Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

1

a680fb2851...77.exe

windows11-21h2-x64

7

Resubmissions

12/10/2024, 18:38

241012-w94ttszbjp 7

12/10/2024, 18:35

241012-w8bfwszajq 7

Analysis

  • max time kernel
    445s
  • max time network
    1165s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    12/10/2024, 18:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a680fb2851207f6606214c2bb266a46ad37afefa9df85dc43a7730fe14bfc177.exe

  • Size

    1.1MB

  • MD5

    66310e73ba135067af9453c699a4c694

  • SHA1

    330a52436c0294d2ead08f7b86b9091591f55878

  • SHA256

    a680fb2851207f6606214c2bb266a46ad37afefa9df85dc43a7730fe14bfc177

  • SHA512

    4893113b6fdf875b399fee26ca7153951fa5f84434e5de6504d5645657e9b8396efcdc72889dcc78ed49149434aa13e27006ea7855339f289e06781a7f20d49a

  • SSDEEP

    24576:BEqS1t2qh4zwnOd30BQuO883eB/qeV5WYeXEncWFtDxk4rk:Gd6EYr88O9TDncWNk4rk

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
    discovery
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a680fb2851207f6606214c2bb266a46ad37afefa9df85dc43a7730fe14bfc177.exe
    "C:\Users\Admin\AppData\Local\Temp\a680fb2851207f6606214c2bb266a46ad37afefa9df85dc43a7730fe14bfc177.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Boats Boats.bat & Boats.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4760
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2920
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "wrsa opssvc"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2840
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:5088
      • C:\Windows\SysWOW64\findstr.exe
        findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4608
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 767644
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3448
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "MinsSlutsCompensationBest" Sexuality
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5000
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Investment + ..\Collectibles + ..\Usr + ..\Tell + ..\Maintain + ..\Arms + ..\Essay + ..\Having J
        3⤵
        • System Location Discovery: System Language Discovery
        PID:984
      • C:\Users\Admin\AppData\Local\Temp\767644\Hepatitis.pif
        Hepatitis.pif J
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3032
        • C:\Users\Admin\AppData\Local\Temp\767644\RegAsm.exe
          C:\Users\Admin\AppData\Local\Temp\767644\RegAsm.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2616
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2188

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\767644\Hepatitis.pif
    Filesize

    872KB

    MD5

    18ce19b57f43ce0a5af149c96aecc685

    SHA1

    1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

    SHA256

    d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

    SHA512

    a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\767644\J
    Filesize

    623KB

    MD5

    d0f8204072b82e078833bf1727c85881

    SHA1

    0b93c822a97dc8f1ce1957cda4eaf25cfe9e416f

    SHA256

    3341c28fa5ec43f8dd6444e072c653ab814c773caf13c1f1dc838a09d3cc3999

    SHA512

    d0cb90bc5f15268581aeb79d1375d81602b886cf82686e9885d7260d62ff3a66f1281be4852572aecda2b63726187ab3faea2d10b30e8f2ae3c85d3d26abf097

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\767644\RegAsm.exe
    Filesize

    63KB

    MD5

    42ab6e035df99a43dbb879c86b620b91

    SHA1

    c6e116569d17d8142dbb217b1f8bfa95bc148c38

    SHA256

    53195987d396986ebcb20425ac130e78ad308fdbd918f33f3fd92b99abda314b

    SHA512

    2e79de2d394ad33023d71611bb728b254aa4680b5a3a1ef5282b1155ddfaa2f3585c840a6700dfe0d1a276dac801298431f0187086d2e8f96b22f6c808fb97e5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Arms
    Filesize

    79KB

    MD5

    0c32b9d39a642771c955215f14cd8e21

    SHA1

    078e15f9c344525b61c8fdab81821ddc9181cd18

    SHA256

    ea0d58d4bc3341422368e5b6259153c05cbeb0c7f3439771ddbe94900d319030

    SHA512

    cb71c50791503c50427e409a151b20076f0a6be70a4565c40c27c25289e7e5c75af702dd3847afe5c34c8609e971af10ac164d3958d8ee5f0f7ce2fb0cbab0d6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Boats
    Filesize

    16KB

    MD5

    9d42197cdf269de306f38af0f0641ef1

    SHA1

    78e91ac01fe71e4ee1e2dfe2147d1e7a6647acb5

    SHA256

    c2bb7f9586469b1b703fa67664625705512b1f4c98d10589356c2623dad28d0d

    SHA512

    c09fd69e2d3554b0a611085ff99627de1b5b2cdf6fdc7bc1b7012dc19a59af4fbfcea1c3e9b2925228ff27e60a7385cac532f8eb4a6be0bdd6f74307bebdc76e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Collectibles
    Filesize

    95KB

    MD5

    0d394eb8840f0d8dea95f2b956dc1038

    SHA1

    60ceef3d8abd63ad50b1e78e495b9be4a7726160

    SHA256

    0f8f3828320274f8e23144a4841f0c0564ee11034a5b9630bcb6a467acff6870

    SHA512

    74cd2956e13a5541a00b82b732d4ca1a1f180ad0521a2b3d7a0b889cdcf35a65632e7eb4db408be28f505e05abcb711ea0ea3a83d5517ca5a514f2d5b4d2e191

