Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/08/2024, 23:38

General

  • Target

    3eb4b618d149462629c3c7c6bcfe40fb212485a5310a3ff6809d7aaf4befabdb.exe

  • Size

    3.1MB

  • MD5

    daf1916511811c5c9f879a1299141822

  • SHA1

    cc2fcbfc3ebbf57785df5fe3f8ed1874622e3e04

  • SHA256

    3eb4b618d149462629c3c7c6bcfe40fb212485a5310a3ff6809d7aaf4befabdb

  • SHA512

    8ec1ebf6afca7ec4596fefe87837df7a931373cfb023cbe62a8776c4ddb84df027c1e07a312b55d3a6ca8753f07f0300a9408e3cf025b3f31ff573720e033c5d

  • SSDEEP

    49152:DVAbw8VyRPkVwSdyKE6a8anqApzEVZnk8m0Uf89+zvi1QXsy4TpM+DWUl+n1aso:pA7VyRPS7MLq4ykF09+riyXWz6Ha

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3eb4b618d149462629c3c7c6bcfe40fb212485a5310a3ff6809d7aaf4befabdb.exe
    "C:\Users\Admin\AppData\Local\Temp\3eb4b618d149462629c3c7c6bcfe40fb212485a5310a3ff6809d7aaf4befabdb.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3508
    • C:\Users\Admin\AppData\Local\Temp\7zS4BDB46B7\setup.exe
      C:\Users\Admin\AppData\Local\Temp\7zS4BDB46B7\setup.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1156
      • C:\Users\Admin\AppData\Local\Temp\7zS4BDB46B7\setup.exe
        C:\Users\Admin\AppData\Local\Temp\7zS4BDB46B7\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=112.0.5197.60 --initial-client-data=0x32c,0x330,0x334,0x2f0,0x338,0x74b41b54,0x74b41b60,0x74b41b6c
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2612
      • C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\setup.exe" --version
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2740

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zS4BDB46B7\setup.exe

    Filesize

    6.4MB

    MD5

    607fb47ad9d20bb16f90e4a38c93bbfe

    SHA1

    578ea8b4bd0bbd32114bfd61910118c3d9cfc355

    SHA256

    8a82ae5c857123cc6972b93828f3a6202c0db4d325ea6d5b1e36dcfb290c1e09

    SHA512

    23470d0aa5989132efa1fcd4b1d183374384e3b75249910c08e22d2fedf315f084028b7299d6f6c0a5230b2ec78179485d0f187d0a87f710d25f1eac81939e47

  • C:\Users\Admin\AppData\Local\Temp\Opera_installer_2408182338129691156.dll

    Filesize

    5.9MB

    MD5

    1e6485e90130bb0cffd2ae2ca7fef2a2

    SHA1

    b9c01fddb3921b6f56d8d774eb0364f7024428e8

    SHA256

    907cb59383443ce62fdcd2eb90e4bf32cf3a0de6078e708f694dfc7bd7166b5b

    SHA512

    e28ec73e1465591827f092b71ab740a8de0b7ffcf5af0b3e4c1c8be37f16f1a87ae4fdfe23c25a305741a5aaf30fd2aab77f55061eb729f0dc5e64aef3dd6527