Analysis
Max time kernel: 118s
Max time network: 119s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 25/10/2024, 21:48
Static task: static1
Behavioral task: behavioral1
  Sample: a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe
  Resource: win10v2004-20241007-en
General
Target: a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe
Size: 736KB
MD5: 67ea365fa8cc4e5810708b2a20368de0
SHA1: 9ba503e7c4effa7c1884e9a19acf354fb6d95be5
SHA256: a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6a
SHA512: 2c62061c5f76ae8f45778342e4b48c784e98a17da5601be90462c004cb9e4320d618dfb7f024f8d7a53f8b80988aa2abaca44a5caf78c7965231b18ba9feed6d
SSDEEP: 12288:gwEJqS+KnjhoS/kZlcbj2UinIpE677LVisji4tBjNJsoSi4CKTDxV6OADMoSJu:gRJqSOibjGnIpEWos3D4CkV6hj
Malware Config
Signatures
- ACProtect 1.3x - 1.4x DLL software (2 IoCs)
  Detects file using ACProtect software.
  resource | yara_rule
  behavioral1/files/0x0008000000016a47-6.dat | acprotect
  behavioral1/files/0x0007000000016c58-34.dat | acprotect
- Deletes itself (1 IoCs)
  pid | Process
  2668 | cmd.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  2472 | Free Ride Games.exe
- Loads dropped DLL (8 IoCs)
  pid | Process
  2276 | a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe
  2276 | a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe
  2276 | a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe
  2276 | a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe
  2276 | a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe
  2472 | Free Ride Games.exe
  2472 | Free Ride Games.exe
  2472 | Free Ride Games.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exent_SDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SDM143\\Free Ride Games.exe \"l 'Startup' u 'http://www.freeridegames.com/do/SDMGW?action=config&type=seoDD&contentId=%d' p '143' c '695650'\"" | Free Ride Games.exe
- upx (yara rule matches)
  resource | yara_rule
  behavioral1/files/0x0008000000016a47-6.dat | upx
  behavioral1/memory/2276-8-0x0000000010000000-0x0000000010060000-memory.dmp | upx
  behavioral1/files/0x0008000000016c3d-10.dat | upx
  behavioral1/memory/2276-12-0x0000000003FB0000-0x00000000040B9000-memory.dmp | upx
  behavioral1/memory/2472-32-0x0000000000400000-0x0000000000509000-memory.dmp | upx
  behavioral1/files/0x0007000000016c58-34.dat | upx
  behavioral1/memory/2472-40-0x0000000010000000-0x0000000010055000-memory.dmp | upx
  behavioral1/memory/2472-145-0x0000000000400000-0x0000000000509000-memory.dmp | upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Free Ride Games.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | Free Ride Games.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  2472 | Free Ride Games.exe
  2472 | Free Ride Games.exe
  2472 | Free Ride Games.exe
  2472 | Free Ride Games.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2276 wrote to memory of 2472 | 2276 | a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe | 31
  PID 2276 wrote to memory of 2472 | 2276 | a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe | 31
  PID 2276 wrote to memory of 2472 | 2276 | a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe | 31
  PID 2276 wrote to memory of 2472 | 2276 | a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe | 31
  PID 2276 wrote to memory of 2668 | 2276 | a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe | 32
  PID 2276 wrote to memory of 2668 | 2276 | a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe | 32
  PID 2276 wrote to memory of 2668 | 2276 | a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe | 32
  PID 2276 wrote to memory of 2668 | 2276 | a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe | 32
Processes
- C:\Users\Admin\AppData\Local\Temp\a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe"
  PID: 2276
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe" "u 'http://www.freeridegames.com/do/SDMGW?action=config&type=seoDD&contentId=%d' p '143' c '695650' l 'Installer'"
    PID: 2472
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
    PID: 2668
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads