Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

8

fb2de2c069...1b.exe

windows7-x64

8

fb2de2c069...1b.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23/11/2022, 20:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fb2de2c069f646306d5acf58dc2c9fd917f320d6f59391525e3e59d1a2ea211b.exe

  • Size

    21KB

  • MD5

    5cfb6d515cd6e5478be6d7f99ef8d230

  • SHA1

    b7ec4125a88b26ffdca906141ab99f4d61a79ee3

  • SHA256

    fb2de2c069f646306d5acf58dc2c9fd917f320d6f59391525e3e59d1a2ea211b

  • SHA512

    796823ff1ceb64ea706348f5e19120f638451d0c11836de2fa9b2734a6d386d146d8a84e7e8f15bdd0257424c6fa2f24ff46b6c2dba0d8e769aa82e41281e5c3

  • SSDEEP

    384:kIiV728hUQ7Y2P/cVEccDdye7kjlWLe7grPiA8jyrMPhTjanbBoZ/BMG8IVmLD4:kRGuY2P0Vo6r7SiAwyrMRjbpBMjnRnbl

Score
8/10
evasionspywarestealerupx

Malware Config

Signatures

  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 5 IoCs
    evasion
  • Runs .reg file with regedit 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb2de2c069f646306d5acf58dc2c9fd917f320d6f59391525e3e59d1a2ea211b.exe
    "C:\Users\Admin\AppData\Local\Temp\fb2de2c069f646306d5acf58dc2c9fd917f320d6f59391525e3e59d1a2ea211b.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\4CCA.tmp\dan.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1320
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im opera.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1260
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im firefox.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:944
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im chrome.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:904
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im iexplore.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:460
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im magent.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1048
      • C:\Windows\SysWOW64\attrib.exe
        attrib C:\pass +h +s +a +r
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:1540
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe -ea C:\pass\MailAgent\reg\agent.reg "HKEY_CURRENT_USER\software\Mail.Ru\Agent\magent_logins2
        3⤵
        • Runs .reg file with regedit
        PID:780
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe -ea C:\pass\MailAgent\reg\agent_3.reg "HKEY_CURRENT_USER\software\Mail.Ru\Agent\magent_logins3
        3⤵
        • Runs .reg file with regedit
        PID:1864
      • C:\Windows\SysWOW64\xcopy.exe
        Xcopy Mra\Base C:\pass\MailAgent /K /H /G /Q /R /S /Y /E
        3⤵
        • Enumerates system info in registry
        PID:688
      • C:\Windows\SysWOW64\xcopy.exe
        Xcopy Mra\Update\ver.txt C:\pass\MailAgent /K /H /G /Q /R /S /Y
        3⤵
        • Enumerates system info in registry
        PID:624

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\4CCA.tmp\dan.bat
    Filesize

    1KB

    MD5

    78a19ee5542b671682e84dd24bfcf12c

    SHA1

    fcc42a36f23a08e5c472cea5980f19f52e2f9e36

    SHA256

    4c98d2430494d4789f476b613926694a051d88da76f508d3f66f4791d8ba2f03

    SHA512

    ba9666e9129dad638e92ad444f6b184363d2454616a6ff3f37db161150700d630214b64c3801ede3b850527ea2e3a10e9ef11ca0f831a248bf48cafd832d7eb6

    Download Submit

  • memory/1088-54-0x0000000076681000-0x0000000076683000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1088-55-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1088-70-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download