Analysis
- max time kernel: 143s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/09/2024, 06:11
Static task: static1
Behavioral task: behavioral1
Sample: 96cdce80844f2f83068a898557e543757604fc019485dac386b879068b2f5dc1.exe
Resource: win7-20240708-en
General
- Target: 96cdce80844f2f83068a898557e543757604fc019485dac386b879068b2f5dc1.exe
- Size: 2.5MB
- MD5: 48d6df0ee3eaa10b4f506951fcc57803
- SHA1: 17edd1ede9ceae0d6146a95123266f35288afb96
- SHA256: 96cdce80844f2f83068a898557e543757604fc019485dac386b879068b2f5dc1
- SHA512: 01d44b534c878bc210a4b40a1737bfbda907aa87cff5658da5837bc18d1b546ef2b724543593a873fd9b6c2411256df1d488805661a2a9f535c52b562546b23b
- SSDEEP: 49152:wcARyCfxGVZI4oExCv3jCZwgQAwgQAwgQAwgQS:wcA
Malware Config
Signatures
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates processes with tasklist (1 TTPs, 6 IoCs)
  pid   Process
  3344  tasklist.exe
  5036  tasklist.exe
  4424  tasklist.exe
  4808  tasklist.exe
  1852  tasklist.exe
  3336  tasklist.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 27 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  find.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  find.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  96cdce80844f2f83068a898557e543757604fc019485dac386b879068b2f5dc1.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tasklist.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  choice.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  find.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  choice.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  find.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tasklist.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  choice.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  find.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  choice.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  find.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  choice.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tasklist.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  choice.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tasklist.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tasklist.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tasklist.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  3316  96cdce80844f2f83068a898557e543757604fc019485dac386b879068b2f5dc1.exe
  3316  96cdce80844f2f83068a898557e543757604fc019485dac386b879068b2f5dc1.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  3344  tasklist.exe
  Token: SeDebugPrivilege  5036  tasklist.exe
  Token: SeDebugPrivilege  4424  tasklist.exe
  Token: SeDebugPrivilege  4808  tasklist.exe
  Token: SeDebugPrivilege  1852  tasklist.exe
  Token: SeDebugPrivilege  3336  tasklist.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 3316 wrote to memory of 728    3316  96cdce80844f2f83068a898557e543757604fc019485dac386b879068b2f5dc1.exe  94
  PID 3316 wrote to memory of 728    3316  96cdce80844f2f83068a898557e543757604fc019485dac386b879068b2f5dc1.exe  94
  PID 3316 wrote to memory of 728    3316  96cdce80844f2f83068a898557e543757604fc019485dac386b879068b2f5dc1.exe  94
  PID 728 wrote to memory of 2628    728   cmd.exe                                                                 96
  PID 728 wrote to memory of 2628    728   cmd.exe                                                                 96
  PID 728 wrote to memory of 2628    728   cmd.exe                                                                 96
  PID 2628 wrote to memory of 3344   2628  cmd.exe                                                                 97
  PID 2628 wrote to memory of 3344   2628  cmd.exe                                                                 97
  PID 2628 wrote to memory of 3344   2628  cmd.exe                                                                 97
  PID 2628 wrote to memory of 3152   2628  cmd.exe                                                                 98
  PID 2628 wrote to memory of 3152   2628  cmd.exe                                                                 98
  PID 2628 wrote to memory of 3152   2628  cmd.exe                                                                 98
  PID 3316 wrote to memory of 3836   3316  96cdce80844f2f83068a898557e543757604fc019485dac386b879068b2f5dc1.exe  100
  PID 3316 wrote to memory of 3836   3316  96cdce80844f2f83068a898557e543757604fc019485dac386b879068b2f5dc1.exe  100
  PID 3316 wrote to memory of 3836   3316  96cdce80844f2f83068a898557e543757604fc019485dac386b879068b2f5dc1.exe  100
  PID 3836 wrote to memory of 3528   3836  cmd.exe                                                                 102
  PID 3836 wrote to memory of 3528   3836  cmd.exe                                                                 102
  PID 3836 wrote to memory of 3528   3836  cmd.exe                                                                 102
  PID 3528 wrote to memory of 5036   3528  cmd.exe                                                                 103
