Analysis
- max time kernel: 41s
- max time network: 44s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 26/09/2022, 06:22
Behavioral task: behavioral1
- Sample: 809b9513cecea98e925419a39a6244a2.exe
- Resource: win7-20220812-en
- 7 signatures
- 150 seconds
General
- Target: 809b9513cecea98e925419a39a6244a2.exe
- Size: 1.8MB
- MD5: 809b9513cecea98e925419a39a6244a2
- SHA1: 91ce1a46ba918e898021e7ab07323d155acb58e3
- SHA256: 5685ca25aa397dbe143b527532479e9df78750f068990785075c13622ade021e
- SHA512: c5739b9311c99231c8d59053abab341d7f9bd36e6fdcca082a226b4173c07f303da0bf90d7948cbc475c172f0bca239e5346d402a7162e249560c49db183fcef
- SSDEEP: 49152:q3n7xKVvTj90emnEvpjPHDWPts+SEY8JeH79wLJ6zdrji1:q3n7xUTjyeYEvpjStsbP
Malware Config
Signatures

- YARA rule matches
  resource                                                                      yara_rule
  behavioral1/memory/1976-56-0x0000000000190000-0x000000000078A000-memory.dmp   upx
  behavioral1/memory/1976-57-0x0000000000190000-0x000000000078A000-memory.dmp   upx

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- GoLang User-Agent (1 IoC)
  Uses default user-agent string defined by GoLang HTTP packages.
  description              flow   ioc
  HTTP User-Agent header   2      Go-http-client/1.1

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid    Process
  1976   809b9513cecea98e925419a39a6244a2.exe

- Suspicious use of AdjustPrivilegeToken (41 IoCs)
  description                          pid    Process
  Token: SeDebugPrivilege              1976   809b9513cecea98e925419a39a6244a2.exe
  Token: SeIncreaseQuotaPrivilege      1728   WMIC.exe
  Token: SeSecurityPrivilege           1728   WMIC.exe
  Token: SeTakeOwnershipPrivilege      1728   WMIC.exe
  Token: SeLoadDriverPrivilege         1728   WMIC.exe
  Token: SeSystemProfilePrivilege      1728   WMIC.exe
  Token: SeSystemtimePrivilege         1728   WMIC.exe
  Token: SeProfSingleProcessPrivilege  1728   WMIC.exe
  Token: SeIncBasePriorityPrivilege    1728   WMIC.exe
  Token: SeCreatePagefilePrivilege     1728   WMIC.exe
  Token: SeBackupPrivilege             1728   WMIC.exe
  Token: SeRestorePrivilege            1728   WMIC.exe
  Token: SeShutdownPrivilege           1728   WMIC.exe
  Token: SeDebugPrivilege              1728   WMIC.exe
  Token: SeSystemEnvironmentPrivilege  1728   WMIC.exe
  Token: SeRemoteShutdownPrivilege     1728   WMIC.exe
  Token: SeUndockPrivilege             1728   WMIC.exe
  Token: SeManageVolumePrivilege       1728   WMIC.exe
  Token: 33                            1728   WMIC.exe
  Token: 34                            1728   WMIC.exe
  Token: 35                            1728   WMIC.exe
  Token: SeIncreaseQuotaPrivilege      1728   WMIC.exe
  Token: SeSecurityPrivilege           1728   WMIC.exe
  Token: SeTakeOwnershipPrivilege      1728   WMIC.exe
  Token: SeLoadDriverPrivilege         1728   WMIC.exe
  Token: SeSystemProfilePrivilege      1728   WMIC.exe
  Token: SeSystemtimePrivilege         1728   WMIC.exe
  Token: SeProfSingleProcessPrivilege  1728   WMIC.exe
  Token: SeIncBasePriorityPrivilege    1728   WMIC.exe
  Token: SeCreatePagefilePrivilege     1728   WMIC.exe
  Token: SeBackupPrivilege             1728   WMIC.exe
  Token: SeRestorePrivilege            1728   WMIC.exe
  Token: SeShutdownPrivilege           1728   WMIC.exe
  Token: SeDebugPrivilege              1728   WMIC.exe
  Token: SeSystemEnvironmentPrivilege  1728   WMIC.exe
  Token: SeRemoteShutdownPrivilege     1728   WMIC.exe
  Token: SeUndockPrivilege             1728   WMIC.exe
  Token: SeManageVolumePrivilege       1728   WMIC.exe
  Token: 33                            1728   WMIC.exe
  Token: 34                            1728   WMIC.exe
  Token: 35                            1728   WMIC.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid    Process                                procid_target
  PID 1976 wrote to memory of 1196   1976   809b9513cecea98e925419a39a6244a2.exe   27
  PID 1976 wrote to memory of 1196   1976   809b9513cecea98e925419a39a6244a2.exe   27
  PID 1976 wrote to memory of 1196   1976   809b9513cecea98e925419a39a6244a2.exe   27
  PID 1196 wrote to memory of 1728   1196   cmd.exe                                29
  PID 1196 wrote to memory of 1728   1196   cmd.exe                                29
  PID 1196 wrote to memory of 1728   1196   cmd.exe                                29
Processes

- C:\Users\Admin\AppData\Local\Temp\809b9513cecea98e925419a39a6244a2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\809b9513cecea98e925419a39a6244a2.exe"
  PID: 1976
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c "wmic csproduct get uuid"
    PID: 1196
    - Suspicious use of WriteProcessMemory

    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic csproduct get uuid
      PID: 1728
      - Suspicious use of AdjustPrivilegeToken