Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/10/2024, 22:35

General

  • Target

    2pSetup.exe

  • Size

    2.5MB

  • MD5

    047236c75d06bc5f7a74e73e05cbf73c

  • SHA1

    1e7a6e6e91c09474ec79208eaba8fdbadfb39b76

  • SHA256

    b5d34d7d4f5dd5d40407f56c64abef2b91b668e6782604beccde54ff8147644d

  • SHA512

    1d2491beb6c17ba797e5fe2f7dae9a9fdb88e6d88103d03a82ef6a55df9ce368b97feadff60730d1addfefd01c281150764e246ed7039fc0c61adc1961eace9f

  • SSDEEP

    49152:q3Pnd9+Bq1OPFVvHECplutRiwbKu/oP5HVQYgbuztK9OVnWH/Tvwmd54z1WyAtRC:q3Pnd94TpyRbeiaVmXOVEbvnd+zFz

Malware Config

Signatures

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 37 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 25 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2pSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\2pSetup.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Installs/modifies Browser Helper Object
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:804
    • C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe
      "C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe" -remove
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2836
    • C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe
      "C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe" -install
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2784
    • C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe
      "C:\PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2932
    • C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pHighIn.exe
      "C:\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pHighIn.exe" 2ptpinst.dll,#5
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1508
  • C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe
    C:\PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:788

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \PROGRA~2\COUPON~1\bar\1.bin\2pbarsvc.exe

    Filesize

    36KB

    MD5

    c0bebcb3dfc2edb4c296f1802766e1ff

    SHA1

    42191afd20e6359b4c5678acb96ecb03091d17e5

    SHA256

    39189db0555c346d801a918f2f4e1c1a11a279123f9c23a984e1de2d7d70c888

    SHA512

    4ed63a2a792909df0ed07d5c2db2fbd6c14515d3e00c0618b710f4571fb42b91eada8af0d5d260b98f3035f72260fdc59e747470a51bfe75c5bb3b6b4183dddc

  • \PROGRA~2\COUPON~1\bar\1.bin\2pbrmon.exe

    Filesize

    27KB

    MD5

    ba4695385687403aa1820346c88dfa8a

    SHA1

    e7d0f5a1b1d842341a4f0e863f9280a02d7471d6

    SHA256

    2b2a045e70225cd04c7596d61e0950f103dc3745483b3b54032e85ea33db3b97

    SHA512

    942f6a9d5a41036e15d71b7b93a4f0438447c4ebe053e22a4926e5fc13dc912de44df2a203ea0f28a858d7337d7a4bfa4b26127fe5d401d0db76ba0479a87536

  • \Program Files (x86)\CouponAlert_2p\bar\1.bin\2pPlugin.dll

    Filesize

    55KB

    MD5

    c1b14848de571fc85c73c79c80bc1d1a

    SHA1

    b133d05665047306caa7765db6da69660acaa50d

    SHA256

    b78b1161f3537108d573df6d695225e27b460e9afdedcdae714ecb99b25d7cdb

    SHA512

    e52478f47841b393d7f917349b22f128cf2c2d4caa1bee02c51a3ba7103579d49d1f243664ae0e099f3fb89b5269b2f6e7188d3a9b234bddb533249eec3c54cc

  • \Program Files (x86)\CouponAlert_2p\bar\1.bin\2pSrcAs.dll

    Filesize

    59KB

    MD5

    05cb544850086b21597f3580b01e66fa

    SHA1

    e1363223d3524141eb87aa65bd15606fc0031845

    SHA256

    a33efa0b4cbabee12981cc49a96b9144b94a893100abe158b1e055677a7dc4dc

    SHA512

    c1b1c7898e07b8ed50255c3e277cc44f61eae53b46943d0e04e43e05be72b1865124d3395424bba85755510fd1f71bd4b11312577729cf2325beb4bb41a8be16

  • \Program Files (x86)\CouponAlert_2p\bar\1.bin\2pauxstb.dll

    Filesize

    36KB

    MD5

    bef8418e2bb907705989694fa04a4f3a

    SHA1

    f1acca6a112aab18be7c4a38e3ebb042960d57c0

    SHA256

    f8dc25c92591c9a921fd367739180b0ddf602f4075d73cd669981bcb1a55cd0a

    SHA512

    c549c655f29abb91e65a3e445a0a28c65e78c82e6aa7c1fc99de2e5e3d3a2a4bc342e64e5f7c80b33a12b47131b74a537847e2446c632960825cf4fdd7e3e96f

