Analysis
- max time kernel: 146s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/05/2024, 19:22
Behavioral task
- behavioral1
- Sample: salikhack.exe
- Resource: win7-20240508-en
General
- Target: salikhack.exe
- Size: 6.8MB
- MD5: 92290d3c06e414319fb42fc0f7d981d0
- SHA1: 6396501c4acd9e06a44f75f136528535e8003dce
- SHA256: 3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43
- SHA512: 2d59d0121b48e442ba2d2af2639afe928664238ef51e819a634c7c71aebfbaf87f3e8a033285111046d2f50c9a286b611143aac5c227a000ec5d4be65e5bc294
- SSDEEP: 196608:xclQtVzCfE9FQs1W/ojxuBxn86iiYY1BC:x5VOfE9FQUWQjxy8T5
Malware Config
Signatures
- Detect Blackmoon payload (2 IoCs)
  resource / yara_rule:
  - behavioral2/files/0x0009000000023434-17.dat: family_blackmoon
  - behavioral2/memory/5088-24-0x0000000000400000-0x0000000000ADE000-memory.dmp: family_blackmoon
- Poullight Stealer payload (3 IoCs)
  resource / yara_rule:
  - behavioral2/files/0x000600000002327d-4.dat: family_poullight
  - behavioral2/memory/1532-11-0x00000240CBA30000-0x00000240CBA50000-memory.dmp: family_poullight
  - behavioral2/memory/5088-24-0x0000000000400000-0x0000000000ADE000-memory.dmp: family_poullight
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description / ioc / Process:
  - Key value queried: \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation (salikhack.exe)
- Executes dropped EXE (3 IoCs)
  pid / Process:
  - 1532 build.exe
  - 3812 sakl.exe
  - 3564 asx0.dll
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
  pid / Process:
  - 3564 asx0.dll (7 entries)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid / pid_target / Process / procid_target:
  - 22360 / 3564 / WerFault.exe / 107
- Enumerates system info in registry (2 TTPs, 5 IoCs)
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (asx0.dll)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (asx0.dll)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process:
  - 4920 msedge.exe (2 entries)
  - 3768 msedge.exe (2 entries)
  - 1532 build.exe (3 entries)
  - 3812 sakl.exe (all remaining entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  pid / Process:
  - 3768 msedge.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description / pid / Process:
  - Token: SeDebugPrivilege / 1532 / build.exe
- Suspicious use of FindShellTrayWindow (25 IoCs)
  pid / Process:
  - 3768 msedge.exe (25 entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid / Process:
  - 3768 msedge.exe (24 entries)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid / Process:
  - 3812 sakl.exe (2 entries)
  - 3564 asx0.dll (2 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description / pid / Process / procid_target:
  - PID 5088 wrote to memory of 1532 / 5088 / salikhack.exe / 82 (2 entries)
  - PID 5088 wrote to memory of 3812 / 5088 / salikhack.exe / 83 (3 entries)
  - PID 3812 wrote to memory of 3768 / 3812 / sakl.exe / 84 (2 entries)
  - PID 3768 wrote to memory of 5092 / 3768 / msedge.exe / 85 (2 entries)
  - PID 3768 wrote to memory of 4072 / 3768 / msedge.exe / 88 (repeated entries)
  - PID 3768 wrote to memory of 4920 / 3768 / msedge.exe / 89 (2 entries)
  - PID 3768 wrote to memory of 2028 / 3768 / msedge.exe / 90 (repeated entries)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\salikhack.exe (PID 5088)
  command line: "C:\Users\Admin\AppData\Local\Temp\salikhack.exe"
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\build.exe (PID 1532)
    command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\sakl.exe (PID 3812)
    command line: "C:\Users\Admin\AppData\Local\Temp\sakl.exe"
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - [depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3768)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://jq.qq.com/?_wv=1027&k=57Cts1S
      signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      - [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5092)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcdbe046f8,0x7ffcdbe04708,0x7ffcdbe04718
      - [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4072)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,5423715873019112830,5625490148529272764,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
      - [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4920)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,5423715873019112830,5625490148529272764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2556 /prefetch:3
        signatures: Suspicious behavior: EnumeratesProcesses
      - [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2028)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,5423715873019112830,5625490148529272764,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
