Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/08/2024, 06:37

General

  • Target

    2d6f723b9839621479baf29358634f10N.exe

  • Size

    515KB

  • MD5

    2d6f723b9839621479baf29358634f10

  • SHA1

    387a9f2845133a53a40a9db143b7332e80df8ae1

  • SHA256

    122647b0e0d506d90083df1b85b045bcdfe2865b7ed56f5841bf3923cb053686

  • SHA512

    adec58c00b406f00308a35cfa1b9046073c443e5b27e4eea0bab108c4f7f7e303c47d446dbd51e89deac807b95f48038c5f24b1c313fb47c08bc7fc3f408fe2c

  • SSDEEP

    12288:/n8yN0Mr8ZmkVyy2Vypm3MsS50ugfWaJexX6:vPuZmkVyy2uY7S5hV6

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d6f723b9839621479baf29358634f10N.exe
    "C:\Users\Admin\AppData\Local\Temp\2d6f723b9839621479baf29358634f10N.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1960
    • C:\Users\Public\Microsoft Build\Isass.exe
      "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\2d6f723b9839621479baf29358634f10N.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4676
      • C:\Users\Admin\AppData\Local\Temp\2d6f723b9839621479baf29358634f10N.exe
        "C:\Users\Admin\AppData\Local\Temp\2d6f723b9839621479baf29358634f10N.exe"
        3⤵
        • Executes dropped EXE
        PID:4836

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

    Filesize

    719KB

    MD5

    c4bc3cc03445c896065a59bc76202e6e

    SHA1

    ef043cc077689558f88086cb411063f15dd2afa0

    SHA256

    c49b84414c4ec54f0f318e7bd65781ad517282a427e67ff0610fe873698d1b2a

    SHA512

    86352b4a8b8761be76f95441060d3b1d865ec3ab7b7cd975c493db0285e0db2ec5c45f5314773c5f24e399a5666d3110f341a21e4039afa964c88cbca7e4d922

  • C:\Users\Admin\AppData\Local\Temp\2d6f723b9839621479baf29358634f10N.exe

    Filesize

    250KB

    MD5

    9386c7ffb682c69eadb492071138f495

    SHA1

    cd4cda7c97645a9ce694f9543b989e5fb898bbe7

    SHA256

    a4c297fc0b96651ebb71b15398025f80d1f6f592330792ba3eb01d9cd56f9f99

    SHA512

    9b7c2ee269d6f6f33f8656d9e3958036b441246304dce499e9ada4c7dc844a8d4b42deafc5e1d25dc50d069393f0ce9cdc5765a7ca7b3393511d1defba4f7d21

  • C:\Users\Public\Microsoft Build\Isass.exe

    Filesize

    256KB

    MD5

    38f759cb1674a19b1118366d4a018d9c

    SHA1

    c6583d6f2d8724a1bf6f28608451bfa870dec96a

    SHA256

    0b2f27ac9d4776132ead07bee0ca8d8894602a56bfaa8e6ecc5c2a158d3d65f9

    SHA512

    f2d3d2689236094d7efca17c520347cd453b70715102b34366d2a221ba114a7ede1c1bd142c0e32cd07d282f6254d689a05f05384db93cee9664bf8298fae4ac

  • memory/1960-33-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

  • memory/1960-41-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

  • memory/1960-61-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

  • memory/1960-57-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

  • memory/1960-7-0x0000000001B60000-0x0000000001B61000-memory.dmp

    Filesize

    4KB

  • memory/1960-49-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

  • memory/1960-23-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

  • memory/1960-24-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

  • memory/1960-27-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

  • memory/1960-28-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

  • memory/1960-5-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

  • memory/1960-32-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

  • memory/1960-48-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

  • memory/1960-42-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

  • memory/2732-6-0x0000000002490000-0x0000000002491000-memory.dmp

    Filesize

    4KB

  • memory/2732-3-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

  • memory/2732-9-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

  • memory/4676-22-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB

  • memory/4676-11-0x0000000000400000-0x00000000016A8E52-memory.dmp

    Filesize

    18.7MB