Analysis
- max time kernel: 178s
- max time network: 202s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/10/2022, 13:40
Behavioral task: behavioral1
- Sample: 7acb69b9e0ddf85973997b8d615b7efeff28b742f744f45e5a2730e7c67e4736.exe
- Resource: win7-20220812-en
General
- Target: 7acb69b9e0ddf85973997b8d615b7efeff28b742f744f45e5a2730e7c67e4736.exe
- Size: 556KB
- MD5: 6f8ddf39f39d16b3447f9217213e3e25
- SHA1: d70300f1300a0024a8a2f63ac09d05170864fb64
- SHA256: 7acb69b9e0ddf85973997b8d615b7efeff28b742f744f45e5a2730e7c67e4736
- SHA512: a73ca62133535b43b49dc3fa6d4d1fd5e413be06c20f62fdfd2350ac8744ee026eead24f5e00480fd3424912515ef182dfeea1841957799deee4198e5f1cb3e6
- SSDEEP: 12288:/GosTxSzpDq5VNYdyOshT5l4/86CaIhvPfNMIM1P27QwMMT6:/GosTxSEXzOV/UaIBNLMp20wMMT6
Malware Config
Signatures

- YARA rule matches (resource / yara_rule):
  behavioral2/memory/3384-134-0x0000000000400000-0x0000000000522000-memory.dmp  upx
  behavioral2/memory/3384-135-0x0000000000400000-0x0000000000522000-memory.dmp  upx
  behavioral2/memory/3384-136-0x0000000000400000-0x0000000000522000-memory.dmp  upx
  behavioral2/memory/2316-138-0x0000000000400000-0x0000000000522000-memory.dmp  upx
  behavioral2/memory/2316-139-0x0000000000400000-0x0000000000522000-memory.dmp  upx
  behavioral2/memory/2316-140-0x0000000000400000-0x0000000000522000-memory.dmp  upx

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Drops file in Program Files directory (1 IoCs)
  description / ioc / Process:
  File created  C:\PROGRA~2\is240609734.log  7acb69b9e0ddf85973997b8d615b7efeff28b742f744f45e5a2730e7c67e4736.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid / Process:
  3384  7acb69b9e0ddf85973997b8d615b7efeff28b742f744f45e5a2730e7c67e4736.exe
  3384  7acb69b9e0ddf85973997b8d615b7efeff28b742f744f45e5a2730e7c67e4736.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description / pid / Process / procid_target:
  PID 3384 wrote to memory of 2316  3384  7acb69b9e0ddf85973997b8d615b7efeff28b742f744f45e5a2730e7c67e4736.exe  84
  PID 3384 wrote to memory of 2316  3384  7acb69b9e0ddf85973997b8d615b7efeff28b742f744f45e5a2730e7c67e4736.exe  84
  PID 3384 wrote to memory of 2316  3384  7acb69b9e0ddf85973997b8d615b7efeff28b742f744f45e5a2730e7c67e4736.exe  84
Processes

- C:\Users\Admin\AppData\Local\Temp\7acb69b9e0ddf85973997b8d615b7efeff28b742f744f45e5a2730e7c67e4736.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7acb69b9e0ddf85973997b8d615b7efeff28b742f744f45e5a2730e7c67e4736.exe"
  PID: 3384
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\7acb69b9e0ddf85973997b8d615b7efeff28b742f744f45e5a2730e7c67e4736.exe (child of PID 3384)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7acb69b9e0ddf85973997b8d615b7efeff28b742f744f45e5a2730e7c67e4736.exe" /_ShowProgress
    PID: 2316