
Analysis

  • max time kernel
    112s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/10/2024, 21:48

General

  • Target

    a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe

  • Size

    736KB

  • MD5

    67ea365fa8cc4e5810708b2a20368de0

  • SHA1

    9ba503e7c4effa7c1884e9a19acf354fb6d95be5

  • SHA256

    a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6a

  • SHA512

    2c62061c5f76ae8f45778342e4b48c784e98a17da5601be90462c004cb9e4320d618dfb7f024f8d7a53f8b80988aa2abaca44a5caf78c7965231b18ba9feed6d

  • SSDEEP

    12288:gwEJqS+KnjhoS/kZlcbj2UinIpE677LVisji4tBjNJsoSi4CKTDxV6OADMoSJu:gRJqSOibjGnIpEWos3D4CkV6hj

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe
    "C:\Users\Admin\AppData\Local\Temp\a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe
      "C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe" "u 'http://www.freeridegames.com/do/SDMGW?action=config&type=seoDD&contentId=%d' p '143' c '695650' l 'Installer'"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4616
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3260

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\SDM143\ExentCtlInstaller.dll

    Filesize

    91KB

    MD5

    6b2044ea77b46bc03c4addd9400b4368

    SHA1

    5640cc06fae6410deafc61db5412d053c2a76c93

    SHA256

    7fb20aa347d5e2ef38e00c751306c6929766f69f53c9a5c4f30980a48e4caada

    SHA512

    65c79f432f3c087385253f6968b7542a50cdc3d9739fbbbaf7dc0cc8960a01a0cd6819c65a24b5daad0f0163cb4e035a0235b113a21a334c1f21a5519cd7a590

  • C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe

    Filesize

    395KB

    MD5

    cf1101b04dbd53e9034ea91e8c45c530

    SHA1

    5b4f3272905924005e01af6f072ed031f5ca91e8

    SHA256

    1baadc3b930973f0784bab0aadbd727a1c2fbfa2145d0430aaa9f68a7a67954e

    SHA512

    d7aed0da5bcc5d09deddc149522e1cf6129c34fae416a74912203e5620013725bd78530342d018b2661de70b7c4b58629709a2c3d19eacca5f07ca335501dd15

  • C:\Users\Admin\AppData\Local\Temp\SDM143\resourceDll.dll

    Filesize

    127KB

    MD5

    0a05daecdacd937c3af053a994a9fae3

    SHA1

    773398736b3d70486e6a8c42cf36b17bd3802e9a

    SHA256

    cb083188b612e549ad5b4bd2d2001059a2883d6e58c48be66423e4a999460a39

    SHA512

    d4b3b10a36805e9ea448097cb280f86de80b05c0436b8d5eca1908d210177d69db3fda1dd150a20b1f13ca77e62fce8432d9123443dfb03f0b97bc9a81bba8c6

  • C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

    Filesize

    300B

    MD5

    a17d97b03fb8499a051214494abb065f

    SHA1

    bfcc6006018ba9fa44d12f7adf18b72fa3fdc735

    SHA256

    06b0feea86b87216384e2f3915aac8145e9ce0738b2d8a96b1827dadd9ab69a9

    SHA512

    8fad4cb9cde03c0dbd5fc4d31f456b427d2f29511ad300f84a5b76eb111fbddcaaa5d6c8e7f717cff613950d1d64076b87bc25c6e494e9d9d229c9fc339fed5d

  • memory/2216-9-0x0000000010000000-0x0000000010060000-memory.dmp

    Filesize

    384KB

  • memory/4616-20-0x0000000000400000-0x0000000000509000-memory.dmp

    Filesize

    1.0MB

  • memory/4616-27-0x0000000010000000-0x0000000010055000-memory.dmp

    Filesize

    340KB

  • memory/4616-30-0x0000000010000000-0x0000000010055000-memory.dmp

    Filesize

    340KB

  • memory/4616-32-0x0000000010000000-0x0000000010055000-memory.dmp

    Filesize

    340KB

  • memory/4616-82-0x0000000000400000-0x0000000000509000-memory.dmp

    Filesize

    1.0MB

  • memory/4616-83-0x0000000010000000-0x0000000010055000-memory.dmp

    Filesize

    340KB