Analysis

  • max time kernel
    94s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/12/2024, 15:03

General

  • Target

    rUtfalBbvXy6eEmMrseqpFHx.exe

  • Size

    2.0MB

  • MD5

    93156ea35c0014003d9e87bf82a79b33

  • SHA1

    1eacd5ec484996a4dab233cd569c54d1594fb3a9

  • SHA256

    c6ac7d4850131a5422da8170ed1a51f939c4b3b1f312478498e8aa7df374e840

  • SHA512

    024611682daf2ca96112253d1b2cf8afed22639363c9684353a89e396a89e032a4f7ce8236557416e27dd635e3ee82b332aa3e0bfeba0affc439bdd28a3ea322

  • SSDEEP

    49152:7rEOLD0xW+aJVXfxu3Eosp/qw7RV+uY/:023Jtosp/qw7yb

Malware Config

Signatures

  • Detected Nirsoft tools 3 IoCs

    Free utilities, often used by attackers, that can steal passwords, product keys, etc.

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rUtfalBbvXy6eEmMrseqpFHx.exe
    "C:\Users\Admin\AppData\Local\Temp\rUtfalBbvXy6eEmMrseqpFHx.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3384
    • C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4320

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\11111.exe

    Filesize

    458KB

    MD5

    ba3a98e2a1faacf0ad668b4e9582a109

    SHA1

    1160c029a6257f776a6ed1cfdc09ae158d613ae3

    SHA256

    8165138265a2bf60d2edd69662c399bdbf1426108e98c5dfff5933168eba33f5

    SHA512

    d255da482ad2e9fa29b84676028c21683b0df7663113e2b0b7c6ff07c9fb8995e81a589e6c8d157ce33c1f266ac12a512821894159eee37dbb53a1d3ae6d6825

  • C:\Users\Admin\AppData\Local\Temp\11111.exe

    Filesize

    391KB

    MD5

    7165e9d7456520d1f1644aa26da7c423

    SHA1

    177f9116229a021e24f80c4059999c4c52f9e830

    SHA256

    40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67

    SHA512

    fe80996a7f5c64815c19db1fa582581aa1934ea8d1050e686b4f65bcdd000df1decdf711e0e4b1de8a2aa4fcb1ac95cebb0316017c42e80d8386bd3400fcaecb

  • C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

    Filesize

    31B

    MD5

    b7161c0845a64ff6d7345b67ff97f3b0

    SHA1

    d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

    SHA256

    fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

    SHA512

    98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

  • C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

    Filesize

    1KB

    MD5

    7f0841790db9c7f1f082c81e976eb103

    SHA1

    18183bde138f7ceac2f15d9334a53be2c2db3016

    SHA256

    b32b0673cf09b8f215db036bfb0a6b878937779f5ca525e54f12cd04b27a651a

    SHA512

    35c6870ebbde32c7dced4100cdebf59cfd6dcf75acca39147971ae4703fb68c4071a2173446c8b67acd3d4d1b0c91dbdf6df157cd7d3ed75922821eeedf163c0

  • memory/4320-9-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB