Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/06/2024, 01:31

General

  • Target

    9fb3189684afe5e097f7cd1122e9228289967361d0d43738c927cce5b5d3a1f8.exe

  • Size

    326KB

  • MD5

    2274f9d8e7fb7825466a3e8a74afaa67

  • SHA1

    f11bf9ec82a7a56bd83bc42198fff51c322c6445

  • SHA256

    9fb3189684afe5e097f7cd1122e9228289967361d0d43738c927cce5b5d3a1f8

  • SHA512

    66aa6c262f0fc44f739e2cbfe2d70d3ad9ab3439e9fcb49d82b2a360c3a692c32b6320c81a0219adf1d39b2ffbc03c6758ca6bb76884dd3fb23d049f0b9055e8

  • SSDEEP

    6144:YaVWdyzOxeA1DfdwX3MmIOFg8vMn9S3N+WAGVkyzzbnicRmEzoC:YMROxdDfOnMmXaW9dVkyLicIs

Score
9/10

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9fb3189684afe5e097f7cd1122e9228289967361d0d43738c927cce5b5d3a1f8.exe
    "C:\Users\Admin\AppData\Local\Temp\9fb3189684afe5e097f7cd1122e9228289967361d0d43738c927cce5b5d3a1f8.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Users\Admin\AppData\Local\Temp\7zSCBDF4857\setup-stub.exe
      .\setup-stub.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:4180
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 2228
        3⤵
        • Program crash
        PID:968
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4180 -ip 4180
    1⤵
      PID:2436

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\7zSCBDF4857\setup-stub.exe

      Filesize

      465KB

      MD5

      e02ec4f1e463e59d089b1f933b2d3b9e

      SHA1

      d351495cd8053518846ecfb5136f2b0229ae2ab9

      SHA256

      1dee41f355cb45ea62b531b52ff59ca7fd040491d9bfc170a2f4c3400bdfc958

      SHA512

      2e4381f983088fdf28b4d323f52d444b960154403dea21d13da1631eba66d0eec53d88dcdcc351f48af18896fd952e0a8b2c79b8bfbe4be28eab4e5925e8e559

    • C:\Users\Admin\AppData\Local\Temp\nsk4789.tmp\CityHash.dll

      Filesize

      43KB

      MD5

      737379945745bb94f8a0dadcc18cad8d

      SHA1

      6a1f497b4dc007f5935b66ec83b00e5a394332c6

      SHA256

      d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a

      SHA512

      c4a43b3ca42483cbd117758791d4333ddf38fa45eb3377f7b71ce74ec6e4d8b5ef2bfbe48c249d4eaf57ab929f4301138e53c79e0fa4be94dcbcd69c8046bc22

    • C:\Users\Admin\AppData\Local\Temp\nsk4789.tmp\InetBgDL.dll

      Filesize

      7KB

      MD5

      d4f7b4f9c296308e03a55cb0896a92fc

      SHA1

      63065bed300926a5b39eabf6efdf9296ed46e0cc

      SHA256

      6b553f94ac133d8e70fac0fcaa01217fae24f85d134d3964c1beea278191cf83

      SHA512

      d4acc719ae29c53845ccf4778e1d7ed67f30358af30545fc744facdb9f4e3b05d8cb7dc5e72c93895259e9882471c056395ab2e6f238310841b767d6acbcd6c1

    • C:\Users\Admin\AppData\Local\Temp\nsk4789.tmp\System.dll

      Filesize

      12KB

      MD5

      6e55a6e7c3fdbd244042eb15cb1ec739

      SHA1

      070ea80e2192abc42f358d47b276990b5fa285a9

      SHA256

      acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506

      SHA512

      2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

    • C:\Users\Admin\AppData\Local\Temp\nsk4789.tmp\UAC.dll

      Filesize

      18KB

      MD5

      113c5f02686d865bc9e8332350274fd1

      SHA1

      4fa4414666f8091e327adb4d81a98a0d6e2e254a

      SHA256

      0d21041a1b5cd9f9968fc1d457c78a802c9c5a23f375327e833501b65bcd095d

      SHA512

      e190d1ee50c0b2446b14f0d9994a0ce58f5dbd2aa5d579f11b3a342da1d4abf0f833a0415d3817636b237930f314be54e4c85b4db4a9b4a3e532980ea9c91284

    • C:\Users\Admin\AppData\Local\Temp\nsk4789.tmp\UserInfo.dll

      Filesize

      4KB

      MD5

      61ecfcdd332cb31d32c6c019052834a2

      SHA1

      6de38d0c8991d349d29c208e98c44dbd02682f43

      SHA256

      910749b3dbf360b06cec386ef2133edf07612f6e5bbf3bdd0a4eaeb27db9ce08

      SHA512

      e1f8cea77a39628116dd05c8a8c1c149f254265bd4ffa36880251254e3e921619048620e8e61d3f299503528e2d54ccb8e181a075c01c94e3a4916fe1a152393

    • C:\Users\Admin\AppData\Local\Temp\nsk4789.tmp\WebBrowser.dll

      Filesize

      93KB

      MD5

      dfe24aa39f009e9d98b20b7c9cc070b1

      SHA1

      f48e4923c95466f689e8c5408265b52437ed2701

      SHA256

      8ec65a3d8ae8a290a6066773e49387fd368f5697392dfb58eac1b63640e30444

      SHA512

      665ce32d3776b1b41f95ed685054a796d0c1938dbc237619fa6309d1b52ae3bd44e3cf0a1f53ebf88556f7603111cca6dff1bfc917a911e0a9ce04affd0d5261

    • C:\Users\Admin\AppData\Local\Temp\nsk4789.tmp\installing.html

      Filesize

      1KB

      MD5

      32de55f44c497811dd7ed7f227f5c28d

      SHA1

      c111be08e7f3d268e7a2ed160d0c30833f25ae4a

      SHA256

      6259f3a41a703f13466503e6fbd37ca40e94f565a2f4b4087fbcd87a13bf3ee1

      SHA512

      48bb6f24b3ee2f4b7052205a3843ea34f917ee192b70261d2438c037b0e17d48bce8beb4c31be4141e9618922a45b6b47745b797e5618f18fe00bfc1625309ef

    • C:\Users\Admin\AppData\Local\Temp\nsk4789.tmp\installing.js

      Filesize

      2KB

      MD5

      dfa7861bca754036ab853b3bb02b194d

      SHA1

      46d7c5ba614b39caa4857fcba4bdedbabb2c67c0

      SHA256

      2c286b6eefd38f032a385f3ac6a1f794deab3bac0fbff71bd0ba21453f477878

      SHA512

      c58d96fb2496a84261a5e4b18cf4156a30f9ad161bbabc3652b6b5c24976f1ac432dced31927a9443260cdca0292524d1f691766b7c0731f926d37be11fe0c64

    • C:\Users\Admin\AppData\Local\Temp\nsk4789.tmp\stub_common.js

      Filesize

      817B

      MD5

      58b8ac894c64370cfa137f5848aeb88d

      SHA1

      6a1ac1f88a918a232b79fe798b2de69cf433945f

      SHA256

      0e28aa770b0afade30be85c6dc1e50344db8f8cdd3fa01989d81a9e20a4990bd

      SHA512

      ae309518e0f926021e4d9378950c1a375263247d4f79d8a8cc09464cd01653ae5e707d52a4b0c36d532e649c246f4be6b5ba8648f58fb0e3e40c495ae63180ab

    • memory/3516-0-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB

    • memory/3516-65-0x0000000000400000-0x0000000000446000-memory.dmp

      Filesize

      280KB