
Resubmissions

01/02/2023, 10:11 UTC

230201-l774csef8s 7

01/02/2023, 10:09 UTC

230201-l67q7sef7y 7

31/01/2023, 09:53 UTC

230131-lw4xkahf4z 7

Analysis

  • max time kernel
    42s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/02/2023, 10:09 UTC

General

  • Target

    unpacked_payload.exe

  • Size

    165KB

  • MD5

    0868d9608bc629bdc8ee88f608ed307b

  • SHA1

    7a3f3a5cd72a46277cd0f6e4e4467b901b7f4238

  • SHA256

    7f0d201d80f3d5c61c6c3c9c49d4bed8a55a2ca377b007cbb3ae59c94a78ac97

  • SHA512

    299476991ef999880bde2f9464f05eb5c05df23bb7baf565c30a1a77f4308d29935b595d8521b5f032ed13634ba04cd3578479e8adc3cbb9177b32f9b609f876

  • SSDEEP

    3072:Hsz57rzTsEIBOnM0rcTEkIAdEIGeUoyjcYejLPI4N:Hsz99rTBmlp/jLw4

Malware Config

Signatures

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\unpacked_payload.exe
    "C:\Users\Admin\AppData\Local\Temp\unpacked_payload.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • outlook_office_path
    • outlook_win_path
    PID:1648

Network

  • flag-unknown
    DNS
    api.ipify.org
    unpacked_payload.exe
    Remote address:
    8.8.8.8:53
    Request
    api.ipify.org IN A
    Response
    api.ipify.org IN CNAME api4.ipify.org
    api4.ipify.org IN A 64.185.227.155
    api4.ipify.org IN A 173.231.16.76
    api4.ipify.org IN A 104.237.62.211
  • flag-unknown
    GET
    https://api.ipify.org/
    unpacked_payload.exe
    Remote address:
    64.185.227.155:443
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Length: 12
    Content-Type: text/plain
    Date: Wed, 01 Feb 2023 10:10:19 GMT
    Vary: Origin
  • 64.185.227.155:443
    https://api.ipify.org/
    tls, http
    unpacked_payload.exe
    950 B
    7.1kB
    10
    12

    HTTP Request

    GET https://api.ipify.org/

    HTTP Response

    200
  • 8.8.8.8:53
    api.ipify.org
    dns
    unpacked_payload.exe
    59 B
    126 B
    1
    1

    DNS Request

    api.ipify.org

    DNS Response

    64.185.227.155
    173.231.16.76
    104.237.62.211

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1648-54-0x0000000000CE0000-0x0000000000D10000-memory.dmp

    Filesize

    192KB

  • memory/1648-55-0x0000000075811000-0x0000000075813000-memory.dmp

    Filesize

    8KB
