Analysis

  • max time kernel: 39s
  • max time network: 46s
  • platform: windows7_x64
  • resource: win7-20220812-en
  • resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted: 01/12/2022, 22:35

General

  • Target: 794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe
  • Size: 1.4MB
  • MD5: b8c770530fbbf660c60f010bb41aea47
  • SHA1: d80f9426ec9b8674b51067296708afd26f7c8dc1
  • SHA256: 794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556
  • SHA512: 72dbcc949445a70dbf01d94d099310e43918f53e457af9f3b95cc0579b0173b667240fb417c277a4683659992bc465f819b33df4bb5d6ab182e2526d934bad79
  • SSDEEP: 24576:i8oaOEZREGtLrZRxC1fDrOF/xpZREGtLrZRxC1fDrOF/x:iKJZRdLw7rW/DZRdLw7rW/

Score
8/10

Signatures

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Reads data files stored by FTP clients (2 TTPs): tries to access configuration files associated with programs like FileZilla.
  • Reads local data of messenger clients (2 TTPs): infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  • Reads user/profile data of web browsers (2 TTPs): infostealers often target stored browser data, which can include saved credentials.
  • Suspicious use of SetThreadContext (1 IoC)
  • Program crash (1 IoC)
  • Suspicious use of WriteProcessMemory (22 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe (depth 1, PID 1912)
    Command line: "C:\Users\Admin\AppData\Local\Temp\794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe"
    Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (depth 2, PID 948)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5gbktrax\5gbktrax.cmdline"
      Signatures: Suspicious use of WriteProcessMemory
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (depth 3, PID 1528)
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8EA9.tmp" "c:\Users\Admin\AppData\Local\Temp\5gbktrax\CSC6F88ADC899C49CDB2917ADFCF43C9E0.TMP"
    • C:\Users\Admin\AppData\Roaming\svchost.exe (depth 2, PID 1680)
      Command line: C:\Users\Admin\AppData\Roaming\svchost.exe
      Signatures: Executes dropped EXE
    • C:\Windows\SysWOW64\WerFault.exe (depth 2, PID 540)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 588
      Signatures: Program crash

Downloads

  • C:\Users\Admin\AppData\Local\Temp\5gbktrax\5gbktrax.dll
    Filesize: 5KB
    MD5: e455fa2b571df257d11a87d223c4e936
    SHA1: 5aac9273ae0fff21642a732a4990ef3597af4954
    SHA256: 5e9fea593a2d36cdb2c8df7f136c03630e671f540337f2e97489e9b00b06fa39
    SHA512: aa6edde421c99f677cb3c2e246e282810022de85295df2eb7baf9654790c30633fcbaaf4d1cfbe6cce0a32a333a373aeeba85e3058fd83c56f7c2fd3d1dda17e

  • C:\Users\Admin\AppData\Local\Temp\RES8EA9.tmp
    Filesize: 1KB
    MD5: 43c51a70acf989919f137fceb8fa0f40
    SHA1: accc5046cc30124bc217bdd886e79cfd78141c33
    SHA256: 50e8e1651155039d8e476eb82ccdc878883f136ccd3aeffd51c135fc2b1142ca
    SHA512: 37e3e65a339e7928290d764f5a9d057ee20f2c68a6eeedeef3bbe15c0bee51af6dff0e254f729e328af77c43a39c4eb6e2adbe1f0ad72cdebc151bd311d189fe

  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize: 340KB
    MD5: 75f298411c935b45714874de4abfa0df
    SHA1: ffb7a394a635e8ba3a28346c4c9fbfc2a5812d70
    SHA256: c920743ee1b6bdb8443ab9b9982baabf6eeb3c17b3dce8c9b99a99b77d79d8bc
    SHA512: fc52bebfbe1cbe2de6258a1a413cc04db4c28a95eee035f9c8fd08c0d051154b949cae6043770350972eeeaed52114445bd32ea0c02bfab2159e5cd4365d69c9

  • \??\c:\Users\Admin\AppData\Local\Temp\5gbktrax\5gbktrax.0.cs
    Filesize: 4KB
    MD5: 2216d197bc442e875016eba15c07a937
    SHA1: 37528e21ea3271b85d276c6bd003e6c60c81545d
    SHA256: 2e9e3da7bfa1334706550bb4d6269bf3e64cbbc09fa349af52eb22f32aebb4af
    SHA512: 7d7bdc3bf83ac0a29e917ead899dcaa1b47ee2660f405fe4883ca2a2546f7924265e1d75a2ea02c0e34fac4d2bb82bbaaa88d06c240afad4e9fd49337cd04d3f

  • \??\c:\Users\Admin\AppData\Local\Temp\5gbktrax\5gbktrax.cmdline
    Filesize: 224B
    MD5: 695c17b2234761380034e285430b5399
    SHA1: c7abfd15b53ad4be6f2e962618bed13663471652
    SHA256: 47a19c50275c2978a203c2de67e6f1f04f65a6cd11aedca89529dd9765af85dd
    SHA512: fe11aec0be2597d622e231f462dc626edd342f84eeccec2979f9c0cae4596f33b7485e579ccb1498734cd24420032d1a1956a3d76998220f6040c41322455d8b

  • \??\c:\Users\Admin\AppData\Local\Temp\5gbktrax\CSC6F88ADC899C49CDB2917ADFCF43C9E0.TMP
    Filesize: 652B
    MD5: 515b1a74f898dc1426a88edb12c28d17
    SHA1: 70dd4f4a2cdd4a6a0a13085908365b072e61eedc
    SHA256: 8d31e10192cb99cf68f9fe4e641db08fd2f2393ab8877826c17c005c6bfd9d80
    SHA512: 6560e26e5ed7d886df1c7adcac0e8a9a53c39b5f3f3779d2b33d239ba2d0355928c3b83cbfa14fda756cda3a99b9f4ef0aa94b6fc196e6200741b4e3f4c2f026

  • \Users\Admin\AppData\Roaming\svchost.exe
    Filesize: 340KB
    MD5: 75f298411c935b45714874de4abfa0df
    SHA1: ffb7a394a635e8ba3a28346c4c9fbfc2a5812d70
    SHA256: c920743ee1b6bdb8443ab9b9982baabf6eeb3c17b3dce8c9b99a99b77d79d8bc
    SHA512: fc52bebfbe1cbe2de6258a1a413cc04db4c28a95eee035f9c8fd08c0d051154b949cae6043770350972eeeaed52114445bd32ea0c02bfab2159e5cd4365d69c9

  • memory/1680-66-0x0000000000400000-0x0000000000457000-memory.dmp (Filesize: 348KB)
  • memory/1680-67-0x0000000000400000-0x0000000000457000-memory.dmp (Filesize: 348KB)
  • memory/1680-69-0x0000000000400000-0x0000000000457000-memory.dmp (Filesize: 348KB)
  • memory/1680-71-0x0000000000400000-0x0000000000457000-memory.dmp (Filesize: 348KB)
  • memory/1680-73-0x0000000000400000-0x0000000000457000-memory.dmp (Filesize: 348KB)
  • memory/1680-74-0x0000000000400000-0x0000000000457000-memory.dmp (Filesize: 348KB)
  • memory/1680-79-0x0000000000400000-0x0000000000457000-memory.dmp (Filesize: 348KB)
  • memory/1680-80-0x0000000000400000-0x0000000000457000-memory.dmp (Filesize: 348KB)
  • memory/1680-82-0x0000000000400000-0x0000000000457000-memory.dmp (Filesize: 348KB)
  • memory/1912-54-0x00000000011D0000-0x000000000133C000-memory.dmp (Filesize: 1.4MB)
  • memory/1912-63-0x0000000000560000-0x0000000000568000-memory.dmp (Filesize: 32KB)
  • memory/1912-55-0x0000000076041000-0x0000000076043000-memory.dmp (Filesize: 8KB)