Analysis

  • max time kernel
    160s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/05/2024, 03:56

General

  • Target

    e10761fe70448a202ffa8645c6f96b6ae4a158d8f59c757648d4a3bf402ce60e.exe

  • Size

    253KB

  • MD5

    e9e341b607fa2bd09f3f4cf244e244a7

  • SHA1

    c84d8bb906ed35c068e4692cdb65f1ee31bcb06d

  • SHA256

    e10761fe70448a202ffa8645c6f96b6ae4a158d8f59c757648d4a3bf402ce60e

  • SHA512

    77a47b314dd197c4ed6628e4c9229c0700f90adcae86a2095c1be5fd078beaa1d5ad8f045807be704ee536b1fd7ba29236c18d22c280fd5142eb568fd88a6931

  • SSDEEP

    3072:H4F9A0dgTGu8PepQEwwKDJz39z2uurBIDjAHLx4G8EFNmsIkR8zBy5isktTA1VTe:E5dgTt8mpH0D4KuQMe

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e10761fe70448a202ffa8645c6f96b6ae4a158d8f59c757648d4a3bf402ce60e.exe
    "C:\Users\Admin\AppData\Local\Temp\e10761fe70448a202ffa8645c6f96b6ae4a158d8f59c757648d4a3bf402ce60e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1132
    • C:\Users\Admin\YIMEIwAw\MeEcwsoc.exe
      "C:\Users\Admin\YIMEIwAw\MeEcwsoc.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:4712
    • C:\ProgramData\OyoMwIMA\pkMwQEgo.exe
      "C:\ProgramData\OyoMwIMA\pkMwQEgo.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      PID:3788
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\chocolatey.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Users\Admin\AppData\Local\Temp\chocolatey.exe
        C:\Users\Admin\AppData\Local\Temp\chocolatey.exe
        3⤵
        • Executes dropped EXE
        PID:1360
    • C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies registry key
      PID:112
    • C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      2⤵
      • Modifies registry key
      PID:2952
    • C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      2⤵
      • UAC bypass
      • Modifies registry key
      PID:1128
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4032 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1536

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

      Filesize

      566KB

      MD5

      dfe726748c3f15df520bb75f921b3785

      SHA1

      80795c475110647e1893886ec55e97b80c46a7a5

      SHA256

      0a7a53222b04310619e5cea08430e97159ba62e4c1398770d16a53e6d8cdc686

      SHA512

      225ce26445976c2aec2a974fb21af53490bc6e049f14ddf7f7511d96f55ed74fa333820dfed6313d26e96116ba940e3be30bfbbab41b43745270fd3caf4f7caf

    • C:\ProgramData\OyoMwIMA\pkMwQEgo.exe

      Filesize

      110KB

      MD5

      1cfb444cdbc06e1d1055c285ad712e64

      SHA1

      b3781272483ead17da41bca27b582e89cd49c24a

      SHA256

      41040a2c4ad0990f758a2086b70f637027f7eefe7da2574dce636eb2a14ff32f

      SHA512

      292dd0de15b4f9211afe6bbcc743b0c72a195cc9d6b35361f2cfd698c738cb9ce01d55ca6f01ee5213f092d19a5cb121f878f05d09b6cda55bc74f37f7e804b6

    • C:\Users\Admin\AppData\Local\Temp\chocolatey.exe

      Filesize

      140KB

      MD5

      d6bc92571edfc2863fff72b240e571a1

      SHA1

      b4227284cde5d9c00c42a043c1c16766b4c6460c

      SHA256

      422cfcc02baaff218e47cc6463efc5eaafb33ad4d0a920db3432de1f8963c4f8

      SHA512

      31cdfef64c809d1c1da3fc5dca2aec2fb03b911f3d2e3d010328606479d414363795d6386cc9426f3d494aeb14fb2b75889cdbbddbbeb8f0d8b09020e8404d1d

    • C:\Users\Admin\AppData\Local\Temp\nUYQ.exe

      Filesize

      5.2MB

      MD5

      94cfc8986f725de3612596b1261a12d4

      SHA1

      9f3bf0c9f7e0cc4abfe0af79ce422cbdaf7d5415

      SHA256

      eb80144be36282f14d8ec9d6a7f1ffb964c13a7a9d75c379914fc31111c250d2

      SHA512

      0f35f23518e333018ba2238a424c152d32c60f239388d293875a2e2f359f5cad0b76f9eb743aadd3c91a9a7e4a26a4cf14a044e66ce3960f32b1189166a7e1e6

    • C:\Users\Admin\YIMEIwAw\MeEcwsoc.exe

      Filesize

      108KB

      MD5

      9aa050cda847c8e9c62be62d07f0c6c2

      SHA1

      a9796bcbcc48b307f2b3eff7824add0f249fed05

      SHA256

      38ff6ed40d19bf26476d5efa4027e5b35d6652ef9ce03f653cfc1d0dbc383ba3

      SHA512

      fe77b79355840e7e488a8549e27b62c2fd9a235b642f14ce4cdec90cdaa84433c1fc551519ecbcd5004407854979384222ee2bfb50d132dfbd78a529fbeef773

    • memory/1132-0-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/1132-17-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

    • memory/1360-21-0x0000000000890000-0x00000000008B8000-memory.dmp

      Filesize

      160KB

    • memory/3788-14-0x0000000000400000-0x000000000041D000-memory.dmp

      Filesize

      116KB

    • memory/4712-6-0x0000000000400000-0x000000000041C000-memory.dmp

      Filesize

      112KB