Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/08/2024, 23:38
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 3eb4b618d149462629c3c7c6bcfe40fb212485a5310a3ff6809d7aaf4befabdb.exe
  - Resource: win7-20240705-en
General
- Target: 3eb4b618d149462629c3c7c6bcfe40fb212485a5310a3ff6809d7aaf4befabdb.exe
- Size: 3.1MB
- MD5: daf1916511811c5c9f879a1299141822
- SHA1: cc2fcbfc3ebbf57785df5fe3f8ed1874622e3e04
- SHA256: 3eb4b618d149462629c3c7c6bcfe40fb212485a5310a3ff6809d7aaf4befabdb
- SHA512: 8ec1ebf6afca7ec4596fefe87837df7a931373cfb023cbe62a8776c4ddb84df027c1e07a312b55d3a6ca8753f07f0300a9408e3cf025b3f31ff573720e033c5d
- SSDEEP: 49152:DVAbw8VyRPkVwSdyKE6a8anqApzEVZnk8m0Uf89+zvi1QXsy4TpM+DWUl+n1aso:pA7VyRPS7MLq4ykF09+riyXWz6Ha
Malware Config
Signatures
- Downloads MZ/PE file

- Executes dropped EXE (3 IoCs)
  pid  | Process
  1156 | setup.exe
  2612 | setup.exe
  2740 | setup.exe

- Loads dropped DLL (3 IoCs)
  pid  | Process
  1156 | setup.exe
  2612 | setup.exe
  2740 | setup.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
  No IoC rows are listed for this signature; the only browser-profile paths in the trace are the Opera GX crash-report paths on the crashpad-handler command line in the process tree below.

- Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description             | ioc   | Process
  File opened (read-only) | \??\D: | setup.exe
  File opened (read-only) | \??\F: | setup.exe

- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                       | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3eb4b618d149462629c3c7c6bcfe40fb212485a5310a3ff6809d7aaf4befabdb.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | setup.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | setup.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | setup.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid  | Process
  1156 | setup.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Nine entries covering three parent/child pairs, each recorded three times. The NLS\Language key read and the WriteProcessMemory calls around process creation are also produced by ordinary installers, so treat them as context rather than as verdict-grade indicators on their own.
  description          | pid  | Process                                                              | procid_target
  PID 3508 wrote to memory of 1156 | 3508 | 3eb4b618d149462629c3c7c6bcfe40fb212485a5310a3ff6809d7aaf4befabdb.exe | 86
  PID 3508 wrote to memory of 1156 | 3508 | 3eb4b618d149462629c3c7c6bcfe40fb212485a5310a3ff6809d7aaf4befabdb.exe | 86
  PID 3508 wrote to memory of 1156 | 3508 | 3eb4b618d149462629c3c7c6bcfe40fb212485a5310a3ff6809d7aaf4befabdb.exe | 86
  PID 1156 wrote to memory of 2612 | 1156 | setup.exe | 89
  PID 1156 wrote to memory of 2612 | 1156 | setup.exe | 89
  PID 1156 wrote to memory of 2612 | 1156 | setup.exe | 89
  PID 1156 wrote to memory of 2740 | 1156 | setup.exe | 91
  PID 1156 wrote to memory of 2740 | 1156 | setup.exe | 91
  PID 1156 wrote to memory of 2740 | 1156 | setup.exe | 91
Processes
The tree below is the report's process list; the number before each entry is its depth in the tree. The sample extracts to a 7zS* directory under %TEMP% (the naming a 7-Zip SFX uses) and runs setup.exe from there. That setup.exe spawns itself as a Chromium crashpad crash-reporting handler configured with Opera's collector URL and Opera GX product/version annotations, and runs a second setup.exe from an "Opera GX Installer Temp" directory with --version.

1. C:\Users\Admin\AppData\Local\Temp\3eb4b618d149462629c3c7c6bcfe40fb212485a5310a3ff6809d7aaf4befabdb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3eb4b618d149462629c3c7c6bcfe40fb212485a5310a3ff6809d7aaf4befabdb.exe"
   PID: 3508
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\7zS4BDB46B7\setup.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\7zS4BDB46B7\setup.exe
      PID: 1156 (parent 3508)
      - Executes dropped EXE
      - Loads dropped DLL
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\7zS4BDB46B7\setup.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\7zS4BDB46B7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=112.0.5197.60 --initial-client-data=0x32c,0x330,0x334,0x2f0,0x338,0x74b41b54,0x74b41b60,0x74b41b6c
         PID: 2612 (parent 1156)
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery

      3. C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
         PID: 2740 (parent 1156)
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
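Reports like this one flatten the parent/child relationships into repeated "wrote to memory" rows. The script below, an added example and not tria.ge's own code or export format, rebuilds the process tree from those rows and flags any process whose image sits in a 7-Zip SFX extraction directory. The input is hand-transcribed from the report above (constructed data); the 7zS-prefix regex is an assumption used as the indicator here, and the parent/child pairing is inferred from which PID wrote to which.

```python
"""Rebuild a process tree from tria.ge-style WriteProcessMemory rows and
flag executables launched from a 7-Zip SFX extraction directory.

Added example, not part of the original report. Inputs are transcribed
by hand from the report (constructed test data, not a parser for
tria.ge's real export format).
"""
import re
from collections import defaultdict

# Constructed from the report's process list: pid -> image path.
PROCESSES = {
    3508: r"C:\Users\Admin\AppData\Local\Temp\3eb4b618d149462629c3c7c6bcfe40fb212485a5310a3ff6809d7aaf4befabdb.exe",
    1156: r"C:\Users\Admin\AppData\Local\Temp\7zS4BDB46B7\setup.exe",
    2612: r"C:\Users\Admin\AppData\Local\Temp\7zS4BDB46B7\setup.exe",
    2740: r"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe",
}

# Constructed from the report's "Suspicious use of WriteProcessMemory" rows.
WPM_EVENTS = """\
PID 3508 wrote to memory of 1156 3508 3eb4b618d149462629c3c7c6bcfe40fb212485a5310a3ff6809d7aaf4befabdb.exe 86
PID 3508 wrote to memory of 1156 3508 3eb4b618d149462629c3c7c6bcfe40fb212485a5310a3ff6809d7aaf4befabdb.exe 86
PID 3508 wrote to memory of 1156 3508 3eb4b618d149462629c3c7c6bcfe40fb212485a5310a3ff6809d7aaf4befabdb.exe 86
PID 1156 wrote to memory of 2612 1156 setup.exe 89
PID 1156 wrote to memory of 2612 1156 setup.exe 89
PID 1156 wrote to memory of 2612 1156 setup.exe 89
PID 1156 wrote to memory of 2740 1156 setup.exe 91
PID 1156 wrote to memory of 2740 1156 setup.exe 91
PID 1156 wrote to memory of 2740 1156 setup.exe 91
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) ")

# Assumption: a 7-Zip SFX extracts its payload to %TEMP%\7zS<hex>\ before
# running it, so an image under that directory is treated as SFX-launched.
SFX_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\7zS[0-9A-Fa-f]+\\", re.IGNORECASE)


def parse_edges(text):
    """Return distinct (writer_pid, target_pid) pairs in first-seen order.

    The report repeats each pair several times; duplicates are collapsed."""
    seen = []
    for line in text.splitlines():
        m = WPM_RE.match(line)
        if not m:
            continue
        edge = (int(m.group(1)), int(m.group(2)))
        if edge not in seen:
            seen.append(edge)
    return seen


def build_tree(edges):
    """Map each parent PID to its children and return the root PIDs
    (writers that were never themselves a target)."""
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    targets = {child for _, child in edges}
    roots = [pid for pid in children if pid not in targets]
    return children, roots


def render(children, roots, procs):
    """Indented text rendering of the tree, one process per line."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {procs.get(pid, '?')}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


def sfx_launched(procs):
    """Sorted PIDs whose image path lies in a 7zS* extraction directory."""
    return sorted(pid for pid, path in procs.items() if SFX_DIR_RE.search(path))


if __name__ == "__main__":
    edges = parse_edges(WPM_EVENTS)
    children, roots = build_tree(edges)
    print(render(children, roots, PROCESSES))
    print("launched from 7zS* temp dir:", sfx_launched(PROCESSES))
```

Run stand-alone it prints the three-level tree (3508 at the root, 1156 beneath it, 2612 and 2740 beneath that) and lists 1156 and 2612 as the processes running out of the SFX directory; 2740 runs from a different temp path and is not flagged by that check.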
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 6.4MB
  MD5: 607fb47ad9d20bb16f90e4a38c93bbfe
  SHA1: 578ea8b4bd0bbd32114bfd61910118c3d9cfc355
  SHA256: 8a82ae5c857123cc6972b93828f3a6202c0db4d325ea6d5b1e36dcfb290c1e09
  SHA512: 23470d0aa5989132efa1fcd4b1d183374384e3b75249910c08e22d2fedf315f084028b7299d6f6c0a5230b2ec78179485d0f187d0a87f710d25f1eac81939e47
- Filesize: 5.9MB
  MD5: 1e6485e90130bb0cffd2ae2ca7fef2a2
  SHA1: b9c01fddb3921b6f56d8d774eb0364f7024428e8
  SHA256: 907cb59383443ce62fdcd2eb90e4bf32cf3a0de6078e708f694dfc7bd7166b5b
  SHA512: e28ec73e1465591827f092b71ab740a8de0b7ffcf5af0b3e4c1c8be37f16f1a87ae4fdfe23c25a305741a5aaf30fd2aab77f55061eb729f0dc5e64aef3dd6527