Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

0eac1f1303...93.exe

windows7-x64

7

0eac1f1303...93.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    103s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/01/2023, 19:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe

  • Size

    951KB

  • MD5

    a3df44994428bfe9b70f9774e76347bb

  • SHA1

    0eac1f1303e55f7c0239af4b1eca3e992ed05693

  • SHA256

    52ab9f2e3878dd9fa61c7bbbdfff113485fb4c12f8af0fa28b938696d68e54bb

  • SHA512

    75bf4289be57495b878b06d6bc540911b31508753e8fb4ec1bbeec29dad124de9cdc75e378c657728e0d77278b8973ec5144f886b2305b8688e21572a0c20530

  • SSDEEP

    24576:yli277DjOWEIycmmy7UmCJrYTSKIKTn6ALDx:UiWvhnyc7ytc

Score
7/10
collectionpersistencespywarestealer

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe
    "C:\Users\Admin\AppData\Local\Temp\0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3804
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3284
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xStBrvuHffFYx.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1404
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xStBrvuHffFYx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1B96.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1084
    • C:\Users\Admin\AppData\Local\Temp\0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe
      "C:\Users\Admin\AppData\Local\Temp\0eac1f1303e55f7c0239af4b1eca3e992ed05693.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:4580

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    0608d164968e24760d653f3e205f759b

    SHA1

    0c73448c92d06e4a105cf16faec875ee72d2ef18

    SHA256

    9d56a3c3ef9567ff28408e959e75ba0c829776610cd6febc83bd91ca5f469dac

    SHA512

    882fabf67830dd842b9d40e6bf4535f8abe42a6cb8c0e6908d8f7e4a8ac5958b19367ec9bce80c12ccd2053511f92145168e50376374ffb5c538207e4e0f253c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp1B96.tmp
    Filesize

    1KB

    MD5

    20270ee1906d68c62de9e6c6c738369d

    SHA1

    289d58f8b57eb55f19c510dc95489ed89b1c9edd

    SHA256

    d088d3a4c5ee929318e9e8287acd3af9e193c51300e08894b5a76c1e4762a52b

    SHA512

    68c04d53f08b74e95c442479983853eeccb62ae7cee7a3b1a0b3536c9c028069dcef85a5349158eb0cbfcd0a428e6ab36f4730eb51a202df619056456e3c174d

    Download Submit

  • memory/1404-156-0x0000000007370000-0x0000000007406000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1404-155-0x0000000007160000-0x000000000716A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1404-159-0x0000000007410000-0x0000000007418000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1404-158-0x0000000007430000-0x000000000744A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1404-157-0x0000000007320000-0x000000000732E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1404-154-0x00000000070F0000-0x000000000710A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1404-143-0x0000000004D50000-0x0000000004D72000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1404-153-0x0000000007740000-0x0000000007DBA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1404-151-0x0000000071060000-0x00000000710AC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1404-146-0x00000000056C0000-0x0000000005726000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1404-148-0x0000000005DF0000-0x0000000005E0E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3284-149-0x0000000006060000-0x0000000006092000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3284-150-0x0000000071060000-0x00000000710AC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3284-139-0x00000000021A0000-0x00000000021D6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3284-152-0x0000000006040000-0x000000000605E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3284-141-0x0000000004BA0000-0x00000000051C8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3284-145-0x0000000005280000-0x00000000052E6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3804-132-0x0000000000680000-0x0000000000774000-memory.dmp

    Filesize

    976KB

    Download

  • memory/3804-135-0x0000000005100000-0x000000000510A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3804-136-0x0000000008B30000-0x0000000008BCC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3804-134-0x0000000005110000-0x00000000051A2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3804-133-0x00000000057D0000-0x0000000005D74000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4580-147-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4580-162-0x00000000069F0000-0x0000000006A40000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4580-163-0x0000000006CB0000-0x0000000006E72000-memory.dmp

    Filesize

    1.8MB

    Download