Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

cc8b7476b4...6f.exe

windows7-x64

9

cc8b7476b4...6f.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    149s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/05/2024, 04:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cc8b7476b414acfce4a6a10437473098e7cf272e27fc1723786e631bf6d2d86f.exe

  • Size

    1.1MB

  • MD5

    6a5a8c18485a6aeff8bb93be025db1cd

  • SHA1

    103bea545e9d9256aa4fd52b567ab3f05271e4aa

  • SHA256

    cc8b7476b414acfce4a6a10437473098e7cf272e27fc1723786e631bf6d2d86f

  • SHA512

    0da147bba5fe0838444b1a031c666942c48584b1627613c83a158df39bfe59ba60d19204396e1b7d6b37e14f537ade145f421f39d65d055b41189162c0e71284

  • SSDEEP

    12288:9n8yN0Mr8VZOSzt9tzZxpwXK4Qzh+jMlWCEh/iZyzBLZiSjJ5KH2awbx3QLKwM:FPuVZOSzXFZxpwiz0wy/9BTq+x3QLs

Score
9/10
discoverypersistencespywarestealer

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 27 IoCs
  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc8b7476b414acfce4a6a10437473098e7cf272e27fc1723786e631bf6d2d86f.exe
    "C:\Users\Admin\AppData\Local\Temp\cc8b7476b414acfce4a6a10437473098e7cf272e27fc1723786e631bf6d2d86f.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4384
    • C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:264
    • C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\cc8b7476b414acfce4a6a10437473098e7cf272e27fc1723786e631bf6d2d86f.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3568
      • C:\Users\Admin\AppData\Local\Temp\cc8b7476b414acfce4a6a10437473098e7cf272e27fc1723786e631bf6d2d86f.exe
        "C:\Users\Admin\AppData\Local\Temp\cc8b7476b414acfce4a6a10437473098e7cf272e27fc1723786e631bf6d2d86f.exe"
        3⤵
        • Checks computer location settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4612
        • C:\Users\Public\Microsoft Build\Isass.exe
          "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\cc8b7476b414acfce4a6a10437473098e7cf272e27fc1723786e631bf6d2d86f.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2640
          • C:\Users\Admin\AppData\Local\Temp\cc8b7476b414acfce4a6a10437473098e7cf272e27fc1723786e631bf6d2d86f.exe
            "C:\Users\Admin\AppData\Local\Temp\cc8b7476b414acfce4a6a10437473098e7cf272e27fc1723786e631bf6d2d86f.exe"
            5⤵
            • Checks computer location settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1996
            • C:\Users\Public\Microsoft Build\Isass.exe
              "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\cc8b7476b414acfce4a6a10437473098e7cf272e27fc1723786e631bf6d2d86f.exe
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:4020
              • C:\Users\Admin\AppData\Local\Temp\cc8b7476b414acfce4a6a10437473098e7cf272e27fc1723786e631bf6d2d86f.exe
                "C:\Users\Admin\AppData\Local\Temp\cc8b7476b414acfce4a6a10437473098e7cf272e27fc1723786e631bf6d2d86f.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:1076
                • C:\Windows\Temp\{ED5B1B8C-F376-4B94-979D-3BE2B49477CA}\.cr\cc8b7476b414acfce4a6a10437473098e7cf272e27fc1723786e631bf6d2d86f.exe
                  "C:\Windows\Temp\{ED5B1B8C-F376-4B94-979D-3BE2B49477CA}\.cr\cc8b7476b414acfce4a6a10437473098e7cf272e27fc1723786e631bf6d2d86f.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\cc8b7476b414acfce4a6a10437473098e7cf272e27fc1723786e631bf6d2d86f.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:4452

