Analysis
- max time kernel: 147s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/09/2024, 13:56
Behavioral task: behavioral1
- Sample: 3be8fa0b38501cdb368c5cf5a0615880N.exe
- Resource: win7-20240903-en
General
- Target: 3be8fa0b38501cdb368c5cf5a0615880N.exe
- Size: 3.1MB
- MD5: 3be8fa0b38501cdb368c5cf5a0615880
- SHA1: 52083abf2794b5f6f8a429ef5bf5fa552896832f
- SHA256: 1d0c2228e4f710999bd97385b1595cd48bc9b79a837a01eff63efb470a1f92ba
- SHA512: 4d60b1c7d41f9a03147cf1d81640d9b6cd09078c9a8e1634006f505c95cf81a3f0a2f3f31b6c925fd9c90be6c733cac7a54cadf19b0dd0b63ea2b2d8a78ea5bd
- SSDEEP: 49152:eFnAp4kyST0QX9i41ZmCq6M+s8KuqGaX0ToIBAUZLYRXcYz7NWu22wS3BNM8:eFw7ySwQX9iC4n0JBAUZLuMYz1BN
Malware Config
Signatures
- Detect Blackmoon payload (2 IoCs)
  resource / yara_rule:
  behavioral2/files/0x00070000000234bb-17.dat | family_blackmoon
  behavioral2/memory/2588-23-0x0000000000400000-0x000000000072B000-memory.dmp | family_blackmoon
- Poullight Stealer payload (3 IoCs)
  resource / yara_rule:
  behavioral2/files/0x00090000000234b2-4.dat | family_poullight
  behavioral2/memory/5088-12-0x000002E309590000-0x000002E3095B0000-memory.dmp | family_poullight
  behavioral2/memory/2588-23-0x0000000000400000-0x000000000072B000-memory.dmp | family_poullight
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copying of, the web browser credential store.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description / ioc / Process:
  Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | 3be8fa0b38501cdb368c5cf5a0615880N.exe
- Executes dropped EXE (2 IoCs)
  pid / Process:
  5088 | build.exe
  2160 | SALIK.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3be8fa0b38501cdb368c5cf5a0615880N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SALIK.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description / ioc / Process:
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid / Process: 3572 msedge.exe (x2), 2900 msedge.exe (x2), 5088 build.exe (x3), 464 msedge.exe (x4)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  pid / Process: 2900 msedge.exe (x3)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description / pid / Process: Token: SeDebugPrivilege | 5088 | build.exe
- Suspicious use of FindShellTrayWindow (25 IoCs)
  pid / Process: 2900 msedge.exe (x25)
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid / Process: 2900 msedge.exe (x24)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid / Process: 2160 SALIK.exe (x4)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description / pid / Process / procid_target:
  PID 2588 wrote to memory of 5088 | 2588 | 3be8fa0b38501cdb368c5cf5a0615880N.exe | 82 (x2)
  PID 2588 wrote to memory of 2160 | 2588 | 3be8fa0b38501cdb368c5cf5a0615880N.exe | 83 (x3)
  PID 2160 wrote to memory of 2900 | 2160 | SALIK.exe | 85 (x2)
  PID 2900 wrote to memory of 3552 | 2900 | msedge.exe | 86 (x2)
  PID 2900 wrote to memory of 3640 | 2900 | msedge.exe | 87 (x40)
  PID 2900 wrote to memory of 3572 | 2900 | msedge.exe | 88 (x2)
  PID 2900 wrote to memory of 508 | 2900 | msedge.exe | 89 (x13)
Processes
- C:\Users\Admin\AppData\Local\Temp\3be8fa0b38501cdb368c5cf5a0615880N.exe
  "C:\Users\Admin\AppData\Local\Temp\3be8fa0b38501cdb368c5cf5a0615880N.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2588
  - C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5088
  - C:\Users\Admin\AppData\Local\Temp\SALIK.exe
    "C:\Users\Admin\AppData\Local\Temp\SALIK.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2160
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://jq.qq.com/?_wv=1027&k=57Cts1S
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID:2900
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab9b846f8,0x7ffab9b84708,0x7ffab9b84718
        PID:3552
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,2122219743417783574,6070194250827006699,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
        PID:3640
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,2122219743417783574,6070194250827006699,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
        PID:3572
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,2122219743417783574,6070194250827006699,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
        PID:508
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2122219743417783574,6070194250827006699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
        PID:2944
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2122219743417783574,6070194250827006699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
        PID:224
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2122219743417783574,6070194250827006699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
        PID:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,2122219743417783574,6070194250827006699,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 /prefetch:2
        - Suspicious behavior: EnumeratesProcesses
        PID:464
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:1428
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:3796
Network
MITRE ATT&CK Enterprise v15
- Credential Access
  - Credentials from Password Stores (1): Credentials from Web Browsers (1)
  - Unsecured Credentials (1): Credentials In Files (1)
Downloads