Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

ConsoleApp...n2.exe

windows10-1703-x64

1

ConsoleApp...n2.exe

windows10-2004-x64

7

ConsoleApp...n2.exe

windows11-21h2-x64

7

Analysis

  • max time kernel
    595s
  • max time network
    599s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/06/2024, 23:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ConsoleApplication2.exe

  • Size

    4.5MB

  • MD5

    ba6ea0efc527f2dcd8c13606a5e24e9a

  • SHA1

    43a92bb3a589acf1a8480c7f0aeb14c7def349bd

  • SHA256

    85e46e5e1a9b0117c0f1992ae253eac8fb69f854d35e7236583da529985204fc

  • SHA512

    f4e7e4828bae57b8fac2e61ba254806408ef1aa2f35ac0da2b8b9fa5de25e2eaa537344138460f78b0271b82904a3b2e22f3ba078c9d8c3fe46c4f490c0462b5

  • SSDEEP

    49152:mIvjeYIhNma2OwgHK0FqFREXY3Dl11tB+ugTizmRK6HeLAiIM1QfJPgDEWzIOwLy:mIvjeYgGoqF5DlzqTMTDEa

Score
7/10
discoveryexecutionpersistencespywarestealer

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ConsoleApplication2.exe
    "C:\Users\Admin\AppData\Local\Temp\ConsoleApplication2.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4896
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -n 1 1.1.1.1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3752
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 1 1.1.1.1
        3⤵
        • Runs ping.exe
        PID:4576
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3356
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4836
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2704
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4416
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3320
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get name
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1480
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic path win32_VideoController get name
        3⤵
        • Detects videocard installed
        PID:1212
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic cpu get name
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:448
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic cpu get name
        3⤵
          PID:5092
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wmic os get Caption /value
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3472
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic os get Caption /value
          3⤵
            PID:3612
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get currentrefreshrate
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2924
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic path win32_VideoController get currentrefreshrate
            3⤵
              PID:4084
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell Get-Content (Get-PSReadlineOption).HistorySavePath
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1504
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell Get-Content (Get-PSReadlineOption).HistorySavePath
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:3528
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c tasklist
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1912
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              3⤵
              • Enumerates processes with tasklist
              PID:2056
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c systeminfo
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3628
            • C:\Windows\SysWOW64\systeminfo.exe
              systeminfo
              3⤵
              • Gathers system information
              PID:3864
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c netsh wlan show profile
            2⤵
              PID:4840
              • C:\Windows\SysWOW64\netsh.exe
                netsh wlan show profile
                3⤵
                  PID:4468
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /value
                2⤵
                  PID:1384
                  • C:\Windows\SysWOW64\Wbem\WMIC.exe
                    wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /value
                    3⤵
                      PID:1776
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c powershell.exe -Command "Get-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation"
                    2⤵
                      PID:224
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell.exe -Command "Get-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation"
                        3⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        PID:388
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
                      2⤵
                        PID:3324
                        • C:\Windows\SysWOW64\Wbem\WMIC.exe
                          wmic csproduct get uuid
                          3⤵
                            PID:2608
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c wmic os get Caption /value
                          2⤵
                            PID:528
                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                              wmic os get Caption /value
                              3⤵
                                PID:2992
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c wmic os get Caption /value
                              2⤵
                                PID:3992
                                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                  wmic os get Caption /value
                                  3⤵
                                    PID:2344
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4168,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4372 /prefetch:8
                                1⤵
                                  PID:1620
                                • C:\Windows\system32\AUDIODG.EXE
                                  C:\Windows\system32\AUDIODG.EXE 0x47c 0x150
                                  1⤵
                                    PID:4832
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1692,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=3812 /prefetch:8
                                    1⤵
                                      PID:528

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                      Filesize

                                      1KB

                                      MD5

                                      def65711d78669d7f8e69313be4acf2e

                                      SHA1

                                      6522ebf1de09eeb981e270bd95114bc69a49cda6

                                      SHA256

                                      aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

                                      SHA512

                                      05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                      Filesize

                                      18KB

                                      MD5

                                      6aa14918810680b4265af58115ecec18

                                      SHA1

                                      f63010afab1800a82abd5290e8b58dfd664fec56

                                      SHA256

                                      8bd4c124c9a450f81983206fb691fff32f49b745cb9636ed9998975392244b3a

                                      SHA512

                                      4693be45412d68c5be2cc0385cc882830c3a6835a8e65bd4834060674912b5f8d9fadb2ccb7f4b0140b8fa70f2d471e4aa9b3f10a6d2bf1c4cc5547ae1176e95

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                      Filesize