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
    Filesize

    957KB

    MD5

    7ffbf842f0b03a0a8208b272137f4542

    SHA1

    db01f4a78f5dbad9781942769b5b4e00c462c228

    SHA256

    5ed8ab8eb161acc9a7d6b5faa07279e106d1868c74aff6e53def4306722855ad

    SHA512

    8d1e44e942c6e877c01f53ee1ccf7569987bc91fa3cd1d133e0d4673124f83fd903e682d9f3d3b79cf40f132bf5fc2a205d8985dbd0eb41865ce7004c47872cc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\cc8b7476b414acfce4a6a10437473098e7cf272e27fc1723786e631bf6d2d86f.exe
    Filesize

    632KB

    MD5

    c27046bd35c5717084bb40c7305b941a

    SHA1

    51510a7753dd2a1236b34b495db21ef18a74c25c

    SHA256

    e0bc82c13bcd1ade084a0421dab88e23e9cc5499323449e585e7dd2116951bd3

    SHA512

    df9dc98043ea5b86c671e769a75e569366223c5a291f5eed22f68af9783a0aa295d8bb0ee0b510767cce7961f2e501124d9fe656044766644e18682f21446214

    Download Submit

  • C:\Users\Public\Microsoft Build\Isass.exe
    Filesize

    450KB

    MD5

    6769f78e265852c88a6850c91391d414

    SHA1

    bfa7647c3c4589cc3693677a51eb9157b73e36c1

    SHA256

    de50d943bbf9e955a3965f742e3eeb236e5302e6ab125a597bda84b4c458b1e9

    SHA512

    ce25d325f8bf85e016996d26ad4cfde523bb4a3d75610e17385b887cc30d5d728e9e1e1bbe17901593f9ca6a2dfb805ea6ad66e8df885b691b441e80969add57

    Download Submit

  • C:\Windows\Temp\{F4ADF11E-4C41-45F3-99C2-3E4D105BDD4C}\.ba\logo.png
    Filesize

    1KB

    MD5

    d6bd210f227442b3362493d046cea233

    SHA1

    ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

    SHA256

    335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

    SHA512

    464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

    Download Submit

  • C:\Windows\Temp\{F4ADF11E-4C41-45F3-99C2-3E4D105BDD4C}\.ba\wixstdba.dll
    Filesize

    191KB

    MD5

    eab9caf4277829abdf6223ec1efa0edd

    SHA1

    74862ecf349a9bedd32699f2a7a4e00b4727543d

    SHA256

    a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

    SHA512

    45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

    Download Submit

  • memory/264-88-0x0000000000400000-0x00000000016A8000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/264-103-0x0000000000400000-0x00000000016A8000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/264-136-0x0000000000400000-0x00000000016A8000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/264-124-0x0000000000400000-0x00000000016A8000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/264-123-0x0000000000400000-0x00000000016A8000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/264-115-0x0000000000400000-0x00000000016A8000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/264-111-0x0000000000400000-0x00000000016A8000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/264-104-0x0000000000400000-0x00000000016A8000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/264-97-0x0000000000400000-0x00000000016A8000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/264-8-0x0000000001A60000-0x0000000001A61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/264-78-0x0000000000400000-0x00000000016A8000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/264-81-0x0000000000400000-0x00000000016A8000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/264-82-0x0000000000400000-0x00000000016A8000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/264-83-0x0000000000400000-0x00000000016A8000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/264-7-0x0000000000400000-0x00000000016A8000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/264-87-0x0000000000400000-0x00000000016A8000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/264-96-0x0000000000400000-0x00000000016A8000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/1996-18-0x0000000000400000-0x00000000016A8000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/2640-16-0x0000000000400000-0x00000000016A8000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/3568-9-0x0000000000400000-0x00000000016A8000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/3568-10-0x0000000000400000-0x00000000016A8000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/4020-30-0x0000000000400000-0x00000000016A8000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/4384-4-0x0000000000400000-0x00000000016A8000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/4384-6-0x0000000000400000-0x00000000016A8000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/4612-11-0x0000000000400000-0x00000000016A8000-memory.dmp

    Filesize

    18.7MB

    Download

  • memory/4612-14-0x0000000000400000-0x00000000016A8000-memory.dmp

    Filesize

    18.7MB

    Download