Analysis

  • max time kernel
    60s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    02/02/2022, 09:09

General

  • Target

    b06ca9689a517fa053a77ebce8fab696.exe

  • Size

    605KB

  • MD5

    b06ca9689a517fa053a77ebce8fab696

  • SHA1

    06691dda8b7f412ba4c31f2f78678acbc8262881

  • SHA256

    2f848ea94d4a48694c68e472882222c054d12797c0f7eabd7ebdb9daebd27ece

  • SHA512

    9af05fe8d4b2ecb0abcc3283af18950912cc0888bc1a98b3f9164cd839c41ddf6a2dea2c62dfcaaf8b53dac0eb8255ef6527e3f81f6908677d1ed5bce557e917

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    10203040eam.

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b06ca9689a517fa053a77ebce8fab696.exe
    "C:\Users\Admin\AppData\Local\Temp\b06ca9689a517fa053a77ebce8fab696.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1476
    • C:\Users\Public\Downloads\systems.exe
      "C:\Users\Public\Downloads\systems.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1460
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\Downloads\vbs.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Public\Downloads\vbs.bat" "
        3⤵
        • Drops startup file
        • Suspicious use of WriteProcessMemory
        PID:676
        • C:\Windows\SysWOW64\shutdown.exe
          shutdown -r -t 45
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:576
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:1652
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
      PID:1724

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1460-62-0x0000000000F10000-0x0000000000F64000-memory.dmp
    Filesize: 336KB
  • memory/1460-64-0x0000000000E50000-0x0000000000E51000-memory.dmp
    Filesize: 4KB
  • memory/1460-67-0x0000000000E55000-0x0000000000E66000-memory.dmp
    Filesize: 68KB
  • memory/1476-53-0x0000000075D61000-0x0000000075D63000-memory.dmp
    Filesize: 8KB
  • memory/1652-68-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp
    Filesize: 8KB
  • memory/1652-69-0x0000000002830000-0x0000000002931000-memory.dmp
    Filesize: 1.0MB
  • memory/1724-71-0x0000000002750000-0x0000000002851000-memory.dmp
    Filesize: 1.0MB