  • \Program Files (x86)\CouponAlert_2p\bar\1.bin\2pbar.dll

    Filesize

    686KB

    MD5

    5afbf0822a1353e409b84f406ab6c275

    SHA1

    b57a215306698751f73a4fec91330aa2739594ea

    SHA256

    63020f4bb854913dcddeb0b0bd9469751a4861273391127ce041671ffe776dc5

    SHA512

    bbee841572d868e51a0bb0685da0630a5708c3f444bfb352bd8093c747fa42d1367d99c57c8eed002e2b1db216c1396da1fe3f48eda78390ec6cf11117938ea7

  • \Program Files (x86)\CouponAlert_2p\bar\1.bin\2pbrstub.dll

    Filesize

    31KB

    MD5

    209d8fffc7ba17b5edf69a558b220f5e

    SHA1

    3e8e000fff561708b23495ae87bdd4bffb1f9e43

    SHA256

    56951b5eb91204eda94ae882da53a97a23b9e0accdff44b359a2dae210d10eef

    SHA512

    9df7533a9daba33c808b3fb40b63741f54619d5f933a40890fae124aecc1439cf3799253512cba50a897c57e1fd15f587449caa8101bf23756e435dd2712f617

  • \Program Files (x86)\CouponAlert_2p\bar\1.bin\2pdatact.dll

    Filesize

    92KB

    MD5

    79f32577d7ce7035054e987310187440

    SHA1

    58416d1488eed6f47ad78a7d0c62b854fe09b895

    SHA256

    3140555e504168d849baa4d7cdf0f8f7fea2a7806d02dcde39afa8f56c72d6e3

    SHA512

    d3e00f991fe41b365f3ed39f40babbb8ec8e4932b2e91395f7f5830a31b9cf6d2e1c28ac5c0816f63e874edf389974152de7676333aaec95543c37aea5afa5b5

  • \Program Files (x86)\CouponAlert_2p\bar\1.bin\2pdlghk.dll

    Filesize

    44KB

    MD5

    7e8b85dd3007138116d279c014ab070a

    SHA1

    d6d69499bf74bb3f49b082cfef30ebc28e19454e

    SHA256

    04f1d61353078eec7174b0dc53ad6307615f5841523be566e935d428c70c3bad

    SHA512

    342162246f576e85b52c82324f6c520174f21823b8bcdcf52926c56dee313ea7c028f9934f916e6d42d3368a5371ae4e8fb4c9578b02ea32963a4304d2927769

  • \Program Files (x86)\CouponAlert_2p\bar\1.bin\2pdyn.dll

    Filesize

    55KB

    MD5

    d10a7cc5638f78f173901891caa0ea5f

    SHA1

    1d965ff58ad75e94bd00d9a1781a7f7610c1123f

    SHA256

    92243e4c5b7f4df7491917b78bb09a02f986a7e8e79448e48a8f26eb895396a6

    SHA512

    12886949d010e89adcfc0d75e2f81bbcc2a8be770be96f1e27ee380c79d1e93d02eed738431c18baa9a9020e732545e5390d02d41237b52c565141585ffa874f

  • \Program Files (x86)\CouponAlert_2p\bar\1.bin\2pfeedmg.dll

    Filesize

    92KB

    MD5

    8d5dfbad16f8a6c928fcbb84c6cda655

    SHA1

    46d0ac5e455e6b40951b04867aaf21f793e38783

    SHA256

    bdf16d30334874de3710dc2b37a493a1845d396d96f9c80d67d2c589866f4b71

    SHA512

    4737730d149fac4e7569ba8ed804cdd1d8c2b347011746901ddaa922331ecf95c80854029490b802099ba8e0aabba5269dad89a0cd481500b425c9c9a751ea74

  • \Program Files (x86)\CouponAlert_2p\bar\1.bin\2phighin.exe

    Filesize

    28KB

    MD5

    ede9efd100fed6f723ef26eef67f5bc7

    SHA1

    97401b6d2967a2dfb2ba0605d84e8abd7368450e

    SHA256

    c4ac82da7e7eb1e5e7854571305897a8ae6a2f5704a3116ed8454188d9df3eb5

    SHA512

    7570b96fc89e03daaf8d52caa0aacabb3ec626619678dba75d63d5482ff0a479be002fac3c7d5523f873c84f317aea44a3008d702f4c99cd3ded490dfc80f21a

