Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    57s
  • max time network
    69s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    07/07/2020, 12:43

General

  • Target

    73533280097647.exe

  • Size

    622KB

  • MD5

    cbbdf22fa1411ba58d30eadcaed48314

  • SHA1

    c7f36a26a7083348b3b390b763d82463e21bfa28

  • SHA256

    6f6a327875691d7d61cdb1e73bbe10e1252493f9e8b2a9c5b0ea31fcc6c38925

  • SHA512

    d49f320f72b191fb43f15c26cc791c218fc480cc48f488fe2b6aaca7210755e434e02cf083abdc6c394aed04c101e7966bfc2dac25edf31ce465c9e6ba8c5a84

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 16 IoCs
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • NetWire RAT payload 2 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73533280097647.exe
    "C:\Users\Admin\AppData\Local\Temp\73533280097647.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious use of AdjustPrivilegeToken
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    PID:1360
    • C:\Users\Admin\Desktop\44.0.exe
      "C:\Users\Admin\Desktop\44.0.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: EnumeratesProcesses
      PID:324
    • C:\Users\Admin\AppData\Local\Temp\73533280097647.exe
      "C:\Users\Admin\AppData\Local\Temp\73533280097647.exe"
      2⤵
        PID:1776

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1776-7-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/1776-9-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB