Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
71s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
01/02/2023, 12:47
General
-
Target
Your File Is Ready To Download.exe
-
Size
1.6MB
-
MD5
0cc5612e909e1df2c53ae56ad258bb21
-
SHA1
f134a96132867224b2e0a0a06a6e21714de859d7
-
SHA256
87c79d29737dca30e36aac1c90ac3eab82f71393b815a9d7c086565e257fd434
-
SHA512
97d9c4fd420ac08ed5e21d48810e78dc13375141aa1f072fbe33fd6b2caf19f576aa99953ec0ea0f10104561a137a118ce615a1e0949ff41e2d071cffa23de1b
-
SSDEEP
24576:14nXubIQGyxbPV0db26yZm6lubtQo+8YzqNAh3XBQ0FPcQsY8Nl85Xab6s5vT:1qe3f6h6lut9+QAPcTYy2W7
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
-
Modifies AppInit DLL entries 2 TTPs
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings 1 TTPs 38 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 56 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Your File Is Ready To Download.exe"C:\Users\Admin\AppData\Local\Temp\Your File Is Ready To Download.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-VJ1GS.tmp\Your File Is Ready To Download.tmp"C:\Users\Admin\AppData\Local\Temp\is-VJ1GS.tmp\Your File Is Ready To Download.tmp" /SL5="$70126,847369,780800,C:\Users\Admin\AppData\Local\Temp\Your File Is Ready To Download.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Your File Is Ready To Download.exe"C:\Users\Admin\AppData\Local\Temp\Your File Is Ready To Download.exe" /SILENT3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-6P4CP.tmp\Your File Is Ready To Download.tmp"C:\Users\Admin\AppData\Local\Temp\is-6P4CP.tmp\Your File Is Ready To Download.tmp" /SL5="$80126,847369,780800,C:\Users\Admin\AppData\Local\Temp\Your File Is Ready To Download.exe" /SILENT4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\ServiceApp\install.bat" install"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "AppInit_DLLs" /t REG_SZ /d "C:\Windows\system32\sxsext.dll" /f6⤵
-
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "LoadAppInit_DLLs" /t REG_DWORD /d 1 /f6⤵
-
-
-
C:\Users\Admin\AppData\Local\ServiceApp\InstallExtension.exe"C:\Users\Admin\AppData\Local\ServiceApp\InstallExtension.exe" install5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\ServiceApp\chrome.bat" "6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\ServiceApp\reg.xml" /tn GoogleUpdate7⤵
- Creates scheduled task(s)
-
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\ServiceApp\reg.bat" install"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\ServiceApp\reg.xml" /tn GoogleUpdate6⤵
- Creates scheduled task(s)
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://getfiles.wiki/welcome.php5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1824 CREDAT:275457 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
61KB
MD5fc4666cbca561e864e7fdf883a9e6661
SHA12f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA25610f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
-
Filesize
342B
MD59ff68745eb67f90b5322e74322514aed
SHA1cbcc80b551165e1289536c36b4be88ea85320982
SHA2565370211e38552f79c89f9fcddf08872d0e887fec505ca0887cb13a62743c2e62
SHA512608a1ed9dfc1eb7f14d8d7d791ad1f48074ee597319bddc1be3dc16d21ecbaab31db04de9228e13aa85e9a0d8dc8d46cb109382ab4db9d85aae7873b031510fe
-
Filesize
5KB
MD59e21a24152b24bf62b38d3cf34a17a83
SHA12c3ff3113b119c34eebf1cae63df7cf69df27b05
SHA256a34708f5d1a417161a94ed79e28d5f09fca7d4140663d05895b1e7f72d123d62
SHA512860fb13d7faf93257dc823ad917bffb8924eeae7558b15316135613a0333c0402bb2236208d2b9993ad67f9bd22b07e8176a0117fc0d22516649313374c96e40
-
Filesize
82KB
MD58c97466e3871f11b2e4164d57815935a
SHA18f42b5eed7385b0783f9c6cebef9d145cd4d271d
SHA2565ee53990ddd5924f27744a565e06c12667018210dfc18e444b8f468402a86023
SHA5128cae337b79693e64c65e81f7b002494b6a1a629e5f6bf95e9451a9a05287d2dfc8191a0ec2942f6c0c82e793eebfb3948f11ac0f76295ea8c362c6c8b6114efd
-
Filesize
3KB
MD531e6777e7b62be8830700f4602be6cfb
SHA1f9029c51a985dc8abf908db03c824f864bdf5d9f
SHA2567faf55efb3b046f2f52315451cff21d327a6f87ad1f4c3bd3ca898d7b26b2be3
SHA5125a6354d2f1bc6bfdf7e44772c3d33510352fd2f11112cecc22912f90ebbba37b54ea35c6534e59ea86458cbc2b782ec53d17950bb97376735a885e66806f6118
-
Filesize
330B
MD5be2f5f54fd03f4265c483352365e95d1
SHA1d06672311c3edc9e13fe77af9075bc721a7c1a59
SHA256b4ce8670b04dbfd47cad089ef826cb18568896677202b6f255ec1161581eb49c
SHA5125f4d34e56cfaffedaf247aadc4b393e997ff4823b034dbb4f26df1939e72ba9d3cd1da178a9bfdded8390bfcb879b45d4094f36da120c1e4c0cd04334aae4d14
-
Filesize
92B
MD5bc1c33048d9306af44de811459ea5cb0
SHA10fec9c2475be134193bf41ef22a4f9982a6201ac
SHA256f1728b3606ef3ea5b3f351f986603c3c9ae67b2543188e434d2652368c0e6dd4
SHA512efa60256c7013f29786cd696dd8c0f1310a5f69ff55e2ea745c175b962973c8b4fa60136b7939aa4b4e0e863120bb4a6ff88773ca460381ef09849547b7e4933
-
Filesize
1KB
MD586a1fa4fdc1e67807b922628291e7b4a
SHA1f9c48496939b9e3eedb5f8bd5341627294b98260
SHA25657e8b4c0a2a68066d643527af8de5be9d0c910cb6d7343aaadd47dfab3060427
SHA512c0a8d3c4b98cf3f60e0ccc45f2ac5de413203a1b6eb5ebad60d0a167a5600ae5a3d16f3c9fe3df5d259315bd7353ca3a8283ea74b0839455ef88b7bad7ceea65
-
Filesize
2.9MB
MD55cc651d1eed82ac69ec98ef51925d614
SHA1060ce174e841235f3986f234fc9905a1c8a4f0c5
SHA256c4ebbd34c6f9dcb5631f64de0af07731f2bb643b3da144a13252c2d9834a6d24
SHA512c01499c9f25ff1d689c5d2925277c9f9c0c278fbe1cc893b6e014559ddf0f60a96f794cdabe70c31869b7d9769ab9d97520eed5c73884a8af973e79579c7b97c
-
Filesize
2.9MB
MD55cc651d1eed82ac69ec98ef51925d614
SHA1060ce174e841235f3986f234fc9905a1c8a4f0c5
SHA256c4ebbd34c6f9dcb5631f64de0af07731f2bb643b3da144a13252c2d9834a6d24
SHA512c01499c9f25ff1d689c5d2925277c9f9c0c278fbe1cc893b6e014559ddf0f60a96f794cdabe70c31869b7d9769ab9d97520eed5c73884a8af973e79579c7b97c
-
Filesize
605B
MD5a8f63b3dab1a78b2640f7f9e4efc75fe
SHA15f75cc262c6892402850c6e23819e8f561487932
SHA2566801718cd593cb4e3a4cd534a43fd4977e1a18811073e49a5c71f5b19abeb579
SHA512e341c34102dea04f72edcc8849cca79ebb012e5a00c835a5c2be6b7f1331483b20a43a8913f9506f57a6bae579b999374b15497224ecfe6a7e73123a6a26c92b
-
Filesize
82KB
MD58c97466e3871f11b2e4164d57815935a
SHA18f42b5eed7385b0783f9c6cebef9d145cd4d271d
SHA2565ee53990ddd5924f27744a565e06c12667018210dfc18e444b8f468402a86023
SHA5128cae337b79693e64c65e81f7b002494b6a1a629e5f6bf95e9451a9a05287d2dfc8191a0ec2942f6c0c82e793eebfb3948f11ac0f76295ea8c362c6c8b6114efd
-
Filesize
2.9MB
MD55cc651d1eed82ac69ec98ef51925d614
SHA1060ce174e841235f3986f234fc9905a1c8a4f0c5
SHA256c4ebbd34c6f9dcb5631f64de0af07731f2bb643b3da144a13252c2d9834a6d24
SHA512c01499c9f25ff1d689c5d2925277c9f9c0c278fbe1cc893b6e014559ddf0f60a96f794cdabe70c31869b7d9769ab9d97520eed5c73884a8af973e79579c7b97c
-
Filesize
2.9MB
MD55cc651d1eed82ac69ec98ef51925d614
SHA1060ce174e841235f3986f234fc9905a1c8a4f0c5
SHA256c4ebbd34c6f9dcb5631f64de0af07731f2bb643b3da144a13252c2d9834a6d24
SHA512c01499c9f25ff1d689c5d2925277c9f9c0c278fbe1cc893b6e014559ddf0f60a96f794cdabe70c31869b7d9769ab9d97520eed5c73884a8af973e79579c7b97c
-
Filesize
8KB
-
Filesize
816KB
-
Filesize
816KB
-
Filesize
816KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
816KB
-
Filesize
816KB
-
Filesize
816KB