  • \Program Files (x86)\CouponAlert_2p\bar\1.bin\2phtml.dll

    Filesize

    96KB

    MD5

    dbb37c245084bfa6d149d6490a3def6c

    SHA1

    46469fd95dcbe9018dd5c20457c6b80f882b06f0

    SHA256

    b14bee662471d747f7c94a62d45c6426934faeb5a597b2ea092bd621253f45b3

    SHA512

    904f04fbbcdd50b3e30620c4e4be477a21c0c3639e54651a929daa4e4700f486112edfeba5496213b6c14732a45205581a93bdabbe9ede27c84e6ed31b1d7339

  • \Program Files (x86)\CouponAlert_2p\bar\1.bin\2phtmlmu.dll

    Filesize

    164KB

    MD5

    078142e03762f182c420dcec5bf57522

    SHA1

    f715f1c82fa9311405cb7d50bb506dd4a08bcfa3

    SHA256

    9e196cc00408096c7bf61a3bb7615182432b15e9476f86e8e556c7dbeec3597f

    SHA512

    23a3ad0ab94e064f45f317352beaa615040d74f1fd3a20ef29d8d1e53a2b0cfcec5f359de688185f3695682dc22ef51ba04001d175d016504335acb4e1e889a2

  • \Program Files (x86)\CouponAlert_2p\bar\1.bin\2phttpct.dll

    Filesize

    84KB

    MD5

    64451f703e38ce8ce558916d1b3b298c

    SHA1

    88278506406f9125daff32f8e8459574fe8f38df

    SHA256

    9c9c071529d43298873a129c695508edc52a83e528ac0266fc58707faf2e58df

    SHA512

    559e61be7b7a7d3000e523f6b208805e6908bbfd7fd123b4b869f5ee95337d76fb36e5807a1dcbee3a5379ae9a2f5dbce52be7efbf31c241051c9d9c13af05ca

  • \Program Files (x86)\CouponAlert_2p\bar\1.bin\2pidle.dll

    Filesize

    39KB

    MD5

    3470b060c813074d7ba1e06c019ec03c

    SHA1

    c388e332081ca424274b92f53429e1ddee8e5775

    SHA256

    584b0adfb7daf42504cc7a443f031f1463fbe19b63de8334fc8f18acdf3b1865

    SHA512

    806a2ea5d5b703d4cac8973312da485497c14431b9c1b1a1a9e15f6423215961f1a2d54a429a4aca6f67435f2a3348dea426b86293b46c62af10b7953639bf38

  • \Program Files (x86)\CouponAlert_2p\bar\1.bin\2pmlbtn.dll

    Filesize

    47KB

    MD5

    f807dad358658e35e6f0fea173a6b4cf

    SHA1

    0fb2d953de4f1cbc548b6e5525580663c1896295

    SHA256

    b61bc01059e4e9d8dad5a971a071fec40e7b21ee13155de14604da02f997f1bb

    SHA512

    f2002553b415e92874254d07ba44a20104df027443c93b6df7f8240c18d9218b648b4a02c0545ffd2d92ae8b487b59af21bfac5dda5d3e68b2bbb6f06f7ee2a8

  • \Program Files (x86)\CouponAlert_2p\bar\1.bin\2pmsg.dll

    Filesize

    152KB

    MD5

    196c4d88c7c780fc2dc83393512883de

    SHA1

    6343f5711789bfb866e18a172828eb7d45606a62

    SHA256

    ee57dff1e8d60a585c5ee37a52f5c825b75740359fddb5006bb913bb156cadfd

    SHA512

    be685fa9d87c0b7521176fd6bffa37206d068f4efceafc5996bb5ff2f44d49e451a1ba02a28f30c5a6a0cd79c3ccd22da06e3ab7752dcb2f75ab979f56347e89

  • \Program Files (x86)\CouponAlert_2p\bar\1.bin\2pradio.dll

    Filesize

    119KB

    MD5

    05de9983317fe259ad8c88c7880ebeb3

    SHA1

    919d95dafc2ff2580952b8dd14ab8471a73eb4e6

    SHA256

    e35c66f120064017cf47255faee3dbf959bbd9ae182db647becf7d4da0bba53a

    SHA512

    7b2a72955ed6637aef4df3af5cd20f9bd7afe4a3bb926d9353b1da8848628ba07fccf03056074f1208c1a04aafbd437000c817759f25e2c042f0f01f24ca8c11

