Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

8

db6ef0fb8a...5d.exe

windows7-x64

8

db6ef0fb8a...5d.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    07/11/2022, 17:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db6ef0fb8a09e3e193f32e8bdc55ed75e8c3c88a2a081fd97bc068902f82ee5d.exe

  • Size

    312KB

  • MD5

    0fc898ac90039678acb755f4bc8a40e2

  • SHA1

    de01e232b99b995a90dc6713449774c3655c251e

  • SHA256

    db6ef0fb8a09e3e193f32e8bdc55ed75e8c3c88a2a081fd97bc068902f82ee5d

  • SHA512

    b85505c735974076eabb5690b4747c79d48f79ec271cd64f9c754d543380feecbedb5539daffd51637fdbcd418362ae5aa05928c37eded09acddfa7aa6857ca9

  • SSDEEP

    6144:PVzc8JNX3lnTPL2STxinek3hiA7rXIB/qfunfieFlk9:Zc8L3lnH2Snk3YA7rXIBCGnKeQ9

Score
8/10
spywarestealerupx

Malware Config

Signatures

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 21 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 12 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db6ef0fb8a09e3e193f32e8bdc55ed75e8c3c88a2a081fd97bc068902f82ee5d.exe
    "C:\Users\Admin\AppData\Local\Temp\db6ef0fb8a09e3e193f32e8bdc55ed75e8c3c88a2a081fd97bc068902f82ee5d.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1816
  • C:\Windows\system32\dllhost.exe
    C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
    1⤵
    • Drops file in Windows directory
    PID:2036
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1180
  • C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Windows\system32\SearchProtocolHost.exe
      "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-4063495947-34355257-727531523-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-4063495947-34355257-727531523-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1012
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
      2⤵
        PID:1392

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1180-56-0x000007FEFC001000-0x000007FEFC003000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1744-57-0x0000000002910000-0x0000000002920000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1744-73-0x0000000002A10000-0x0000000002A20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1744-89-0x0000000003E70000-0x0000000003E78000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1744-92-0x0000000003E70000-0x0000000003E78000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1744-93-0x0000000003ED0000-0x0000000003ED8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1816-54-0x0000000001000000-0x0000000001078000-memory.dmp

      Filesize

      480KB

      Download

    • memory/1816-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1816-96-0x0000000001000000-0x0000000001078000-memory.dmp

      Filesize

      480KB

      Download