Analysis

  • max time kernel
    300s
  • max time network
    281s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    05/06/2021, 18:57

General

  • Target

    Program.exe

  • Size

    783KB

  • MD5

    a5ce4452b72ef5e005a652256aa4b842

  • SHA1

    570c2099012673bff0b4bbd8bac54bde38f4832f

  • SHA256

    64b5e1a70578e66ff0c849e4b06a1460065b820970748d4f6a959773aaae122f

  • SHA512

    69d090e9d91861b787e027e4c7dd4d6b500910f92262c4e2e8e9a9fb46b9cfb33caba7d9e0b4e5882adc178028ab7582641bc6625b7561700f3bfcfdf0855ee8

Malware Config

Signatures

  • Panda Stealer Payload 2 IoCs
  • PandaStealer

    Panda Stealer is a fork of CollectorProject Stealer written in C++.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Program.exe
    "C:\Users\Admin\AppData\Local\Temp\Program.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3560
  • C:\Users\Admin\Desktop\Автономная Установка.exe
    "C:\Users\Admin\Desktop\Автономная Установка.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\Автономная Установка.exe" & schtasks /create /tn \gqcnx55g\cinr4gwe /tr C:\Users\Admin\AppData\Roaming\svchost.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1376
      • C:\Windows\SysWOW64\choice.exe
        choice /C Y /N /D Y /T 3
        3⤵
        PID:4088
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /tn \gqcnx55g\cinr4gwe /tr C:\Users\Admin\AppData\Roaming\svchost.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
          3⤵
          • Creates scheduled task(s)
          PID:2084
    • C:\Users\Admin\Desktop\Install.sfx.exe
      "C:\Users\Admin\Desktop\Install.sfx.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3712
      • C:\Users\Admin\AppData\Local\Temp\bui3ld.exe
        "C:\Users\Admin\AppData\Local\Temp\bui3ld.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2636

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/2636-121-0x0000000003410000-0x0000000003411000-memory.dmp

    Filesize

    4KB

  • memory/2636-120-0x0000000005DE0000-0x0000000005DE1000-memory.dmp

    Filesize

    4KB

  • memory/2636-118-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

    Filesize

    4KB