Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
27/11/2022, 06:03
Static task
static1
Behavioral task
behavioral1
Sample
9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe
Resource
win7-20220812-en
General
-
Target
9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe
-
Size
292KB
-
MD5
977d6201a366a1dd0d3a7c36c2bb3b67
-
SHA1
0d09c75a78a68d274bdc67eea184d492a4d9c569
-
SHA256
9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2
-
SHA512
89b4c18919b90239d9d66fcdac40ff8464df0341023cc612c7e77c7efbd313fd39648343d16bf767c3bfea5b4294ed1443448de9b0e1bdc56079926eabcd18b0
-
SSDEEP
6144:4DClU9LocwcrcywT4DMezsW+PsBl2Zh+hH80PsKKifn4m+8:Hy9LocwBT4DMefmMlY+58nKjf4
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 1068 search.json.exe 1056 search.json.exe -
Deletes itself 1 IoCs
pid Process 1520 cmd.exe -
Loads dropped DLL 2 IoCs
pid Process 2028 9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe 2028 9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run explorer.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1648 set thread context of 2028 1648 9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe 28 PID 1068 set thread context of 1056 1068 search.json.exe 30 -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\539376EF-00000001.eml:OECustomProperty WinMail.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1648 9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe 1068 search.json.exe 1056 search.json.exe 1056 search.json.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeSecurityPrivilege 2028 9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe Token: SeSecurityPrivilege 2028 9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe Token: SeSecurityPrivilege 1204 explorer.exe Token: SeSecurityPrivilege 1204 explorer.exe Token: SeManageVolumePrivilege 1992 WinMail.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1992 WinMail.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 1992 WinMail.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 1648 9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe 1648 9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe 1068 search.json.exe 1068 search.json.exe 1992 WinMail.exe -
Suspicious use of WriteProcessMemory 43 IoCs
description pid Process procid_target PID 1648 wrote to memory of 2028 1648 9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe 28 PID 1648 wrote to memory of 2028 1648 9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe 28 PID 1648 wrote to memory of 2028 1648 9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe 28 PID 1648 wrote to memory of 2028 1648 9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe 28 PID 1648 wrote to memory of 2028 1648 9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe 28 PID 1648 wrote to memory of 2028 1648 9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe 28 PID 1648 wrote to memory of 2028 1648 9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe 28 PID 1648 wrote to memory of 2028 1648 9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe 28 PID 1648 wrote to memory of 2028 1648 9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe 28 PID 1648 wrote to memory of 2028 1648 9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe 28 PID 1648 wrote to memory of 2028 1648 9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe 28 PID 2028 wrote to memory of 1068 2028 9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe 29 PID 2028 wrote to memory of 1068 2028 9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe 29 PID 2028 wrote to memory of 1068 2028 9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe 29 PID 2028 wrote to memory of 1068 2028 9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe 29 PID 1068 wrote to memory of 1056 1068 search.json.exe 30 PID 1068 wrote to memory of 1056 1068 search.json.exe 30 PID 1068 wrote to memory of 1056 1068 search.json.exe 30 PID 1068 wrote to memory of 1056 1068 search.json.exe 30 PID 1068 wrote to memory of 1056 1068 search.json.exe 30 PID 1068 wrote to memory of 1056 1068 search.json.exe 30 PID 1068 wrote to memory of 1056 1068 search.json.exe 30 PID 1068 wrote to memory of 1056 1068 search.json.exe 30 PID 1068 wrote to memory of 1056 1068 search.json.exe 30 PID 1068 wrote to memory of 1056 1068 search.json.exe 30 PID 1068 wrote to memory of 1056 1068 search.json.exe 30 PID 2028 wrote to memory of 1520 2028 9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe 