Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

4193f57c71...93.exe

windows7-x64

9

4193f57c71...93.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/06/2024, 20:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4193f57c71a4c5a46fb50bbadee6e9d1786bba4820f17da52bbd0b741e311693.exe

  • Size

    387KB

  • MD5

    6a83e0018512174846a87c577db58ba2

  • SHA1

    91e67bb940eb4736aca57e93f9251cc21816e7fd

  • SHA256

    4193f57c71a4c5a46fb50bbadee6e9d1786bba4820f17da52bbd0b741e311693

  • SHA512

    52032a277a6c5f204efce6b122c453c08bcc9bb47b1f486d27a328e197163f24abef622744879dadc69ea4d771e4b1f8e925c6556014d9177f0e5dad12dd9a85

  • SSDEEP

    6144:/rTfUHeeSKOS9ccFKk3Y9t9YZjuiYz1MpA5nL:/n8yN0Mr8ZjtI1z5nL

Score
9/10
persistencespywarestealer

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 20 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4193f57c71a4c5a46fb50bbadee6e9d1786bba4820f17da52bbd0b741e311693.exe
    "C:\Users\Admin\AppData\Local\Temp\4193f57c71a4c5a46fb50bbadee6e9d1786bba4820f17da52bbd0b741e311693.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1496
    • C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4160
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3668 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:872

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\Microsoft Build\Isass.exe
      Filesize

      387KB

      MD5

      6a83e0018512174846a87c577db58ba2

      SHA1

      91e67bb940eb4736aca57e93f9251cc21816e7fd

      SHA256

      4193f57c71a4c5a46fb50bbadee6e9d1786bba4820f17da52bbd0b741e311693

      SHA512

      52032a277a6c5f204efce6b122c453c08bcc9bb47b1f486d27a328e197163f24abef622744879dadc69ea4d771e4b1f8e925c6556014d9177f0e5dad12dd9a85

      Download Submit

    • C:\odt\office2016setup.exe
      Filesize

      5.5MB

      MD5

      0d87f9b022eb9de5206b939610f91c15

      SHA1

      af088d0b3a9888fb244affa76c327645137a3c11

      SHA256

      fa975a3766239301aaf689c23ffd13194e241cafc1afdfef04718cac2eae4b34

      SHA512

      a8f11e25dd3d8bf8e938425dc1a5692ebf7d000f9a6b2686aebf05448cea124f47717a043fcc774551bd3f12f0bcaa0d2c049caba9d06732fc7142e2185b48b0

      Download Submit

    • memory/1496-8-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/1496-0-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/1496-1-0x0000000001AA0000-0x0000000001AA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4160-21-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/4160-28-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/4160-10-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/4160-13-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/4160-17-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/4160-7-0x0000000001A50000-0x0000000001A51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4160-6-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/4160-22-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/4160-27-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/4160-9-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/4160-34-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/4160-38-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/4160-45-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/4160-46-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/4160-54-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/4160-55-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download

    • memory/4160-64-0x0000000000400000-0x00000000016A8E52-memory.dmp

      Filesize

      18.7MB

      Download