                                      20KB

                                      MD5

                                      7335f9b91e5fb606c5c9cbfc1435ab00

                                      SHA1

                                      4ba115cc010cc83ef4076a952c6e4b7316ca2c83

                                      SHA256

                                      30df36b044f59adaa168798821219bcf7497836738ed7a4bae368e48120c3b77

                                      SHA512

                                      87da3d7fcb71395de9ae4e88a716e98c159535b798f8ee9a751416d7980e6c478ef709e6276bd6288459356dbf84b13b217b3807474ceb59a13ea46105c0e26e

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0vqp2qzd.zgj.ps1
                                      Filesize

                                      60B

                                      MD5

                                      d17fe0a3f47be24a6453e9ef58c94641

                                      SHA1

                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                      SHA256

                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                      SHA512

                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\f6HSjykrvUdpuozP\Nagogy-Grabber (Admin).zip
                                      Filesize

                                      7.7MB

                                      MD5

                                      07fcd15bd754520d8a24722444309866

                                      SHA1

                                      8fd906f1424cd9b7d53d60ec60615990f7af90f2

                                      SHA256

                                      b4b077b0a4c16e4e3f5d272bec336ebaeda3bd90f2201e64d88621a2b18a84d5

                                      SHA512

                                      217120ef908cb323612502673b0f6a7bf7c12cd2f6d0be15cd03f26a61cf0f47b968c30988b3f34215eece60ea012109e25668a692d9a48980eb9d06a5888dd0

                                      Download Submit

                                    • memory/388-63-0x0000000006B90000-0x0000000006BDC000-memory.dmp

                                      Filesize

                                      304KB

                                      Download

                                    • memory/388-52-0x0000000005F40000-0x0000000006294000-memory.dmp

                                      Filesize

                                      3.3MB

                                      Download

                                    • memory/3320-20-0x0000000007750000-0x0000000007CF4000-memory.dmp

                                      Filesize

                                      5.6MB

                                      Download

                                    • memory/3320-4-0x0000000005AB0000-0x0000000005B16000-memory.dmp

                                      Filesize

                                      408KB

                                      Download

                                    • memory/3320-17-0x0000000007100000-0x0000000007196000-memory.dmp

                                      Filesize

                                      600KB

                                      Download

                                    • memory/3320-18-0x00000000065E0000-0x00000000065FA000-memory.dmp

                                      Filesize

                                      104KB

                                      Download

                                    • memory/3320-19-0x0000000006FF0000-0x0000000007012000-memory.dmp

                                      Filesize

                                      136KB

                                      Download

                                    • memory/3320-0-0x00000000027C0000-0x00000000027F6000-memory.dmp

                                      Filesize

                                      216KB

                                      Download

                                    • memory/3320-15-0x00000000060E0000-0x00000000060FE000-memory.dmp

                                      Filesize

                                      120KB

                                      Download

                                    • memory/3320-1-0x00000000052E0000-0x0000000005908000-memory.dmp

                                      Filesize

                                      6.2MB

                                      Download

                                    • memory/3320-14-0x0000000005C20000-0x0000000005F74000-memory.dmp

                                      Filesize

                                      3.3MB

                                      Download

                                    • memory/3320-2-0x0000000005240000-0x0000000005262000-memory.dmp

                                      Filesize

                                      136KB

                                      Download

                                    • memory/3320-3-0x0000000005A40000-0x0000000005AA6000-memory.dmp

                                      Filesize

                                      408KB

                                      Download

                                    • memory/3320-16-0x0000000006110000-0x000000000615C000-memory.dmp

                                      Filesize

                                      304KB

                                      Download

                                    • memory/3528-39-0x00000000081A0000-0x000000000881A000-memory.dmp

                                      Filesize

                                      6.5MB

                                      Download

                                    • memory/3528-38-0x0000000007AA0000-0x0000000007B16000-memory.dmp

                                      Filesize

                                      472KB

                                      Download

                                    • memory/3528-37-0x0000000006BE0000-0x0000000006C24000-memory.dmp

                                      Filesize

                                      272KB

                                      Download

                                    • memory/3528-36-0x0000000006C40000-0x0000000006C8C000-memory.dmp

                                      Filesize

                                      304KB

                                      Download

                                    • memory/3528-30-0x0000000006070000-0x00000000063C4000-memory.dmp

                                      Filesize

                                      3.3MB

                                      Download

                                    • memory/4896-88-0x0000000075520000-0x0000000075559000-memory.dmp

                                      Filesize

                                      228KB

                                      Download

                                    • memory/4896-185-0x0000000075520000-0x0000000075559000-memory.dmp

                                      Filesize

                                      228KB

                                      Download