      - [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4108)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5423715873019112830,5625490148529272764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
      - [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3256)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5423715873019112830,5625490148529272764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
      - [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4588)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5423715873019112830,5625490148529272764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
      - [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 16416)
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,5423715873019112830,5625490148529272764,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3088 /prefetch:2
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\asx0.dll (PID 3564)
      command line: "C:\Users\Admin\AppData\Local\Temp\asx0.dll"
      signatures: Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; Enumerates system info in registry; Suspicious use of SetWindowsHookEx
      - [depth 4] C:\Windows\SysWOW64\WerFault.exe (PID 22360)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 712
        signatures: Program crash
- [depth 1] C:\Windows\System32\CompPkgSrv.exe (PID 2296)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- [depth 1] C:\Windows\System32\CompPkgSrv.exe (PID 4588)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- [depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 22316)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3564 -ip 3564
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: b2a1398f937474c51a48b347387ee36a
  SHA1: 922a8567f09e68a04233e84e5919043034635949
  SHA256: 2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6
  SHA512: 4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c
- Filesize: 152B
  MD5: 1ac52e2503cc26baee4322f02f5b8d9c
  SHA1: 38e0cee911f5f2a24888a64780ffdf6fa72207c8
  SHA256: f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4
  SHA512: 7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834
- Filesize: 111B
  MD5: 807419ca9a4734feaf8d8563a003b048
  SHA1: a723c7d60a65886ffa068711f1e900ccc85922a6
  SHA256: aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
  SHA512: f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
- Filesize: 5KB
  MD5: 9058976997ebd2c589599444fdb0aee0
  SHA1: 29ec5e34fcf5367fb0ddf5dfd6c7a7b7feef5d5c
  SHA256: 1e947f509cdc896a3e50c333d838faa7423d16d7f9db2e0601e718971c2e7ba9
  SHA512: b02c76755e6785d88ace35c178c8fdf7f09acb51c6858c9b01cba2eb20465c992a8e54bbba0f4fa2621b0416782b15d4f213ff7b09eef3f754e4b411e41457d0
- Filesize: 6KB
  MD5: 85dabb54e831ada30296324f60bbb3be
  SHA1: 40df8bff0ef112d05b52cb30cdab811467ef8b0e
  SHA256: 38c75e724054dce9d7ac3025fd75fce1c9f2863769b97cb90bb3ea77ad2e02b9
  SHA512: 6998a3f0d313ad0ecfdd0ea2fa643a0c8fc48fd6d3c5104bd3601041bbd77cb9dd7c80b09f7f142d75f588cd1f826f1e365857dd48edee62dea9cf22ec69e04b
- Filesize: 11KB
  MD5: e724c6d953cf556e7dfa1436a98ff584
  SHA1: 882f122509e55f6e11fed525f1cde0049d04d8e7
  SHA256: 5bb190f793b9416d48165fcd8755948bb0c7b26bb2465cfd5e464d3d39141265
  SHA512: 4d1097cf591dad4e738dd892e9e718c087c31728a447519c2c66ddc69535a9082d58b42baa5bf74cf0820bc67dd63d750be9d57c358aefd0c51dce44a526a350
- Filesize: 5.9MB
  MD5: 8d7cfce5a4716b167952e569a04ad5dc
  SHA1: def4fa116d274403626ba33edc2604137689842f
  SHA256: 87979231d7f6bc01754071903035f784ffcb0a246a926b1d0b1e10493241907e
  SHA512: d27123dacedca9933b484fcb432a411bb66ae5073fc6b3e2e178a5f554b69d84cf069bdddf35b83921670506bc2c0764e60310c6ca64adc89dd68e9fa90be26e
- Filesize: 100KB
  MD5: 446afe801f9738ee2bfcb6791bdcf801
  SHA1: fc43f35cd105e8954d77d8f7a48234e2576fe98e
  SHA256: ba098b19bb32b3224c759d7853f4e0ebd5751f8cf5615bcdca3d52440fa07ccc
  SHA512: f7748de18d35523aab05879944c1bfdda9a78c0b49e9b82c96b78f2e9dc8902848706857771c29cd769288d6ab98fb4b2398a92c240eca09e8dd27f297ebe92b
- Filesize: 6.7MB
  MD5: 06dcffb60e21650a7853af9a88b9a04e
  SHA1: 0021f7ae05f12f54ba5edfb2fb0c957f12fb5f4f
  SHA256: f60632e252f6fae33c0f9b4cbff4a646d35d1504d1ed0c32cb03884bd900befe
  SHA512: 2b9e599c5e6fd498d7120e5c17cf70f79b7d15c27f820305ea0a17b1612a6aee72a07d7a85a8ec35c8a9f9eeedc3e829cea6d6d7c9dcb86f58aa76137a4a17c6
- Filesize: 100KB
  MD5: d4993802b9cf3203200f899233c3e2fc
  SHA1: a632e8d796c8a0d1cf8cda55aa882b1a82b7318f
  SHA256: cff606c51ac13f4352de08f7838939c1e261bdc232a10bb94f6924d00cbd0dd6
  SHA512: 1910cf846fe61ef744dc6bcf9062caaf6ab1856a64bd8aa6849cbddcdc8fa921f0cef16d0d9cc38842345f5873724b27764307076bd50bd46bb74f643cde03bd