Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/08/2024, 17:46

General

  • Target

    b5c571cbe24b37359eb4018bac19e37a2ffc6108d6d1cb5c8c22640397c47596.exe

  • Size

    2.2MB

  • MD5

    af67f113f6de4648aadc9d7a0be4d0ca

  • SHA1

    d7697c61fe6ca142da8d9a3b14af32ad78778622

  • SHA256

    b5c571cbe24b37359eb4018bac19e37a2ffc6108d6d1cb5c8c22640397c47596

  • SHA512

    0ac58161384ae0993fb23516f708db06bd05424c666569c17f7e4cd6e9a563ff28a6bf415e1c60f4492d8dbbbb618a2e7064b58839bf0380afe6e6d62ff0f3eb

  • SSDEEP

    24576:Pe6u/p6D3RSWGDBqSfHfXBYnvakaYhF+Ma1eCFd1Zz9ItONK+ehkrh2J:POB6zYBvGv95F+MqZFdHwVhOcJ

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser's credential store.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and form data.

  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 16 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 5 IoCs
  • Modifies data under HKEY_USERS 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • outlook_win_path 1 IoCs
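The signature list above names behaviours but not the registry and file activity behind them. The script below is an added example, not Triage's own signature code: it maps process-monitor style events onto the signature names used in this report and counts them per PID, roughly the way the "N IoCs" column is produced. The indicator paths (Uninstall keys, Outlook profile keys, Chrome/Firefox credential files, Control Panel\International) are my assumptions about where each behaviour shows up, and the events at the bottom are constructed for illustration; the PIDs only mirror the process tree in this report. One caveat worth keeping in mind when writing such rules: the sample is a 32-bit image on an x64 VM, so writes the signature calls "System32" land in C:\Windows\SysWOW64 because of WOW64 file-system redirection, and the rule has to match both directories.

```python
"""Classify process-monitor style events into the Triage signature names used above.
Added example; the indicator paths are assumptions and the events are constructed."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    op: str    # RegOpenKey, RegQueryValue, RegEnumKey, RegSetValue, RegCreateKey,
               # CreateFile(read), CreateFile(write), WriteFile, QueryDirectory
    path: str


# Assumed indicator locations for each signature (not published by Triage).
UNINSTALL_KEY = re.compile(r"\\CurrentVersion\\Uninstall(\\|$)", re.I)
OUTLOOK_PROFILE = re.compile(
    r"\\(Office\\\d+\.\d+\\Outlook|Windows Messaging Subsystem)\\Profiles", re.I)
BROWSER_STORE = re.compile(r"\\(Login Data|logins\.json|Web Data|Cookies)$", re.I)
NON_C_DRIVE_ROOT = re.compile(r"^[ABD-Z]:\\$", re.I)       # root of any drive except C:
SYSTEM32_DIR = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.I)  # WOW64 redirect
LANGUAGE_KEY = re.compile(r"\\(Control Panel\\International|Nls\\Language)(\\|$)", re.I)
CONTROL_PANEL = re.compile(r"\\Control Panel\\", re.I)

REG_READ_OPS = {"RegOpenKey", "RegQueryValue", "RegEnumKey"}
REG_WRITE_OPS = {"RegSetValue", "RegCreateKey"}
FILE_READ_OPS = {"CreateFile(read)", "QueryDirectory"}
FILE_WRITE_OPS = {"CreateFile(write)", "WriteFile"}


def classify(ev: Event) -> set[str]:
    """Return the report signature names that one event supports (possibly none)."""
    hits = set()
    if ev.op in REG_READ_OPS:
        if UNINSTALL_KEY.search(ev.path):
            hits.add("Checks installed software on the system")
        if OUTLOOK_PROFILE.search(ev.path):
            hits.add("Accesses Microsoft Outlook profiles")
        if LANGUAGE_KEY.search(ev.path):
            hits.add("System Location Discovery: System Language Discovery")
    if ev.op in REG_WRITE_OPS and CONTROL_PANEL.search(ev.path):
        hits.add("Modifies Control Panel")
    if ev.op in FILE_READ_OPS:
        if NON_C_DRIVE_ROOT.match(ev.path):
            hits.add("Enumerates connected drives")
        if BROWSER_STORE.search(ev.path):
            hits.add("Reads user/profile data of web browsers")
    if ev.op in FILE_WRITE_OPS and SYSTEM32_DIR.match(ev.path):
        hits.add("Drops file in System32 directory")
    return hits


def summarize(events):
    """Per-PID count of events backing each signature, like the 'N IoCs' column."""
    per_pid = defaultdict(Counter)
    for ev in events:
        for sig in classify(ev):
            per_pid[ev.pid][sig] += 1
    return {pid: dict(counts) for pid, counts in per_pid.items()}


# Constructed events (not taken from the report); PIDs mirror the process tree.
SAMPLE_EVENTS = [
    Event(4068, "RegOpenKey", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"),
    Event(4068, "RegOpenKey", r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"),
    Event(4068, "QueryDirectory", "D:\\"),
    Event(4068, "QueryDirectory", "E:\\"),
    Event(4068, "CreateFile(write)", r"C:\Windows\SysWOW64\fssrv.exe"),
    Event(4068, "RegQueryValue", r"HKCU\Control Panel\International\LocaleName"),
    Event(2784, "CreateFile(read)",
          r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(2784, "QueryDirectory", "C:\\"),   # the default drive is not counted
]

if __name__ == "__main__":
    for pid, sigs in sorted(summarize(SAMPLE_EVENTS).items()):
        print(pid)
        for sig, n in sorted(sigs.items()):
            print(f"  {sig}: {n} IoCs")
```

Because `classify` returns a set, one event can back several signatures at once (a read of a Control Panel value under a non-C: path would count twice), which matches how the report counts the same event under both "Modifies Control Panel" and "Modifies data under HKEY_USERS".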

Processes

  • C:\Users\Admin\AppData\Local\Temp\b5c571cbe24b37359eb4018bac19e37a2ffc6108d6d1cb5c8c22640397c47596.exe
    "C:\Users\Admin\AppData\Local\Temp\b5c571cbe24b37359eb4018bac19e37a2ffc6108d6d1cb5c8c22640397c47596.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Enumerates connected drives
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_win_path
    PID:4068
    • C:\Windows\SysWOW64\pptpcms.exe
      C:\Windows\SysWOW64\pptpcms.exe /combine local system
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:852
  • C:\Windows\SysWOW64\fssrv.exe
    C:\Windows\SysWOW64\fssrv.exe 40l
    1⤵
    • Executes dropped EXE
    • Enumerates connected drives
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2784

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\fslsa.scr

    Filesize

    3KB

    MD5

    933b3c5d3728ef6e08af4ae579c00d11

    SHA1

    42dbfbedd813e6dbea1398323f085a88fa014293

    SHA256

    47f3405ab0da5af125bcc6ebb6d17a1573b090c54d7a0a00630ec170ccc4b9d1

    SHA512

    054c8fe49dad9571f7a1c2d015fdf2cc3589113517dc246baa3e68a62c186243d860566fa6339beec07a29c480f57a1009db4f51b813dfae4c26193b82baea1b

  • C:\Users\Public\Documents\ntuser{4CB43D7F-7DCA-4906-8698-FFFFFFFF8094E303}.pol

    Filesize

    4B

    MD5

    59babb838a876914f6b5402512da3d41

    SHA1

    eb72a9af96d374bc1d0045513ae1f4541060a7e5

    SHA256

    443c07a2c83b7b0253a325d2b72ac757c3aa5b41cd749842bc74fb3ee9b26866

    SHA512

    6c7f7fd694df9949b4716d009242b423216aa52e579414505406d6d3fcaa84fd8c9227e55eb80d28ba40068d80fd6f8be089f2b655ebc72872cd226236fa97ea

  • C:\Windows\SysWOW64\fssrv.exe

    Filesize

    2.2MB

    MD5

    fad02385f8f25089176259da4b1acafd

    SHA1

    0439606cf5138e4a62f35c23f6e190e6e05d9997

    SHA256

    efab1d2dd2dcab9990ae6a767fe38e01cf9bd7cc377340cd17da7c3b768b092c

    SHA512

    9ae26d6c7ca0d936ea98a675e0cf8e5352b9e05fd85f3d00e4ba4d05b27b01a52d100913f4cfaee0fc59d4fc8eed76304d0d892f638acf951f3ebebfa0f08be1

  • C:\Windows\SysWOW64\pptpcms.exe

    Filesize

    1.7MB

    MD5

    e28c2987d1344d9b5264259011032c9f

    SHA1

    06e7d7dde7bad8de6439505ad81744839e17e76f

    SHA256

    6fd81fb46ecda7d599d5b2e1f004ce16d4803179923a6c5398b266b8e70946ac

    SHA512

    3843965e249ca6b4172136b465c945eea6cc6920368f049eb3485e2da3831f2331bc5035578edd6a784de3e108de59981f9fdb9c1f9aa6520e235ebccb4e3ede

  • memory/2784-72-0x0000000000400000-0x00000000005AF000-memory.dmp

    Filesize

    1.7MB

  • memory/2784-73-0x0000000001250000-0x0000000001298000-memory.dmp

    Filesize

    288KB

  • memory/2784-75-0x0000000001250000-0x0000000001298000-memory.dmp

    Filesize

    288KB

  • memory/4068-0-0x0000000000400000-0x00000000005AF000-memory.dmp

    Filesize

    1.7MB

  • memory/4068-1-0x0000000000400000-0x00000000005AF000-memory.dmp

    Filesize

    1.7MB

  • memory/4068-2-0x0000000002330000-0x0000000002378000-memory.dmp

    Filesize

    288KB

  • memory/4068-3-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB
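The Downloads section is the part of this report that transfers directly to a host hunt: the sample plants two 32-bit executables in C:\Windows\SysWOW64 (which needs elevated rights, consistent with the AdjustPrivilegeToken signature) plus a .scr in the user's Temp directory and a .pol file under Public\Documents. The script below is an added example, not part of the Triage report: it embeds the SHA-256 values from the Target and Downloads sections, walks a directory tree, and reports exact hash matches separately from weaker file-name matches (a repacked build of the dropper would keep the names but not the hashes). The `demo()` function stages constructed files in a temporary directory so the scan can be exercised offline; nothing in it is the real malware.

```python
"""Hunt a directory tree for the files this report lists.
Added example, not part of the report; hashes are copied from the Downloads section."""
import hashlib
import os
from pathlib import Path

# SHA-256 -> reported location, from the report's Target and Downloads sections.
REPORT_IOCS = {
    "b5c571cbe24b37359eb4018bac19e37a2ffc6108d6d1cb5c8c22640397c47596":
        "submitted sample (.exe)",
    "47f3405ab0da5af125bcc6ebb6d17a1573b090c54d7a0a00630ec170ccc4b9d1":
        r"C:\Users\Admin\AppData\Local\Temp\fslsa.scr",
    "443c07a2c83b7b0253a325d2b72ac757c3aa5b41cd749842bc74fb3ee9b26866":
        r"C:\Users\Public\Documents\ntuser{4CB43D7F-7DCA-4906-8698-FFFFFFFF8094E303}.pol",
    "efab1d2dd2dcab9990ae6a767fe38e01cf9bd7cc377340cd17da7c3b768b092c":
        r"C:\Windows\SysWOW64\fssrv.exe",
    "6fd81fb46ecda7d599d5b2e1f004ce16d4803179923a6c5398b266b8e70946ac":
        r"C:\Windows\SysWOW64\pptpcms.exe",
}

# File names the sample dropped. A name match alone is weak evidence, but a
# rebuilt dropper often keeps the names while every hash changes.
DROPPED_NAMES = {"fssrv.exe", "pptpcms.exe", "fslsa.scr"}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root, iocs=REPORT_IOCS, names=DROPPED_NAMES):
    """Walk root. Return (hash_hits, name_hits): hash_hits pairs each matching
    path with the reported location, name_hits pairs a suspicious file name with
    the digest actually found so it can be submitted for analysis."""
    hash_hits, name_hits = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digest = sha256_file(p)
            except OSError:           # unreadable or vanished file: skip, keep going
                continue
            if digest in iocs:
                hash_hits.append((str(p), iocs[digest]))
            elif name.lower() in names:
                name_hits.append((str(p), digest))
    return hash_hits, name_hits


def demo():
    """Constructed self-check: stage two harmless files in a temp dir and scan them.
    The planted content is made up; it is not the dropper from the report."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        planted = Path(d) / "SysWOW64" / "fssrv.exe"   # name hit, hash will not match
        planted.parent.mkdir()
        planted.write_bytes(b"constructed stand-in, not the real dropper")
        benign = Path(d) / "notes.txt"                  # hash hit via an added test IOC
        benign.write_bytes(b"hello")
        iocs = dict(REPORT_IOCS)
        iocs[hashlib.sha256(b"hello").hexdigest()] = "constructed test IOC"
        return scan(d, iocs)


if __name__ == "__main__":
    hash_hits, name_hits = demo()
    for path, where in hash_hits:
        print(f"HASH MATCH  {path}  (reported as {where})")
    for path, digest in name_hits:
        print(f"NAME MATCH  {path}  sha256={digest}")
```

On a real endpoint you would point `scan` at `C:\Windows\SysWOW64`, the users' Temp directories and `C:\Users\Public\Documents` rather than the whole disk, and run it elevated so the System32/SysWOW64 files are readable. The MD5 and SHA-1 values in the report are left out deliberately; SHA-256 is the one to key on.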