Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

8

f85bd0fdc8...e5.exe

windows7-x64

8

f85bd0fdc8...e5.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    02/10/2022, 05:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f85bd0fdc8d542369ce6b4879f2eb4a6a53339257d17756e8c1331e499e682e5.exe

  • Size

    297KB

  • MD5

    67d57e6532486d3860ae7f0f161165d3

  • SHA1

    14e77f816e387fa2c19306f03351fb61600a5314

  • SHA256

    f85bd0fdc8d542369ce6b4879f2eb4a6a53339257d17756e8c1331e499e682e5

  • SHA512

    e48501f60c7dad6fe08ddebd218226db5221bb545bf4ae9c77b3055cd36a4720b1fd8a2fdc5ab79353aef06dfabffcb6cd3e34c440d7f17a4e84c1d8765f2329

  • SSDEEP

    6144:vKWEtwzPU2LT3JW/cTXty0U+Et5X3mqBRx4X+ZWri:XHzV/3JWOXc0U+ErnmqBRqX+Zai

Score
8/10
spywarestealerupx

Malware Config

Signatures

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 21 IoCs
  • Drops file in Program Files directory 22 IoCs
  • Drops file in Windows directory 12 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f85bd0fdc8d542369ce6b4879f2eb4a6a53339257d17756e8c1331e499e682e5.exe
    "C:\Users\Admin\AppData\Local\Temp\f85bd0fdc8d542369ce6b4879f2eb4a6a53339257d17756e8c1331e499e682e5.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2032
  • C:\Windows\system32\dllhost.exe
    C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
    1⤵
    • Drops file in Windows directory
    PID:1552
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1080
  • C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:696
    • C:\Windows\system32\SearchProtocolHost.exe
      "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-4063495947-34355257-727531523-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-4063495947-34355257-727531523-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:664
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
      2⤵
        PID:1296

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/696-57-0x0000000002940000-0x0000000002950000-memory.dmp

      Filesize

      64KB

      Download

    • memory/696-73-0x0000000002A40000-0x0000000002A50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/696-89-0x0000000003E70000-0x0000000003E78000-memory.dmp

      Filesize

      32KB

      Download

    • memory/696-92-0x0000000003E70000-0x0000000003E78000-memory.dmp

      Filesize

      32KB

      Download

    • memory/696-93-0x0000000003ED0000-0x0000000003ED8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1080-56-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2032-54-0x0000000000400000-0x0000000000475000-memory.dmp

      Filesize

      468KB

      Download

    • memory/2032-55-0x00000000766D1000-0x00000000766D3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2032-96-0x0000000000400000-0x0000000000475000-memory.dmp

      Filesize

      468KB

      Download