Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 144s
max time network: 67s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 24/09/2022, 10:49
Behavioral task: behavioral1
Sample: 64c86753f97bdb8bc213eeedc601fad6685c03fc6c104be6b8672ed46e51f0dd.exe
Resource: win7-20220812-en
General
Target: 64c86753f97bdb8bc213eeedc601fad6685c03fc6c104be6b8672ed46e51f0dd.exe
Size: 1.8MB
MD5: 29f5eff625ead99d5eb20b2b4304167f
SHA1: a71dfe299a95ba820d8652d16c010da06438ffd7
SHA256: 64c86753f97bdb8bc213eeedc601fad6685c03fc6c104be6b8672ed46e51f0dd
SHA512: 5aa94399ef2ed26df1131de9bdc5a39ac684cccdf7efb663efefd273c5c9ae230993b9e16ffbc439c92f8d406052eaad18b7bd45dc160d4b0ef88e8069ef4037
SSDEEP: 24576:Sx5jJI/ga/ri30am6ZOBCrhfKR6rW6l56J4KmMjz3phXtgx2D1GR3ugA+IChSADm:05j2/SrZbRk6rn5/KZtox25w3uPKSq
Malware Config
Extracted
family: ffdroider
C2: http://103.106.202.174
Signatures

FFDroider payload (5 IoCs)
resource                                                                   yara_rule
behavioral1/memory/1836-55-0x0000000000400000-0x0000000000853000-memory.dmp  family_ffdroider
behavioral1/memory/1836-57-0x0000000000400000-0x0000000000853000-memory.dmp  family_ffdroider
behavioral1/memory/1836-56-0x0000000000400000-0x0000000000853000-memory.dmp  family_ffdroider
behavioral1/memory/1836-58-0x0000000000400000-0x0000000000853000-memory.dmp  family_ffdroider
behavioral1/memory/1836-71-0x0000000000400000-0x0000000000853000-memory.dmp  family_ffdroider

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MyStart = "C:\\Users\\Admin\\AppData\\Local\\Temp\\64c86753f97bdb8bc213eeedc601fad6685c03fc6c104be6b8672ed46e51f0dd.exe"
process: 64c86753f97bdb8bc213eeedc601fad6685c03fc6c104be6b8672ed46e51f0dd.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description: Token: SeManageVolumePrivilege
pid: 1836
process: 64c86753f97bdb8bc213eeedc601fad6685c03fc6c104be6b8672ed46e51f0dd.exe