Analysis
max time kernel: 44s
max time network: 47s
platform: windows7_x64
resource: win7-20220414-en
submitted: 04/07/2022, 00:51
Static task: static1
Behavioral task: behavioral1
  Sample: bb12e61f99f6c7b2d4c8702d02dec5d9.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: bb12e61f99f6c7b2d4c8702d02dec5d9.exe
  Resource: win10v2004-20220414-en
General
Target: bb12e61f99f6c7b2d4c8702d02dec5d9.exe
Size: 200KB
MD5: bb12e61f99f6c7b2d4c8702d02dec5d9
SHA1: 3924763176734ee12f708a7f0fdd05f49c473ac4
SHA256: fb0901c0241896831cac8f3e139c461ae327fc884812d3a206d4e0b8b7931a2e
SHA512: 49f6e0ac1ffc8638f8116f5e5d5e3a9548ced2f788638f370bba55225184d71bf1e10e9c8a12aff3911a40b228f337a1bfeb20fc3394e2630601d0b2cd709220
Malware Config
Signatures

Oski
Oski is an infostealer targeting browser data and cryptocurrency wallets.
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Program crash (1 IoC)
pid   pid_target   Process        procid_target
976   2040         WerFault.exe   25

Suspicious use of WriteProcessMemory (4 IoCs)
description                        pid    Process                                 procid_target
PID 2040 wrote to memory of 976    2040   bb12e61f99f6c7b2d4c8702d02dec5d9.exe    28
PID 2040 wrote to memory of 976    2040   bb12e61f99f6c7b2d4c8702d02dec5d9.exe    28
PID 2040 wrote to memory of 976    2040   bb12e61f99f6c7b2d4c8702d02dec5d9.exe    28
PID 2040 wrote to memory of 976    2040   bb12e61f99f6c7b2d4c8702d02dec5d9.exe    28

Caveat when reading these two signatures together: all four writes target PID 976, which the Processes section shows is WerFault.exe started with "-u -p 2040 -s 768", i.e. the Windows Error Reporting handler for an unhandled exception in PID 2040 itself. A faulting process spawning its own WerFault child and writing into it is consistent with the standard crash-reporting flow, so on its own it is not evidence of process injection; the stealer behaviour here rests on the Oski family match, the Suricata HTTP POST pattern and the browser-data reads, not on this write.
Processes
1. C:\Users\Admin\AppData\Local\Temp\bb12e61f99f6c7b2d4c8702d02dec5d9.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\bb12e61f99f6c7b2d4c8702d02dec5d9.exe"
   PID: 2040
   Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 768
      PID: 976
      Program crash
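One way to triage the WriteProcessMemory rows of such a report against its process tree, as an added example that is not tria.ge's code and not part of this report: writes whose target is the WerFault.exe started with "-u -p <writer pid>" for that same writer are set aside as crash reporting, and every other cross-process write is kept for manual review. The heuristic itself, the Process and MemWrite types, and the extra PID 1234 (with the write into it) are assumptions of the example; the other two processes and the four writes mirror this report.

```python
"""Triage cross-process memory writes from a sandbox report.

Added example; not tria.ge code and not part of the report. It encodes one
heuristic (an assumption of this example, not a tria.ge rule): a
WriteProcessMemory whose target is a WerFault.exe started with
"-u -p <writer pid>" is Windows Error Reporting handling the writer's own
crash, so it is set aside; every other cross-process write is kept for review.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Process:
    pid: int
    image: str      # full path of the executable
    cmdline: str    # command line as recorded by the sandbox


@dataclass(frozen=True)
class MemWrite:
    writer: int     # pid that called WriteProcessMemory
    target: int     # pid whose memory was written


def wer_faulting_pid(proc: Process) -> Optional[int]:
    """Return the faulting pid if proc is WerFault.exe run for an unhandled exception.

    The crash-handler invocation carries "-u" (unhandled exception) and
    "-p <pid>" (the faulting process). Any other process, or a WerFault.exe
    without both flags, yields None.
    """
    if not proc.image.lower().endswith("\\werfault.exe"):
        return None
    args = proc.cmdline.split()
    if "-u" not in args or "-p" not in args:
        return None
    idx = args.index("-p")
    if idx + 1 >= len(args) or not args[idx + 1].isdigit():
        return None
    return int(args[idx + 1])


def triage_writes(processes, writes):
    """Split writes into (crash_reporting, review) lists.

    A write is crash_reporting only when its target is a WerFault.exe whose
    "-p" argument names the writer itself. A WerFault started for some other
    pid, a target missing from the process list, or any non-WerFault target
    goes to review.
    """
    by_pid = {p.pid: p for p in processes}
    crash_reporting, review = [], []
    for w in writes:
        target = by_pid.get(w.target)
        if target is not None and wer_faulting_pid(target) == w.writer:
            crash_reporting.append(w)
        else:
            review.append(w)
    return crash_reporting, review


# Constructed input: PIDs 2040 and 976 and the four writes come from the
# report's Processes section and WriteProcessMemory table; PID 1234 and the
# write into it are hypothetical, added to exercise the review branch.
PROCESSES = [
    Process(2040,
            r"C:\Users\Admin\AppData\Local\Temp\bb12e61f99f6c7b2d4c8702d02dec5d9.exe",
            r'"C:\Users\Admin\AppData\Local\Temp\bb12e61f99f6c7b2d4c8702d02dec5d9.exe"'),
    Process(976,
            r"C:\Windows\SysWOW64\WerFault.exe",
            r"C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 768"),
    Process(1234, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),  # hypothetical
]
WRITES = [MemWrite(2040, 976)] * 4 + [MemWrite(2040, 1234)]  # last one hypothetical


if __name__ == "__main__":
    benign, suspicious = triage_writes(PROCESSES, WRITES)
    print(f"crash-reporting writes set aside: {len(benign)}")
    for w in suspicious:
        print(f"review: PID {w.writer} wrote to memory of PID {w.target}")
```

Run against the report's own rows alone, all four writes are set aside; the hypothetical write into PID 1234 is the only one left for review. The check is deliberately tied to the writer's pid: a WerFault.exe launched for a different process, or a target that is absent from the process list, still surfaces for review rather than being silently dropped.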