Analysis
- max time kernel: 146s
- max time network: 151s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 12/08/2024, 08:29
Static task: static1
Behavioral task: behavioral1
- Sample: app.exe
- Resource: win10-20240611-en
Behavioral task: behavioral2
- Sample: app.exe
- Resource: win10v2004-20240802-en
General
- Target: app.exe
- Size: 36.2MB
- MD5: 162cde9051852237c54f6ba5caf4d62a
- SHA1: e88fd479322a27f9a2d4fc7514f4d4f85d248cd3
- SHA256: 6a356e0fdfd98bdc75acdbe7761edb8be958be83387b7a8cc1a09a3be2ecb9bd
- SHA512: 1e0152df595eb429b0258a45ed15c541caf0f8c0eb6e4c07e886b95632f03cd022c2bc54ade4494e764cdd286d3bf3a8c0166b56d16138e9128a321a2ed2438e
- SSDEEP: 393216:RQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mgm96l+ZArYsFRlpPR:R3on1HvSzxAMNmFZArYsBPv67OZwjW
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  pid 3564, process app.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates processes with tasklist (1 TTP, 1 IoC)
  pid 2680, process tasklist.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege; pid 2680, process tasklist.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                         pid   process   procid_target
  PID 3564 wrote to memory of 3880    3564  app.exe   82
  PID 3564 wrote to memory of 3880    3564  app.exe   82
  PID 3564 wrote to memory of 3008    3564  app.exe   83
  PID 3564 wrote to memory of 3008    3564  app.exe   83
  PID 3008 wrote to memory of 2680    3008  cmd.exe   84
  PID 3008 wrote to memory of 2680    3008  cmd.exe   84
Processes
- C:\Users\Admin\AppData\Local\Temp\app.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\app.exe"
  PID: 3564
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /d /s /c "start "" "${filePath}""
    PID: 3880
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    PID: 3008
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\tasklist.exe
      Command line: tasklist
      PID: 2680
      Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node
  Filesize: 1.8MB
  MD5: 66a65322c9d362a23cf3d3f7735d5430
  SHA1: ed59f3e4b0b16b759b866ef7293d26a1512b952e
  SHA256: f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c
  SHA512: 0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21