Analysis
- max time kernel: 91s
- max time network: 137s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 01/06/2024, 13:46
Static task: static1
Behavioral task: behavioral1
- Sample: Authenticator.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: Authenticator.exe
- Resource: win10v2004-20240508-en
General
- Target: Authenticator.exe
- Size: 3.5MB
- MD5: 7c0c6044c5a9a14feb436705b0eb29d2
- SHA1: 029d9abe075599e013aa1e76d33b78470aab9c5b
- SHA256: 597ca08dea2c7aa2551cd932c2d79cc6f12fb24f4ac9ecaf1ba45a0c3576c3e2
- SHA512: 64bdeec8be75a99687c1ccf3284e6453f48978b9fcebcf6ef8a31e7e36ba7fd38f2e0a31ae79693cae1fa44930a1752341dd173989f4fe42caaef541767ce074
- SSDEEP: 49152:yNAryfH4y9JnO/BXCRr2mLxZHQy1RhCvBl6j/IvOnb08InAT23HAGdmb:322/vjAbYb3gGd
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 1832, Process: ConvertDatabase_[2MB]_[unsign].exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID 1832, Process: ConvertDatabase_[2MB]_[unsign].exe (same entry repeated 10 times)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Description: PID 2656 wrote to memory of 1832; PID 2656, Process: Authenticator.exe, procid_target: 82 (same entry repeated 3 times)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\Authenticator.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Authenticator.exe"
  PID: 2656
  - Suspicious use of WriteProcessMemory
  - Level 2 (child of PID 2656): C:\Temp\Kits64\1\ConvertDatabase_[2MB]_[unsign].exe
    Command line: "C:\Temp\Kits64\1/ConvertDatabase_[2MB]_[unsign].exe"
    PID: 1832
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.8MB
  MD5: 4404d147bc680a067abd60f798b60647
  SHA1: 8c484e8d27795725d58f31cd16e2c955c0d91b0a
  SHA256: ae5dbcaa5ce696f3bef64c58e1461ec91da0cf8ab35569a0f057289f3ecbddcd
  SHA512: cd58a787587591808d6f71a6c57778191a5aa8a9b9fdaaf5aacb14a04f4530b98b80621f475a249999c431898e069451ecaa29c375fcc879f8b1017e9a388100