  PID 3528 wrote to memory of 5036   3528  cmd.exe                                                                 103
  PID 3528 wrote to memory of 5036   3528  cmd.exe                                                                 103
  PID 3528 wrote to memory of 4764   3528  cmd.exe                                                                 104
  PID 3528 wrote to memory of 4764   3528  cmd.exe                                                                 104
  PID 3528 wrote to memory of 4764   3528  cmd.exe                                                                 104
  PID 728 wrote to memory of 4920    728   cmd.exe                                                                 105
  PID 728 wrote to memory of 4920    728   cmd.exe                                                                 105
  PID 728 wrote to memory of 4920    728   cmd.exe                                                                 105
  PID 3836 wrote to memory of 1692   3836  cmd.exe                                                                 108
  PID 3836 wrote to memory of 1692   3836  cmd.exe                                                                 108
  PID 3836 wrote to memory of 1692   3836  cmd.exe                                                                 108
  PID 728 wrote to memory of 544     728   cmd.exe                                                                 111
  PID 728 wrote to memory of 544     728   cmd.exe                                                                 111
  PID 728 wrote to memory of 544     728   cmd.exe                                                                 111
  PID 544 wrote to memory of 4424    544   cmd.exe                                                                 112
  PID 544 wrote to memory of 4424    544   cmd.exe                                                                 112
  PID 544 wrote to memory of 4424    544   cmd.exe                                                                 112
  PID 544 wrote to memory of 4452    544   cmd.exe                                                                 113
  PID 544 wrote to memory of 4452    544   cmd.exe                                                                 113
  PID 544 wrote to memory of 4452    544   cmd.exe                                                                 113
  PID 728 wrote to memory of 3728    728   cmd.exe                                                                 114
  PID 728 wrote to memory of 3728    728   cmd.exe                                                                 114
  PID 728 wrote to memory of 3728    728   cmd.exe                                                                 114
  PID 3836 wrote to memory of 2932   3836  cmd.exe                                                                 115
  PID 3836 wrote to memory of 2932   3836  cmd.exe                                                                 115
  PID 3836 wrote to memory of 2932   3836  cmd.exe                                                                 115
  PID 2932 wrote to memory of 4808   2932  cmd.exe                                                                 116
  PID 2932 wrote to memory of 4808   2932  cmd.exe                                                                 116
  PID 2932 wrote to memory of 4808   2932  cmd.exe                                                                 116
  PID 2932 wrote to memory of 2216   2932  cmd.exe                                                                 117
  PID 2932 wrote to memory of 2216   2932  cmd.exe                                                                 117
  PID 2932 wrote to memory of 2216   2932  cmd.exe                                                                 117
  PID 3836 wrote to memory of 3152   3836  cmd.exe                                                                 118
  PID 3836 wrote to memory of 3152   3836  cmd.exe                                                                 118
  PID 3836 wrote to memory of 3152   3836  cmd.exe                                                                 118
  PID 728 wrote to memory of 5088    728   cmd.exe                                                                 119
  PID 728 wrote to memory of 5088    728   cmd.exe                                                                 119
  PID 728 wrote to memory of 5088    728   cmd.exe                                                                 119
  PID 5088 wrote to memory of 1852   5088  cmd.exe                                                                 120
  PID 5088 wrote to memory of 1852   5088  cmd.exe                                                                 120
  PID 5088 wrote to memory of 1852   5088  cmd.exe                                                                 120
  PID 5088 wrote to memory of 4300   5088  cmd.exe                                                                 121
