Analysis
- max time kernel: 57s
- max time network: 69s
- platform: windows7_x64
- resource: win7v200430
- submitted: 07/07/2020, 12:43
Static task: static1
Behavioral task: behavioral1
  Sample: 73533280097647.exe
  Resource: win7v200430
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: 73533280097647.exe
  Resource: win10
  0 signatures, 0 seconds
General
- Target: 73533280097647.exe
- Size: 622KB
- MD5: cbbdf22fa1411ba58d30eadcaed48314
- SHA1: c7f36a26a7083348b3b390b763d82463e21bfa28
- SHA256: 6f6a327875691d7d61cdb1e73bbe10e1252493f9e8b2a9c5b0ea31fcc6c38925
- SHA512: d49f320f72b191fb43f15c26cc791c218fc480cc48f488fe2b6aaca7210755e434e02cf083abdc6c394aed04c101e7966bfc2dac25edf31ce465c9e6ba8c5a84
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (16 IoCs)
  description                        pid   Process             procid_target
  PID 1360 wrote to memory of 324    1360  73533280097647.exe  24             (4 occurrences)
  PID 1360 wrote to memory of 1776   1360  73533280097647.exe  27             (12 occurrences)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other profile contents.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1360  73533280097647.exe
  Token: SeDebugPrivilege  324   44.0.exe
- Loads dropped DLL (1 IoC)
  pid   Process
  1360  73533280097647.exe
- Executes dropped EXE (1 IoC)
  pid   Process
  324   44.0.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                           pid   Process             procid_target
  PID 1360 set thread context of 1776   1360  73533280097647.exe  27
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  324   44.0.exe
- NetWire RAT payload (2 IoCs)
  resource                                                                        yara_rule
  behavioral1/memory/1776-7-0x0000000000400000-0x0000000000433000-memory.dmp      netwire
  behavioral1/memory/1776-9-0x0000000000400000-0x0000000000433000-memory.dmp      netwire
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often look for it.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   Process
  1360  73533280097647.exe  (3 occurrences)
  324   44.0.exe            (2 occurrences)
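The signature tables above describe one parent, PID 1360, that writes into two children: 44.0.exe (PID 324) receives memory writes only, while PID 1776, a second instance of the parent's own image, receives both memory writes and a SetThreadContext call, and the NetWire YARA rule fires on that child's memory at 0x400000-0x433000. Write-then-SetThreadContext on a freshly spawned copy of yourself is the classic process-hollowing (RunPE) sequence. The script below is an added example, not part of the Triage report or its tooling: it takes the signature rows as they appear on this page (embedded as constructed strings, one row per line), correlates them per source/target pair, and attaches any memory-dump YARA hits to the target. The row regexes, the process map, the Verdict class and the technique labels are this example's own assumptions; the procid_target column is ignored.

```python
"""Correlate sandbox IoC rows into a process-injection verdict per process pair."""
import re
from dataclasses import dataclass

# Constructed input: rows copied from the report's signature tables, one per line.
WRITE_PROCESS_MEMORY = """
PID 1360 wrote to memory of 324 1360 73533280097647.exe 24
PID 1360 wrote to memory of 324 1360 73533280097647.exe 24
PID 1360 wrote to memory of 1776 1360 73533280097647.exe 27
PID 1360 wrote to memory of 1776 1360 73533280097647.exe 27
"""
SET_THREAD_CONTEXT = """
PID 1360 set thread context of 1776 1360 73533280097647.exe 27
"""
YARA_HITS = """
behavioral1/memory/1776-7-0x0000000000400000-0x0000000000433000-memory.dmp netwire
behavioral1/memory/1776-9-0x0000000000400000-0x0000000000433000-memory.dmp netwire
"""
# Process tree from the report: pid -> image path (assumed shape, values from the page).
PROCESSES = {
    1360: r"C:\Users\Admin\AppData\Local\Temp\73533280097647.exe",
    324: r"C:\Users\Admin\Desktop\44.0.exe",
    1776: r"C:\Users\Admin\AppData\Local\Temp\73533280097647.exe",
}

# Assumed row layouts: "PID <src> <action> <dst> <pid> <image> <procid_target>"
# and "<task>/memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp <rule>".
ROW_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ \S+ \d+")
YARA_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp (\w+)")


def parse_edges(text):
    """Return the set of (source_pid, target_pid) pairs found in a signature table."""
    edges = set()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            edges.add((int(m.group(1)), int(m.group(3))))
    return edges


def parse_yara(text):
    """Return {pid: {(rule, start, end), ...}} from memory-dump YARA hits."""
    hits = {}
    for line in text.strip().splitlines():
        m = YARA_RE.search(line)
        if m:
            pid, start, end, rule = m.groups()
            hits.setdefault(int(pid), set()).add((rule, int(start, 16), int(end, 16)))
    return hits


@dataclass(frozen=True)
class Verdict:
    source: int
    target: int
    technique: str
    same_image: bool        # target runs the same image as the source (self-hollowing)
    payload_rules: tuple    # YARA rules that fired on the target's memory


def classify(write_text, ctx_text, yara_text, processes):
    """One Verdict per (source, target) pair, ordered by pid."""
    writes = parse_edges(write_text)
    ctx = parse_edges(ctx_text)
    yara = parse_yara(yara_text)
    verdicts = []
    for src, dst in sorted(writes | ctx):
        if (src, dst) in writes and (src, dst) in ctx:
            technique = "process hollowing (WriteProcessMemory + SetThreadContext)"
        elif (src, dst) in writes:
            technique = "memory write only (possible injection or patching)"
        else:
            technique = "thread context change only"
        rules = tuple(sorted({rule for rule, _, _ in yara.get(dst, ())}))
        same_image = processes.get(src) == processes.get(dst)
        verdicts.append(Verdict(src, dst, technique, same_image, rules))
    return verdicts


if __name__ == "__main__":
    for v in classify(WRITE_PROCESS_MEMORY, SET_THREAD_CONTEXT, YARA_HITS, PROCESSES):
        tag = " [same image]" if v.same_image else ""
        rules = ", ".join(v.payload_rules) or "none"
        print(f"{v.source} -> {v.target}: {v.technique}{tag}; payload rules: {rules}")
```

Run against the rows above, the script reports 1360 -> 324 as a memory write only and 1360 -> 1776 as process hollowing of a same-image child carrying the netwire payload, which is why the RAT signature fires on PID 1776 rather than on the 622KB dropper itself. The same correlation can be run over a larger report, since the edge set is built from every row, not just the first.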
Processes
- C:\Users\Admin\AppData\Local\Temp\73533280097647.exe  "C:\Users\Admin\AppData\Local\Temp\73533280097647.exe"  (PID 1360)
    Suspicious use of WriteProcessMemory
    Suspicious use of AdjustPrivilegeToken
    Loads dropped DLL
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\Desktop\44.0.exe  "C:\Users\Admin\Desktop\44.0.exe"  (PID 324, child of 1360)
      Suspicious use of AdjustPrivilegeToken
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\73533280097647.exe  "C:\Users\Admin\AppData\Local\Temp\73533280097647.exe"  (PID 1776, child of 1360)