Analysis
max time kernel: 148s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21/09/2024, 20:44
Static task: static1
Behavioral task: behavioral1
Sample: 3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe
Resource: win7-20240903-en
General
Target: 3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe
Size: 4.5MB
MD5: 0ea605a1d37f58fd69b564d3468acadd
SHA1: a505d7edc719afb52863775c88beef51b338c129
SHA256: 3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c
SHA512: 3f5b030379348759917c316c2ffb4f9d971ea6767bc903fb7ac6516dadfac680be8b009e817bb978fdfaf5baf545bec19dd8938573bc4c38458ffdb7b0731c56
SSDEEP: 98304:CuWRw5bLGZWJ1GWk0y5rmhpJai8vhARFXM4jy+b+B5231DXqpYdVLEQ:CK5+35rQai8vhqFNyXB5OiUV4Q
Malware Config
Signatures

Executes dropped EXE (4 IoCs)
pid   Process
2764  UninstallTool.exe
2860  UninstallTool_x64.dat
2872  UninstallToolHelper.exe
1112  Process not Found

Loads dropped DLL (5 IoCs)
pid   Process
2688  3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe
2688  3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe
2688  3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe
2688  3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe
2764  UninstallTool.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Windows directory (2 IoCs)
description                   ioc                                                                      Process
File opened for modification  C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe  UninstallTool_x64.dat
File opened for modification  C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\ShellUI.MST    UninstallTool_x64.dat

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  UninstallTool.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  UninstallToolHelper.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid   Process
2860  UninstallTool_x64.dat

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description               pid   Process
Token: SeDebugPrivilege   2860  UninstallTool_x64.dat

Suspicious use of SetWindowsHookEx (8 IoCs)
pid   Process
2860  UninstallTool_x64.dat
2860  UninstallTool_x64.dat
2860  UninstallTool_x64.dat
2860  UninstallTool_x64.dat
2860  UninstallTool_x64.dat
2860  UninstallTool_x64.dat
2860  UninstallTool_x64.dat
2860  UninstallTool_x64.dat

Suspicious use of WriteProcessMemory (18 IoCs)
description                     pid   Process                                                                 procid_target
PID 2688 wrote to memory of 2764  2688  3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe  30
PID 2688 wrote to memory of 2764  2688  3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe  30
PID 2688 wrote to memory of 2764  2688  3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe  30
PID 2688 wrote to memory of 2764  2688  3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe  30
PID 2688 wrote to memory of 2764  2688  3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe  30
PID 2688 wrote to memory of 2764  2688  3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe  30
PID 2688 wrote to memory of 2764  2688  3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe  30
PID 2764 wrote to memory of 2860  2764  UninstallTool.exe                                                       31
PID 2764 wrote to memory of 2860  2764  UninstallTool.exe                                                       31
PID 2764 wrote to memory of 2860  2764  UninstallTool.exe                                                       31
PID 2764 wrote to memory of 2860  2764  UninstallTool.exe                                                       31
PID 2860 wrote to memory of 2872  2860  UninstallTool_x64.dat                                                   32
PID 2860 wrote to memory of 2872  2860  UninstallTool_x64.dat                                                   32
PID 2860 wrote to memory of 2872  2860  UninstallTool_x64.dat                                                   32
PID 2860 wrote to memory of 2872  2860  UninstallTool_x64.dat                                                   32
PID 2860 wrote to memory of 2872  2860  UninstallTool_x64.dat                                                   32
PID 2860 wrote to memory of 2872  2860  UninstallTool_x64.dat                                                   32
PID 2860 wrote to memory of 2872  2860  UninstallTool_x64.dat                                                   32
Processes

C:\Users\Admin\AppData\Local\Temp\3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe (depth 1, PID: 2688)
Command line: "C:\Users\Admin\AppData\Local\Temp\3c52d0490b806dcaea4b3638547d86240c00451699a1b35150fe3c992cdfc09c.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

  C:\dptools\Uninstall Tool\UninstallTool.exe (depth 2, PID: 2764)
  Command line: "C:\dptools\Uninstall Tool\UninstallTool.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\dptools\Uninstall Tool\UninstallTool_x64.dat (depth 3, PID: 2860)
    Command line: "C:\dptools\Uninstall Tool\UninstallTool_x64.dat"
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

      C:\dptools\Uninstall Tool\UninstallToolHelper.exe (depth 4, PID: 2872)
      Command line: UninstallToolHelper.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads