Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    134s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    09/06/2023, 09:08

General

  • Target

    3bcc1eb867ab61418fe7a99dcffa3734.exe

  • Size

    769KB

  • MD5

    3bcc1eb867ab61418fe7a99dcffa3734

  • SHA1

    cea3fa7f0358089e0ce7786606346d893c7be4a5

  • SHA256

    5392bfbbc84541d99563511dfa736ec514642b68292089154e0126f0e9eddf37

  • SHA512

    808350bc1ed22544ef1420398fd30db2fb2d400437b57ea1058e26bb8095c35f0167c3bce3b1369c2717187d21514cc561f3915c6ad70aa05446d05604e5c105

  • SSDEEP

    3072:Zxyod3gsuVf/LxMmKvcAznwucfxBmN9Cm55l6bNU:xiflLK0CU7hyl6S

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3bcc1eb867ab61418fe7a99dcffa3734.exe
    "C:\Users\Admin\AppData\Local\Temp\3bcc1eb867ab61418fe7a99dcffa3734.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:824
    • C:\Users\Admin\AppData\Local\Temp\ws.exe
      "C:\Users\Admin\AppData\Local\Temp\ws.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2032

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ws.exe

    Filesize

    86KB

    MD5

    7c1cfd20b24b912534716c2ca03af538

    SHA1

    f374744c9c7ecff644cc9fb11a77eb10b737577d

    SHA256

    a83f50c1a41c0983d132fef61d20693e6807792534e4ab4b6ea77a32ea5c18d4

    SHA512

    9be1056e8c85376337300c71287bc2ce88c9fd8d7c02f3860054bd3db1f53eb207be9d4a6b49b25c0da46375d81bdd12a55e0ec6435a9f10e9e5e46f3a2b64e6

  • C:\Users\Admin\AppData\Local\Temp\ws.exe

    Filesize

    86KB

    MD5

    7c1cfd20b24b912534716c2ca03af538

    SHA1

    f374744c9c7ecff644cc9fb11a77eb10b737577d

    SHA256

    a83f50c1a41c0983d132fef61d20693e6807792534e4ab4b6ea77a32ea5c18d4

    SHA512

    9be1056e8c85376337300c71287bc2ce88c9fd8d7c02f3860054bd3db1f53eb207be9d4a6b49b25c0da46375d81bdd12a55e0ec6435a9f10e9e5e46f3a2b64e6

  • \Users\Admin\AppData\Local\Temp\ws.exe

    Filesize

    86KB

    MD5

    7c1cfd20b24b912534716c2ca03af538

    SHA1

    f374744c9c7ecff644cc9fb11a77eb10b737577d

    SHA256

    a83f50c1a41c0983d132fef61d20693e6807792534e4ab4b6ea77a32ea5c18d4

    SHA512

    9be1056e8c85376337300c71287bc2ce88c9fd8d7c02f3860054bd3db1f53eb207be9d4a6b49b25c0da46375d81bdd12a55e0ec6435a9f10e9e5e46f3a2b64e6

  • memory/824-54-0x0000000000150000-0x0000000000216000-memory.dmp

    Filesize

    792KB

  • memory/2032-61-0x0000000000B70000-0x0000000000B8C000-memory.dmp

    Filesize

    112KB

  • memory/2032-62-0x000000001AE40000-0x000000001AEC0000-memory.dmp

    Filesize

    512KB