31 PID 2028 wrote to memory of 1520 2028 9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe 31 PID 2028 wrote to memory of 1520 2028 9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe 31 PID 2028 wrote to memory of 1520 2028 9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe 31 PID 1056 wrote to memory of 1204 1056 search.json.exe 32 PID 1056 wrote to memory of 1204 1056 search.json.exe 32 PID 1056 wrote to memory of 1204 1056 search.json.exe 32 PID 1056 wrote to memory of 1204 1056 search.json.exe 32 PID 1056 wrote to memory of 1204 1056 search.json.exe 32 PID 1056 wrote to memory of 1204 1056 search.json.exe 32 PID 1056 wrote to memory of 1204 1056 search.json.exe 32 PID 1056 wrote to memory of 1204 1056 search.json.exe 32 PID 1056 wrote to memory of 1204 1056 search.json.exe 32 PID 1056 wrote to memory of 1204 1056 search.json.exe 32 PID 1204 wrote to memory of 1372 1204 explorer.exe 18 PID 1204 wrote to memory of 1372 1204 explorer.exe 18 PID 1204 wrote to memory of 1372 1204 explorer.exe 18
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1372
-
C:\Users\Admin\AppData\Local\Temp\9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe"C:\Users\Admin\AppData\Local\Temp\9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Users\Admin\AppData\Local\Temp\9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exeC:\Users\Admin\AppData\Local\Temp\9f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2.exe3⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\search.json.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\search.json.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\search.json.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\search.json.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"6⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp1c9a9e09.bat"4⤵
- Deletes itself
PID:1520
-
-
-
-
C:\Program Files\Windows Mail\WinMail.exe"C:\Program Files\Windows Mail\WinMail.exe" -Embedding1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1992
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize340B
MD5de1b509c5af2c3e4914d8304920b1264
SHA1cf90d13a2fc2e7e61b3a14922df4a9b0b142a7b7
SHA2568d8620cb5794b32368f156a3728dde78a4e881939772d49f9837371a31c6cb89
SHA5120e4d125da62a5171bb0755e3b9eb1340a02399699ea133b14eba71e1bf829f0f42c9cd83e55604e9f499c0743454303710bdf557a653df38711cbb2d248316d6
-
Filesize
307B
MD5786b3c563887ce794a640e8271f01761
SHA176173dd494de504d6c93e9c380b112d479bb9d6f
SHA2569713d8b10c571b6ba5e6df1d8012620b5a311ae0d15ea7dd80942144b26281fe
SHA5122944ca910ac65d645cefe6dbd5c490fdb24218a8dd103a066e97dc97229397f27b5f7dc5bc92c98e0baa3d057b568308026ea6385fa8d3d15a7fbd4e855f67d0
-
Filesize
292KB
MD5977d6201a366a1dd0d3a7c36c2bb3b67
SHA10d09c75a78a68d274bdc67eea184d492a4d9c569
SHA2569f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2
SHA51289b4c18919b90239d9d66fcdac40ff8464df0341023cc612c7e77c7efbd313fd39648343d16bf767c3bfea5b4294ed1443448de9b0e1bdc56079926eabcd18b0
-
Filesize
292KB
MD5977d6201a366a1dd0d3a7c36c2bb3b67
SHA10d09c75a78a68d274bdc67eea184d492a4d9c569
SHA2569f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2
SHA51289b4c18919b90239d9d66fcdac40ff8464df0341023cc612c7e77c7efbd313fd39648343d16bf767c3bfea5b4294ed1443448de9b0e1bdc56079926eabcd18b0
-
Filesize
292KB
MD5977d6201a366a1dd0d3a7c36c2bb3b67
SHA10d09c75a78a68d274bdc67eea184d492a4d9c569
SHA2569f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2
SHA51289b4c18919b90239d9d66fcdac40ff8464df0341023cc612c7e77c7efbd313fd39648343d16bf767c3bfea5b4294ed1443448de9b0e1bdc56079926eabcd18b0
-
Filesize
292KB
MD5977d6201a366a1dd0d3a7c36c2bb3b67
SHA10d09c75a78a68d274bdc67eea184d492a4d9c569
SHA2569f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2
SHA51289b4c18919b90239d9d66fcdac40ff8464df0341023cc612c7e77c7efbd313fd39648343d16bf767c3bfea5b4294ed1443448de9b0e1bdc56079926eabcd18b0
-
Filesize
292KB
MD5977d6201a366a1dd0d3a7c36c2bb3b67
SHA10d09c75a78a68d274bdc67eea184d492a4d9c569
SHA2569f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2
SHA51289b4c18919b90239d9d66fcdac40ff8464df0341023cc612c7e77c7efbd313fd39648343d16bf767c3bfea5b4294ed1443448de9b0e1bdc56079926eabcd18b0
-
Filesize
292KB
MD5977d6201a366a1dd0d3a7c36c2bb3b67
SHA10d09c75a78a68d274bdc67eea184d492a4d9c569
SHA2569f03fdd6d560640a9433804d027e1390904e8d02c67deb7cb937e33437ec7ba2
SHA51289b4c18919b90239d9d66fcdac40ff8464df0341023cc612c7e77c7efbd313fd39648343d16bf767c3bfea5b4294ed1443448de9b0e1bdc56079926eabcd18b0