Analysis
- max time kernel: 150s
- max time network: 106s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/01/2023, 13:15
Static task: static1
Behavioral task: behavioral1
- Sample: 免杀捆绑最终完整完美无敌无bug修复版.exe
- Resource: win7-20220901-en
- 4 signatures
- 150 seconds
General
- Target: 免杀捆绑最终完整完美无敌无bug修复版.exe
- Size: 5.1MB
- MD5: 3ba8f05e693a5de1265c7cc24dc623bd
- SHA1: a0471cf3a6d22e456c3c15a7b56567727351ee66
- SHA256: 0963805830c260ead8299e6f0b441646b6c10f312336d3bcddf2c91441826d16
- SHA512: 72095c76c3de709ec8748aa783826f8103e33f9d9f9b212d81b0562cd441d8994c13b8b75cc065c1bf182326b76a3f51d33a9735e08e6a3a39b35e41f4fc9242
- SSDEEP: 98304:XWUZkF4qCYg1XyKztb0xZTASC1qvfnUScZxWDMK6UeFLOAkGkzdnEVomFHKnPn6:GU+0YECwmfnUSEUeFLOyomFHKnP6
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa | cmd.exe
  File opened for modification | \??\c:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa | cmd.exe
- Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\Windows\Globalization\ICU\icudtl.dat | cmd.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4892 | 免杀捆绑最终完整完美无敌无bug修复版.exe (this identical row is repeated 64 times in the report)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  4892 | 免杀捆绑最终完整完美无敌无bug修复版.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4892 wrote to memory of 4776 | 4892 | 免杀捆绑最终完整完美无敌无bug修复版.exe | 80
  PID 4892 wrote to memory of 4776 | 4892 | 免杀捆绑最终完整完美无敌无bug修复版.exe | 80
  PID 4892 wrote to memory of 4776 | 4892 | 免杀捆绑最终完整完美无敌无bug修复版.exe | 80
Processes
- C:\Users\Admin\AppData\Local\Temp\免杀捆绑最终完整完美无敌无bug修复版.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\免杀捆绑最终完整完美无敌无bug修复版.exe"
  PID: 4892
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del /f /s /q c:\
    PID: 4776
    - Drops file in Program Files directory
    - Drops file in Windows directory