Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
202s -
max time network
202s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12/10/2024, 06:27
Behavioral task
behavioral1
Sample
Client4PM..exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Client4PM..exe
Resource
win10v2004-20241007-en
General
-
Target
Client4PM..exe
-
Size
16KB
-
MD5
78546805aa20d09136de689620dc6ca2
-
SHA1
3bfafdc380309d9ba9632d81ee220f063f6fe522
-
SHA256
f52dd2dd58a66fb26ff986cd9bd6b033d0bca73800606ba4f6e6033fa44bf023
-
SHA512
ef6210d14cec248d8361a5aa01f597853aad0305ebac68f51e00e73123e983a4bb502130a72e1a5fc910de1363a661caaa864f3f8ff06fd5d57728d9304f5ddc
-
SSDEEP
384:KLGXnSVdX5/VBji1D9oDPlMNcLlb5sVKZyz5Ct:KLGXnSVdTBjyclMNE4o
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation Client4PM..exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 Client4PM..exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Client4PM..exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Client4PM..exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Client4PM..exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Client4PM..exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion Client4PM..exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer Client4PM..exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate Client4PM..exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings Client4PM..exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2220 Client4PM..exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 2220 wrote to memory of 4876 2220 Client4PM..exe 92 PID 2220 wrote to memory of 4876 2220 Client4PM..exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client4PM..exe"C:\Users\Admin\AppData\Local\Temp\Client4PM..exe"1⤵
- Checks computer location settings
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\GawrHJfW.vbs"2⤵PID:4876
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
150B
MD5502b0b2bd2887a2a1dbd470b8ee92d9c
SHA17a3907f54b2f8b57be6072d28aff3f6174f8f010
SHA256a31b7d0b86764919634b44f2ceca8dda07981aa6a2a9a3f7050cf95e7b480807
SHA512bba93f39efab99a6aeedaa12a9c654477cd34204df1424222fe819ff82eb36511b7dccfc01b7b687e21cca101a37d88ef143d6aaf658e6a25b959cf5d3d5191e