Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Client‮4PM..exe

windows10-1703-x64

4

Client‮4PM..exe

windows10-2004-x64

7

Analysis

  • max time kernel
    202s
  • max time network
    202s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/10/2024, 06:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client‮4PM..exe

  • Size

    16KB

  • MD5

    78546805aa20d09136de689620dc6ca2

  • SHA1

    3bfafdc380309d9ba9632d81ee220f063f6fe522

  • SHA256

    f52dd2dd58a66fb26ff986cd9bd6b033d0bca73800606ba4f6e6033fa44bf023

  • SHA512

    ef6210d14cec248d8361a5aa01f597853aad0305ebac68f51e00e73123e983a4bb502130a72e1a5fc910de1363a661caaa864f3f8ff06fd5d57728d9304f5ddc

  • SSDEEP

    384:KLGXnSVdX5/VBji1D9oDPlMNcLlb5sVKZyz5Ct:KLGXnSVdTBjyclMNE4o

Score
7/10
credential_accessspywarestealer

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client‮4PM..exe
    "C:\Users\Admin\AppData\Local\Temp\Client‮4PM..exe"
    1⤵
    • Checks computer location settings
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\GawrHJfW.vbs"
      2⤵
        PID:4876

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\GawrHJfW.vbs
      Filesize

      150B

      MD5

      502b0b2bd2887a2a1dbd470b8ee92d9c

      SHA1

      7a3907f54b2f8b57be6072d28aff3f6174f8f010

      SHA256

      a31b7d0b86764919634b44f2ceca8dda07981aa6a2a9a3f7050cf95e7b480807

      SHA512

      bba93f39efab99a6aeedaa12a9c654477cd34204df1424222fe819ff82eb36511b7dccfc01b7b687e21cca101a37d88ef143d6aaf658e6a25b959cf5d3d5191e

      Download Submit

    • memory/2220-8-0x000000001CFE0000-0x000000001D004000-memory.dmp

      Filesize

      144KB

      Download

    • memory/2220-10-0x00000000015C0000-0x00000000015D9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/2220-3-0x000000001C650000-0x000000001C6F6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2220-4-0x00007FFE02FF0000-0x00007FFE03991000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2220-5-0x000000001CDF0000-0x000000001CE52000-memory.dmp

      Filesize

      392KB

      Download

    • memory/2220-6-0x00007FFE032A5000-0x00007FFE032A6000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2220-7-0x00007FFE02FF0000-0x00007FFE03991000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2220-0-0x00007FFE032A5000-0x00007FFE032A6000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2220-2-0x00007FFE02FF0000-0x00007FFE03991000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2220-11-0x00007FFE02FF0000-0x00007FFE03991000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2220-9-0x000000001D280000-0x000000001D31C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2220-12-0x00007FFE02FF0000-0x00007FFE03991000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2220-13-0x00000000013F0000-0x000000000140E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2220-14-0x0000000001520000-0x0000000001536000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2220-15-0x0000000001690000-0x000000000169C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2220-1-0x000000001C180000-0x000000001C64E000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/2220-20-0x00007FFE02FF0000-0x00007FFE03991000-memory.dmp

      Filesize

      9.6MB

      Download