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Essay
    Filesize

    78KB

    MD5

    517ee413f681d536ad909779d659edb5

    SHA1

    092a92b7cb072a7e80bb176a884cf434074cf7bf

    SHA256

    44ac6b3f22b65c71411027f5dea8bb4712baff0a59765e95e739e0a692fe8e95

    SHA512

    345dbdaeb7770c3a4b1c71a4ebdd0f2fe9793e036e36c51c1b074c773d689df7651aa34f368512e1afc2484591de4f238624a6f9ee2756fc39ca4b58b366a4c7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Having
    Filesize

    29KB

    MD5

    e4f0d47e34d39d6621e2f51972ef5033

    SHA1

    e9365bccc76c187862d71cc26d7063e8dbd80d2b

    SHA256

    7438e5d0e5f29dd25fe9ff2e19dc80763261d7cd7e26526419a75bb4fb845069

    SHA512

    ddeae387a0591ff79f45086eb2816ed45293fd7d77da3d1e797759f1a3a0e08118dad51fad02306b27e8611492fee605fe901f2d1e9fe792a8d38e5d68d01f3a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Investment
    Filesize

    74KB

    MD5

    91debba345821583a96eaf0dc2602488

    SHA1

    6a8f5ee33eaa8cb6a4442b040440f3276058fa23

    SHA256

    9c517f91c3bb4050831893114b50cf2d45c275d26b6cb62693eb2c4c117fc986

    SHA512

    faed5051460518e78fb409708d458a3eeb14f5b70480a8613b72b7d95fd1f0a124ee2487081d93d39da7e8f4df4801137edfc9d737c16dc43626092d6f395fe1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Maintain
    Filesize

    89KB

    MD5

    fc06001223188daec0ebec3fd58281a5

    SHA1

    67e38a55320148dfcb0e9a794159611c9fc54392

    SHA256

    ed902227489a535235df6c66fa77603444cb06b1bb1964bb25ba9925ed328576

    SHA512

    0c7380beded918d828874f12d1a8705e62ddd9dc31b958b6309a53b4cb1fa682ffaa391147e27d9953ce03f590feac1bb1770a1abbb37e5d3289ac8e5f4a9cc5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Sexuality
    Filesize

    5KB

    MD5

    31091bdd4ac25ac99657ba80ecd99b58

    SHA1

    f0ac4b8914d99395d10b7fcf3593fea104312a52

    SHA256

    c99d10219cf197e96810af6a10905be622508623cb67a902006189e264afbe79

    SHA512

    850f1b201f2e595ca8dec674b58bbbf37141637588c20db660f5ea599d745d4e19a032a98fa78b09c20b83a57f623f59b98b10c7b1a8b25e1f1fa1beb44898d1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tell
    Filesize

    99KB

    MD5

    bf47de0749063bb5cdf6101792af5076

    SHA1

    be1082bc1d75aabb97c27a1c2e8e1d985ef1843b

    SHA256

    c4c7cdd21ed46fc747c7034467e1006da9546394239a02cfaa0a00ac910f4e86

    SHA512

    ed04899dbf30df8fa6379cd3165956187a918bc00228000074879adcaa29a9d98aa112f9d462993f38023a3d101fd2b973a2df6a745652e1713be48ddd02255f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Usr
    Filesize

    80KB

    MD5

    c1202143072b2a8542f95275ec0598b2

    SHA1

    6481c289fde305555107ecb5d9922bebe5205d93

    SHA256

    ded71dd2b5a8500aea48c65c9e3154404f9b13c13af60a83831154917f3944ce

    SHA512

    5931e36e5fe9b6d8bebe9ab0fb28a5290a0800a44f94629789867c720068b1994852c143baf7e4f5898cfdecfa77cdc4d4c5abb22c6bb0dec04a29f864253616

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Vocal
    Filesize

    866KB

    MD5

    3b0fd8a40177d6fc4dcb502b414ade5a

    SHA1

    3c4cb556b86ab7932372665480ec4f3ddfce3a93

    SHA256

    a43f4500ef17e216a54a979d265d0825831ce7f4029931efa2a2b863d006261a

    SHA512

    25627124d4ed74d6ef342bbada876b9cadf5ce470438b0a9265a26d8eb3763847de9a1595c0b7700bf65faf7114de92f979f250c9c4b451d1f7860eda3a576a6

    Download Submit

  • memory/2616-37-0x0000000008820000-0x0000000008E38000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2616-40-0x0000000008300000-0x000000000833C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2616-35-0x0000000005240000-0x00000000052D2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2616-36-0x0000000005210000-0x000000000521A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2616-31-0x0000000000C00000-0x0000000000C80000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2616-38-0x00000000082A0000-0x00000000082B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2616-39-0x00000000083D0000-0x00000000084DA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2616-34-0x0000000005710000-0x0000000005CB6000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2616-41-0x0000000008340000-0x000000000838C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2616-42-0x00000000090B0000-0x0000000009116000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2616-43-0x0000000009780000-0x00000000097F6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2616-44-0x0000000009750000-0x000000000976E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2616-45-0x0000000009EF0000-0x000000000A0B2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2616-46-0x000000000AB50000-0x000000000B07C000-memory.dmp

    Filesize

    5.2MB

    Download