Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 39s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 01/12/2022, 22:35
Static task: static1
Behavioral task: behavioral1
- Sample: 794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe
- Resource: win7-20220812-en
General
- Target: 794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe
- Size: 1.4MB
- MD5: b8c770530fbbf660c60f010bb41aea47
- SHA1: d80f9426ec9b8674b51067296708afd26f7c8dc1
- SHA256: 794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556
- SHA512: 72dbcc949445a70dbf01d94d099310e43918f53e457af9f3b95cc0579b0173b667240fb417c277a4683659992bc465f819b33df4bb5d6ab182e2526d934bad79
- SSDEEP: 24576:i8oaOEZREGtLrZRxC1fDrOF/xpZREGtLrZRxC1fDrOF/x:iKJZRdLw7rW/DZRdLw7rW/
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1680, process svchost.exe
- Loads dropped DLL (2 IoCs)
  pid 1912, process 794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe (2 events)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 1912 set thread context of 1680; pid 1912; process 794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe; procid_target 31
- Program crash (1 IoC)
  pid 540; pid_target 1912; process WerFault.exe; procid_target 26
- Suspicious use of WriteProcessMemory (22 IoCs)
  description | pid | process | procid_target
  PID 1912 wrote to memory of 948 | 1912 | 794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe | 28 (4 events)
  PID 948 wrote to memory of 1528 | 948 | csc.exe | 30 (4 events)
  PID 1912 wrote to memory of 1680 | 1912 | 794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe | 31 (10 events)
  PID 1912 wrote to memory of 540 | 1912 | 794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe | 33 (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\794cf7b533a4fc9b3ec9f38240ff944952e0e04b9275a510a495f8ec8df10556.exe"
  PID: 1912
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5gbktrax\5gbktrax.cmdline"
    PID: 948
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8EA9.tmp" "c:\Users\Admin\AppData\Local\Temp\5gbktrax\CSC6F88ADC899C49CDB2917ADFCF43C9E0.TMP"
      PID: 1528
  - C:\Users\Admin\AppData\Roaming\svchost.exe
    command line: C:\Users\Admin\AppData\Roaming\svchost.exe
    PID: 1680
    - Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 588
    PID: 540
    - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads