Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
7Static
static
3vapev4[1].exe
windows11-21h2-x64
7$PLUGINSDI...ls.dll
windows11-21h2-x64
3$PLUGINSDI...em.dll
windows11-21h2-x64
3LICENSES.c...m.html
windows11-21h2-x64
1d3dcompiler_47.dll
windows11-21h2-x64
1ffmpeg.dll
windows11-21h2-x64
1libEGL.dll
windows11-21h2-x64
1libGLESv2.dll
windows11-21h2-x64
1resources/elevate.exe
windows11-21h2-x64
1sigortacixd.exe
windows11-21h2-x64
7vk_swiftshader.dll
windows11-21h2-x64
1vulkan-1.dll
windows11-21h2-x64
1$PLUGINSDI...7z.dll
windows11-21h2-x64
3Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system -
submitted
13/06/2024, 12:16
Static task
static1
Behavioral task
behavioral1
Sample
vapev4[1].exe
Resource
win11-20240611-en
windows11-21h2-x64
Behavioral task
behavioral2
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win11-20240508-en
windows11-21h2-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win11-20240419-en
windows11-21h2-x64
Behavioral task
behavioral4
Sample
LICENSES.chromium.html
Resource
win11-20240611-en
windows11-21h2-x64
Behavioral task
behavioral5
Sample
d3dcompiler_47.dll
Resource
win11-20240611-en
windows11-21h2-x64
Behavioral task
behavioral6
Sample
ffmpeg.dll
Resource
win11-20240508-en
windows11-21h2-x64
Behavioral task
behavioral7
Sample
libEGL.dll
Resource
win11-20240508-en
windows11-21h2-x64
Behavioral task
behavioral8
Sample
libGLESv2.dll
Resource
win11-20240508-en
windows11-21h2-x64
Behavioral task
behavioral9
Sample
resources/elevate.exe
Resource
win11-20240611-en
windows11-21h2-x64
Behavioral task
behavioral10
Sample
sigortacixd.exe
Resource
win11-20240508-en
windows11-21h2-x64
Behavioral task
behavioral11
Sample
vk_swiftshader.dll
Resource
win11-20240611-en
windows11-21h2-x64
Behavioral task
behavioral12
Sample
vulkan-1.dll
Resource
win11-20240611-en
windows11-21h2-x64
Behavioral task
behavioral13
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win11-20240508-en
windows11-21h2-x64
General
-
Target
sigortacixd.exe
-
Size
154.8MB
-
MD5
46253ba66e62c99f2b4f56ad079f4a15
-
SHA1
15b5b512fea69bc6082265b574b5548d4169e712
-
SHA256
70f82bf21f88abd131fe52fc21b85c2778715af3d28d8c8bec8729389013d59d
-
SHA512
9e5e2eba88287ea8220487a7afa8aaccf970c530988ca8c407aa17a9db38d1c2bfffe3f2420722e05b9c7826054dd1577abe71abfc4909d822ed3a128adcd93b
-
SSDEEP
1572864:1UNrUK1epsL/7TCuLct0wGWlm0ZMy2Q5t92grqsSlHSIcelNVtC+vp5FD+gr0cAU:eegW7q48MGo
Malware Config
Signatures
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe sigortacixd.exe -
Loads dropped DLL 2 IoCs
pid Process 3132 sigortacixd.exe 3132 sigortacixd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 2152 tasklist.exe 1812 tasklist.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 3132 sigortacixd.exe 3132 sigortacixd.exe 3132 sigortacixd.exe 3132 sigortacixd.exe 3132 sigortacixd.exe 3132 sigortacixd.exe 3732 sigortacixd.exe 3732 sigortacixd.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1812 tasklist.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeDebugPrivilege 2152 tasklist.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe Token: SeShutdownPrivilege 3132 sigortacixd.exe Token: SeCreatePagefilePrivilege 3132 sigortacixd.exe -
Suspicious use of WriteProcessMemory 43 IoCs
description pid Process procid_target PID 3132 wrote to memory of 4972 3132 sigortacixd.exe 78 PID 3132 wrote to memory of 4972 3132 sigortacixd.exe 78 PID 4972 wrote to memory of 1812 4972 cmd.exe 80 PID 4972 wrote to memory of 1812 4972 cmd.exe 80 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5116 3132 sigortacixd.exe 82 PID 3132 wrote to memory of 5032 3132 sigortacixd.exe 83 PID 3132 wrote to memory of 5032 3132 sigortacixd.exe 83 PID 3132 wrote to memory of 1316 3132 sigortacixd.exe 84 PID 3132 wrote to memory of 1316 3132 sigortacixd.exe 84 PID 1316 wrote to memory of 2152 1316 cmd.exe 86 PID 1316 wrote to memory of 2152 1316 cmd.exe 86 PID 3132 wrote to memory of 3732 3132 sigortacixd.exe 87 PID 3132 wrote to memory of 3732 3132 sigortacixd.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\sigortacixd.exe"C:\Users\Admin\AppData\Local\Temp\sigortacixd.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1812
-
-
-
C:\Users\Admin\AppData\Local\Temp\sigortacixd.exe"C:\Users\Admin\AppData\Local\Temp\sigortacixd.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\zz" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1892,i,14752151691650645064,13220161137471478584,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵PID:5116
-
-
C:\Users\Admin\AppData\Local\Temp\sigortacixd.exe"C:\Users\Admin\AppData\Local\Temp\sigortacixd.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\zz" --mojo-platform-channel-handle=1732 --field-trial-handle=1892,i,14752151691650645064,13220161137471478584,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:82⤵PID:5032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"2⤵
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\system32\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2152
-
-
-
C:\Users\Admin\AppData\Local\Temp\sigortacixd.exe"C:\Users\Admin\AppData\Local\Temp\sigortacixd.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\zz" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1564 --field-trial-handle=1892,i,14752151691650645064,13220161137471478584,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:3732
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD54d46c172c39805df5c9de9af42ba5a88
SHA1a2dd4f8e3d798f68f8530d5f7d254ad224c8587b
SHA2565623d8e82583c26d405e82add2f80945ff8a797e40ff52640e1390259edcd4c6
SHA512f809a0631579936d9b6b618cb95b27c643cea9add825fafd48a86bc8d2853079321a8b9afa750585f811f3a92617e4bc8e67b89aca00f3c591a50cbbb14a7f5d
-
Filesize
154KB
MD5db6a7abae9b0da59c9011ed4f94b6fbd
SHA1e73242bf71c93beb7156534f3f2502d44eb15d5d
SHA2564ee5214adfb5178ad574585d8834b21f83718dc0c47a53a406935c713be0c167
SHA512e02cea4dcaa056196cdc6c1146bf9379270b0f062b807cb5eb247e3842830b525127132286525eb21920d0ace24ab14d66758402487b410d58ba847a29955c5b