  PID 5088 wrote to memory of 4300   5088  cmd.exe                                                                 121
  PID 5088 wrote to memory of 4300   5088  cmd.exe                                                                 121
  PID 728 wrote to memory of 844     728   cmd.exe                                                                 122
Processes
- C:\Users\Admin\AppData\Local\Temp\96cdce80844f2f83068a898557e543757604fc019485dac386b879068b2f5dc1.exe (PID 3316)
  Command line: "C:\Users\Admin\AppData\Local\Temp\96cdce80844f2f83068a898557e543757604fc019485dac386b879068b2f5dc1.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 728)
    Command line: C:\Windows\system32\cmd.exe /c C:\\Users\\Public\\Downloads\\MzlchxeAZZCEaDuUKmYRRTEjqSMKCPSjzkKvyZLPvwIGDckIsfdtwMWmZlHqeWCAAHCsWSQlpvvwbJHBaiwGQPiXJumiNGkvAuS.cmd
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2628)
      Command line: C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "QLVideoMergeT.exe"
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\tasklist.exe (PID 3344)
        Command line: tasklist.exe
        Signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\find.exe (PID 3152)
        Command line: find /I "QLVideoMergeT.exe"
        Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\choice.exe (PID 4920)
      Command line: choice /t 60 /d y /n
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 544)
      Command line: C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "QLVideoMergeT.exe"
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\tasklist.exe (PID 4424)
        Command line: tasklist.exe
        Signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\find.exe (PID 4452)
        Command line: find /I "QLVideoMergeT.exe"
        Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\choice.exe (PID 3728)
      Command line: choice /t 60 /d y /n
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 5088)
      Command line: C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "QLVideoMergeT.exe"
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\tasklist.exe (PID 1852)
        Command line: tasklist.exe
        Signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\find.exe (PID 4300)
        Command line: find /I "QLVideoMergeT.exe"
        Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\choice.exe (PID 844)
      Command line: choice /t 60 /d y /n
      Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 3836)
    Command line: C:\Windows\system32\cmd.exe /c C:\\Users\\Public\\Downloads\\MzlchxeAZZCEaDuUKmYRRTEjqSMKCPSjzkKvyZLPvwIGDckIsfdtwMWmZlHqeWCAAHCsWSQlpvvwbJHBaiwGQPiXJumiNGkvAuS.cmd
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 3528)
      Command line: C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "QLVideoMergeT.exe"
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\tasklist.exe (PID 5036)
        Command line: tasklist.exe
        Signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\find.exe (PID 4764)
        Command line: find /I "QLVideoMergeT.exe"
        Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\choice.exe (PID 1692)
      Command line: choice /t 60 /d y /n
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 2932)
      Command line: C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "QLVideoMergeT.exe"
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\tasklist.exe (PID 4808)
        Command line: tasklist.exe
        Signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\find.exe (PID 2216)
        Command line: find /I "QLVideoMergeT.exe"
        Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\choice.exe (PID 3152)
      Command line: choice /t 60 /d y /n
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 1968)
      Command line: C:\Windows\system32\cmd.exe /c tasklist.exe | find /I "QLVideoMergeT.exe"
      Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\tasklist.exe (PID 3336)
        Command line: tasklist.exe
        Signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\find.exe (PID 4504)
        Command line: find /I "QLVideoMergeT.exe"
        Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\choice.exe (PID 1932)
      Command line: choice /t 60 /d y /n
      Signatures: System Location Discovery: System Language Discovery
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 644)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4288,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=3756 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (1)
    - Credentials In Files (1)
Downloads
- C:\Users\Public\Downloads\MzlchxeAZZCEaDuUKmYRRTEjqSMKCPSjzkKvyZLPvwIGDckIsfdtwMWmZlHqeWCAAHCsWSQlpvvwbJHBaiwGQPiXJumiNGkvAuS.cmd
  Filesize: 1KB
  MD5: d2fc77c706ceb50a40d55280cb8c8d26
  SHA1: 9212dc791f9b6688aeb3b9e44077785103f94996
  SHA256: 6b21a5347cd9c2536fde3e62b4cfd9f0a7fe3268ab279245d259ca82182f59c6
  SHA512: 415d5602aa5448e3b65d03468c4516bf96f5d0e31afd325aae6716d72cb7a300ffd5bddbd27a35c4ddf7f3e79185ea42cc5b188ba7977516c43853a2b55ea17c