  • \Program Files (x86)\CouponAlert_2p\bar\1.bin\2pregfft.dll

    Filesize

    44KB

    MD5

    05b1f48b706799cf55cd8b52a7462f8f

    SHA1

    003efc04aa08e9f1e59aee6199acf5c1863b6818

    SHA256

    3974ea1583ee359c187b2e052985b022656acbbaa156cd030bb02cf7c68c2627

    SHA512

    206ecbb1e2de89765e08a5f6f6bcd1012424129a72ec88e248bd38f182dfdf34cc85c8b3d4bdefcbf3163b7998064d2d1ee123b6e1b43b5658b13c13dfc47144

  • \Program Files (x86)\CouponAlert_2p\bar\1.bin\2pregiet.dll

    Filesize

    44KB

    MD5

    7396779ccb97fe1db173857422226451

    SHA1

    0f7bc5793f586751eb47485a03c0afc8e3d7ab3f

    SHA256

    5e8d884b7bc5f19ef56469e3804998832b281ba1d7b16101acf957046b3b1ef2

    SHA512

    0130a673a8655e2452ea5f4d52973dfce453090eca40d864e18fa33840d02038dafe07d45bb844c39438dc8bc83bad75687203ab9b3469d04bcc886faf724193

  • \Program Files (x86)\CouponAlert_2p\bar\1.bin\2pscript.dll

    Filesize

    43KB

    MD5

    25ac933b59ff336367bd6e28562de857

    SHA1

    41ce69a759faccc49bdb85b1f4f2a84e2ccd1e6e

    SHA256

    5750ed2046caa1ac617254f7c1e4cea3ea8f01bb7eaefcf5a668b49d716640d8

    SHA512

    816ae02a00148589d5be0bf9246220fbb94a5029880e918d307cf8134d74c3d1883e177ee61d2cfcdd9eb01151a86770c60d14197109ffe71f852edcf2e08f76

  • \Program Files (x86)\CouponAlert_2p\bar\1.bin\2pskin.dll

    Filesize

    136KB

    MD5

    c77e6a85934d428844473c9763747fe9

    SHA1

    31c04d3314cb73be5d623f1bb709f54816ce27a9

    SHA256

    d3f4cddd3f6865c97d75613e4aa0185e5b42e75f44e2c0f0480cfba7f9176a1a

    SHA512

    4ddb51d796dd34635e802bcce03e90eddcf62795f0f1b11a96e6099e4ad963f59fc6d0ab178640a6015ffce44d23231627f3ae9c94bef95cfb7e0a2507aaf0c8

  • \Program Files (x86)\CouponAlert_2p\bar\1.bin\2ptpinst.dll

    Filesize

    92KB

    MD5

    01acc19c649d35ae3e049095d77fe5bb

    SHA1

    edf0fc52a8cc56f8aa68f05cb5610f37c1f6546a

    SHA256

    bad75288a411654a815184bf6e140771ed1da28fbf2392da7c002e8785700e0d

    SHA512

    8400b6db578440027fe3417ede304a82aacd3025b0e7f433873e4001e3c25e6951d733ee803de13ef271336b24680de4a197258eed731c0d3bf796e4f3a73e6e

  • \Program Files (x86)\CouponAlert_2p\bar\1.bin\2puabtn.dll

    Filesize

    43KB

    MD5

    af4987ef966a6270b5e99fafee9c9fa8

    SHA1

    2c3a0790e3638e61e711e3b97a6058b24ea49e57

    SHA256

    9113c634fcdc656a47fedd35a43fd768f6234501e1f12c63c17a599b218e6bee

    SHA512

    c4323519b534623e84568eb3fd1f61c1c268f22491dfc4bd689eb3af02f466c78c171afb016220d5c086ae8139bc160add0d3bb867f6dbfa4f6d41205b2fdfc9

  • \Program Files (x86)\CouponAlert_2p\bar\1.bin\NP2pStub.dll

    Filesize

    31KB

    MD5

    a787e3fbc688c71cf530f951e1629da6

    SHA1

    dcf03b6bc8b5780f9fafc1f5e008a50e4a1f30db

    SHA256

    e63fd19af8bdd92476a365dc9b7a0f312c14a2f9595d6788c3700350b36084c7

    SHA512

    94280e21a65805164be83a234a9918bca190f6ebcb0803203b5611a79b53a3f5f3b05cbb06ad944175e61b9175e1de023c1cef9c11d0f846e69148c2fbb3b983