded three times)
description                        pid   Process                                                                 procid_target
PID 4592 wrote to memory of 5644   4592  032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672.exe  85
PID 4592 wrote to memory of 5292   4592  032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672.exe  86
PID 4592 wrote to memory of 4992   4592  032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672.exe  87
PID 4992 wrote to memory of 4784   4992  032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672.exe  88
PID 4992 wrote to memory of 4516   4992  032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672.exe  89
PID 5292 wrote to memory of 2820   5292  com3.exe                                                                93
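The persistence and geofence signatures above are the rows a responder has to turn into host checks. The following is an added example, not code from the Triage report or from the sample it describes: it takes the (description, ioc, Process) rows as they appear in this report, plus the reg.exe command line from the process tree, normalises the registry paths so the 32-bit WOW6432Node write and the reg.exe ADD resolve to the same autorun, and returns structured findings. The row tuples are transcribed from this page; the severity rules and the "trusted autorun location" list are this example's assumptions, not Triage's own logic.

```python
"""Turn Triage signature rows into persistence / geofence findings (added example)."""
import re

# Triage prints registry paths as \REGISTRY\MACHINE\... and \REGISTRY\USER\<SID>\...;
# normalise to HKLM\... / HKCU\... and drop WOW6432Node so a 32-bit writer
# (redirected by the registry reflector) matches the same rule as a 64-bit one.
_SID_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\", re.I)
_MACHINE_RE = re.compile(r"^\\REGISTRY\\MACHINE\\", re.I)
_WOW_RE = re.compile(r"\\WOW6432Node", re.I)
RUN_KEY_RE = re.compile(r"^(HKLM|HKCU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\(.+)$", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
GEO_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# Heuristic (assumption): autoruns outside these system-drive directories get a higher severity.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def normalize_key(path):
    path = _SID_RE.sub(r"HKCU\\", path)
    path = _MACHINE_RE.sub(r"HKLM\\", path)
    return _WOW_RE.sub("", path)


def exe_from_value(data):
    """Image path from Run value data: quoted path, or unquoted path up to the first '.exe'."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(?:\s|$)", data, re.I)
    return m.group(1) if m else data.split(" ", 1)[0]


def location_is_suspicious(exe):
    return not exe.lower().startswith(TRUSTED_DIRS)


def classify_row(description, ioc, process):
    """One (description, ioc, Process) row from a Triage signature table -> finding or None."""
    if description.startswith("Set value"):
        key, _, data = ioc.partition(" = ")
        key = normalize_key(key)
        m = RUN_KEY_RE.match(key)
        if m:
            exe = exe_from_value(data.replace("\\\\", "\\"))  # Triage shows doubled backslashes
            return {"type": "persistence.run_key", "process": process, "key": key, "value_name": m.group(2),
                    "target": exe, "severity": "high" if location_is_suspicious(exe) else "medium"}
    elif description == "File created" and STARTUP_RE.search(ioc):
        return {"type": "persistence.startup_folder", "process": process, "path": ioc, "severity": "high"}
    elif description == "Key value queried" and GEO_RE.search(normalize_key(ioc)):
        return {"type": "recon.geofence", "process": process, "key": normalize_key(ioc), "severity": "low"}
    return None


def win_argv(cmdline):
    """Minimal Windows command-line splitter: whitespace separates, double quotes group, no escapes."""
    args, cur, inq = [], [], False
    for ch in cmdline:
        if ch == '"':
            inq = not inq
        elif ch.isspace() and not inq:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def parse_reg_add(cmdline):
    """'reg.exe ADD <key> [/v name] [/t type] [/d data] [/f]' -> dict, or None if not a reg ADD."""
    argv = win_argv(cmdline)
    if len(argv) < 3 or not argv[0].lower().endswith("reg.exe") or argv[1].upper() != "ADD":
        return None
    out = {"key": normalize_key(argv[2]), "name": None, "type": None, "data": None, "force": False}
    i = 3
    while i < len(argv):
        opt = argv[i].lower()
        if opt == "/f":
            out["force"] = True
            i += 1
        elif opt in ("/v", "/t", "/d") and i + 1 < len(argv):
            out[{"/v": "name", "/t": "type", "/d": "data"}[opt]] = argv[i + 1]
            i += 2
        else:
            i += 1
    return out


def classify_reg_add(cmdline, process="reg.exe"):
    cmd = parse_reg_add(cmdline)
    if not cmd or not re.search(r"\\CurrentVersion\\Run$", cmd["key"], re.I):
        return None
    exe = exe_from_value(cmd["data"] or "")
    return {"type": "persistence.reg_add_run", "process": process, "key": cmd["key"] + "\\" + (cmd["name"] or ""),
            "target": exe, "severity": "high" if location_is_suspicious(exe) else "medium"}


# Rows transcribed from this report's signature tables and the reg.exe command line from its process tree.
REPORT_ROWS = [
    ("Key value queried", r"\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation", "com3.exe"),
    ("Key value queried", r"\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation", "032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672.exe"),
    ("File created", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ShareIt Service.exe", "SearchHelper.exe"),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Intel GPU = "F:\\Program Files\\Intel GPU\\GfxUI.exe"', "reg.exe"),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Search Helper = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Search\\SearchHelper.exe"', "com3.exe"),
]
REG_CMDLINE = r'"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v "Intel GPU" /d "F:\Program Files\Intel GPU\GfxUI.exe"'


def findings(rows=REPORT_ROWS, reg_cmdlines=(REG_CMDLINE,)):
    out = [f for f in (classify_row(*r) for r in rows) if f]
    out += [f for f in (classify_reg_add(c) for c in reg_cmdlines) if f]
    return out


def autoruns_to_check(found):
    """Distinct (key, target) pairs to verify on a suspect host; duplicates across sources collapse."""
    return sorted({(f["key"], f["target"]) for f in found if f["type"].startswith("persistence.") and "target" in f})


if __name__ == "__main__":
    for f in findings():
        print(f["severity"], f["type"], f["process"], f.get("target") or f.get("path") or f.get("key"))
```

The normalisation is the point worth keeping: the `reg.exe ADD HKLM\...\Run` command line and the registry write Triage recorded under `WOW6432Node` describe one autorun, and `autoruns_to_check` returns it once alongside the HKCU `Search Helper` value.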
Processes

C:\Users\Admin\AppData\Local\Temp\032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672.exe (PID 4592, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe (PID 5644, level 2)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe (PID 5292, level 2)
    command line: "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe (PID 2820, level 3)
      command line: "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v "Intel GPU" /d "F:\Program Files\Intel GPU\GfxUI.exe"
      (the image is SysWOW64\reg.exe although System32\reg.exe was requested: the 32-bit com3.exe is subject to WOW64 file system redirection, which is also why the resulting value lands under WOW6432Node in the signature above)
      - Adds Run key to start application
      - Modifies registry key

  C:\Users\Admin\AppData\Local\Temp\032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672.exe (PID 4992, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\032d4c4b1bdbe8436a608cacb2e2d6bbc88828b7d4d1408f363ac0a70055d672.exe" silent pause
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe (PID 4784, level 3)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Search\SearchHelper.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe (PID 4516, level 3)
      command line: "\\.\C:\Users\Admin\AppData\Local\Temp\WER9mso.dir00\com3.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 458KB
MD5: cbfd4a1ca918e7fc1e3fb55d24a649fc
SHA1: 69ffc59d100318416731ca273d8885dc8fa7b8c5
SHA256: edc4062b110016cbfd3bed0099d45bbf4331591155359192fa72fee87583b290
SHA512: 051c7087b664f879cde29cc0ea6aea4370c7635364ffa9ec8327892b64dd59e0e3d5192846d0d7913ddecbf64e02a1b64769e150eb404fa4409dd397d0d4e330

File 2
Filesize: 458KB
MD5: f4b40f4cd9b25058082ab755a4293505
SHA1: 4586efdf234760f9e7def3d9752f98f4040d36ad
SHA256: 81f5e211ddf349d534f0641e086335e3dd9bd7fbcf2e5cef723c0bc9fcf5b475
SHA512: 0630aa442e5daaf046d13be8a0052551cc9cd4ca00039ed2df172c35bd413b2da374ecf98ece3824168da33d3b2e095e65116cb96b1a2bc94a2d8a6b311eac20

File 3
Filesize: 10B
MD5: 39421abbe92259c8aa00d698b30b708d
SHA1: be4a2015eef137bf2809d2dd3b60d7bc7923812a
SHA256: 670a7aa90d3da948a70f1bbce1d205acb50916501bbee232dd40d2366d6205a1
SHA512: d3b309dfff45393f2337db304a402ad04394bc8e03b8d3d542a131b2698b7770854eec8ed0fde42abdc722e47870e9e3d50957fa18c20d8d0b63f16db93af338