Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/05/2024, 20:07

Behavioral task: behavioral1
- Sample: salikhack.exe
- Resource: win7-20240221-en

General
- Target: salikhack.exe
- Size: 6.8MB
- MD5: 92290d3c06e414319fb42fc0f7d981d0
- SHA1: 6396501c4acd9e06a44f75f136528535e8003dce
- SHA256: 3d10fcb6f54d01863d35000decd99bc4234266b668263035c55597e09c885f43
- SHA512: 2d59d0121b48e442ba2d2af2639afe928664238ef51e819a634c7c71aebfbaf87f3e8a033285111046d2f50c9a286b611143aac5c227a000ec5d4be65e5bc294
- SSDEEP: 196608:xclQtVzCfE9FQs1W/ojxuBxn86iiYY1BC:x5VOfE9FQUWQjxy8T5
Signatures

Detect Blackmoon payload (2 IoCs)
- resource behavioral2/files/0x0007000000023400-17.dat: yara_rule family_blackmoon
- resource behavioral2/memory/848-23-0x0000000000400000-0x0000000000ADE000-memory.dmp: yara_rule family_blackmoon

Poullight Stealer payload (3 IoCs)
- resource behavioral2/files/0x0008000000022f51-4.dat: yara_rule family_poullight
- resource behavioral2/memory/3720-12-0x000001F4E16A0000-0x000001F4E16C0000-memory.dmp: yara_rule family_poullight
- resource behavioral2/memory/848-23-0x0000000000400000-0x0000000000ADE000-memory.dmp: yara_rule family_poullight

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (process: salikhack.exe)

Executes dropped EXE (3 IoCs)
- PID 3720: build.exe
- PID 1712: sakl.exe
- PID 4540: asx0.dll

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
- PID 4540: asx0.dll (7 entries)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
- PID 30388: WerFault.exe, pid_target 4540, procid_target 109

Enumerates system info in registry (2 TTPs, 5 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: asx0.dll)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: asx0.dll)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: msedge.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 4828: msedge.exe (2 entries)
- PID 1484: msedge.exe (2 entries)
- PID 3720: build.exe (3 entries)
- PID 1712: sakl.exe (all remaining entries; 64 listed in total)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
- PID 1484: msedge.exe (3 entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 3720: build.exe

Suspicious use of FindShellTrayWindow (25 IoCs)
- PID 1484: msedge.exe (25 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
- PID 1484: msedge.exe (24 entries)

Suspicious use of SetWindowsHookEx (4 IoCs)
- PID 1712: sakl.exe (2 entries)
- PID 4540: asx0.dll (2 entries)

Suspicious use of WriteProcessMemory (64 IoCs; duplicate rows collapsed)
- PID 848 (salikhack.exe) wrote to memory of PID 3720, procid_target 83 (2 entries)
- PID 848 (salikhack.exe) wrote to memory of PID 1712, procid_target 84 (3 entries)
- PID 1712 (sakl.exe) wrote to memory of PID 1484, procid_target 85 (2 entries)
- PID 1484 (msedge.exe) wrote to memory of PID 4708, procid_target 86 (2 entries)
- PID 1484 (msedge.exe) wrote to memory of PID 620, procid_target 87 (repeated entries)
- PID 1484 (msedge.exe) wrote to memory of PID 4828, procid_target 88 (2 entries)
- PID 1484 (msedge.exe) wrote to memory of PID 4692, procid_target 89 (repeated entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\salikhack.exe (PID 848)
  Command line: "C:\Users\Admin\AppData\Local\Temp\salikhack.exe"
  Flags: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\build.exe (PID 3720)
    Command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
    Flags: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\sakl.exe (PID 1712)
    Command line: "C:\Users\Admin\AppData\Local\Temp\sakl.exe"
    Flags: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1484)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://jq.qq.com/?_wv=1027&k=57Cts1S
      Flags: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4708)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffeb6946f8,0x7fffeb694708,0x7fffeb694718
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 620)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,15522386932294707478,1886841645446707208,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4828)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,15522386932294707478,1886841645446707208,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
        Flags: Suspicious behavior: EnumeratesProcesses
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4692)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,15522386932294707478,1886841645446707208,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1184)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15522386932294707478,1886841645446707208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1444)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15522386932294707478,1886841645446707208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5024)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,15522386932294707478,1886841645446707208,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 20140)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,15522386932294707478,1886841645446707208,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3080 /prefetch:2
    - C:\Users\Admin\AppData\Local\Temp\asx0.dll (PID 4540)
      Command line: "C:\Users\Admin\AppData\Local\Temp\asx0.dll"
      Flags: Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; Enumerates system info in registry; Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\WerFault.exe (PID 30388)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 704
        Flags: Program crash
- C:\Windows\System32\CompPkgSrv.exe (PID 952)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 4180)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\SysWOW64\WerFault.exe (PID 30372)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4540 -ip 4540
Downloads