Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
9Static
static
7DLL/msvcp140d.zip
windows11-21h2-x64
4msvcp140d.dll
windows11-21h2-x64
1DLL/try.exe
windows11-21h2-x64
9DLL/ucrtbased.zip
windows11-21h2-x64
1ucrtbased.dll
windows11-21h2-x64
1DLL/vcrunt...1d.zip
windows11-21h2-x64
1vcruntime140_1d.dll
windows11-21h2-x64
1DLL/vcruntime140d.zip
windows11-21h2-x64
1vcruntime140d.dll
windows11-21h2-x64
1Setup.exe
windows11-21h2-x64
9idman642build17.exe
windows11-21h2-x64
8Analysis
-
max time kernel
133s -
max time network
123s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
03/08/2024, 05:57
Behavioral task
behavioral1
Sample
DLL/msvcp140d.zip
Resource
win11-20240802-en
Behavioral task
behavioral2
Sample
msvcp140d.dll
Resource
win11-20240802-en
Behavioral task
behavioral3
Sample
DLL/try.exe
Resource
win11-20240802-en
Behavioral task
behavioral4
Sample
DLL/ucrtbased.zip
Resource
win11-20240802-en
Behavioral task
behavioral5
Sample
ucrtbased.dll
Resource
win11-20240802-en
Behavioral task
behavioral6
Sample
DLL/vcruntime140_1d.zip
Resource
win11-20240802-en
Behavioral task
behavioral7
Sample
vcruntime140_1d.dll
Resource
win11-20240802-en
Behavioral task
behavioral8
Sample
DLL/vcruntime140d.zip
Resource
win11-20240802-en
Behavioral task
behavioral9
Sample
vcruntime140d.dll
Resource
win11-20240802-en
Behavioral task
behavioral10
Sample
Setup.exe
Resource
win11-20240802-en
Behavioral task
behavioral11
Sample
idman642build17.exe
Resource
win11-20240802-en
General
-
Target
DLL/try.exe
-
Size
3.2MB
-
MD5
72fb4d268a7dc2eb8152554d8bbc8fc8
-
SHA1
eb37533b8ba3222fab367e12655a100b1176861f
-
SHA256
a3ef1710401a745f77c2dd06b1e737f49fe513fa565aa3787f49451a915551a2
-
SHA512
e0f6bfe0036a5fac121357335b01b41affc0563bb87157876aa55e1588ea1b67ed9439f4a8679199dbbc40b6a86a1977ec533b901de5b1badaeef0fffc7da601
-
SSDEEP
49152:b9EDPnCegEtmBTs02Yhgqp3TihYzzxxg3wsIVe3pI0mmR7+A+mLO+iaFovVL3q:b9mtiTs0pcyvxxADR7+ILnFG
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Executes dropped EXE 1 IoCs
pid Process 2468 Activator.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\D: try.exe File opened (read-only) \??\F: try.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 13 ipinfo.io 26 ipinfo.io 1 ipinfo.io -
Program crash 1 IoCs
pid pid_target Process procid_target 2504 3768 WerFault.exe 79 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language try.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Activator.exe -
Suspicious behavior: EnumeratesProcesses 38 IoCs
pid Process 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe 3768 try.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3768 wrote to memory of 2468 3768 try.exe 84 PID 3768 wrote to memory of 2468 3768 try.exe 84 PID 3768 wrote to memory of 2468 3768 try.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\DLL\try.exe"C:\Users\Admin\AppData\Local\Temp\DLL\try.exe"1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3768 -
C:\Users\Admin\AppData\Local\Temp\Activator.exe"C:\Users\Admin\AppData\Local\Temp\Activator.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2468
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 11602⤵
- Program crash
PID:2504
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3768 -ip 37681⤵PID:2280
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
194KB
MD52b2204c85f334de4695369f631926664
SHA1f2704bd77341c26f3217cde9d9458b072a550f34
SHA25669db6b1262af756060efd63ca54a933cbec740ac193221a88bbc46df9ac53de9
SHA512e7cfd3d263cb93e06470279fc22fac243080619a12490ba2c3daaeda0cf6b74da095129d38db3180b1c3478d30f96ae8701bb684cca44e40993efeba620aa019