Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

f813f3f17c...a4.exe

windows7-x64

7

f813f3f17c...a4.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    16/07/2023, 16:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f813f3f17cc6a471e19bd341f08392a4.exe

  • Size

    465KB

  • MD5

    f813f3f17cc6a471e19bd341f08392a4

  • SHA1

    64478e1a47287924bb970ab9d54cf394202806e8

  • SHA256

    c1420965fdb80d2925b8ba25a0ac20bb49ee08bc8bbc1537d3e23069649cb941

  • SHA512

    dfe198a8f811ba6fe2c0db1818ce3757bd852872947727a5c4bebf6c0e78f2b1c2a1e1d2593fd801c9668b72bb7612bda68013ae95843f282c1a4d3be106d692

  • SSDEEP

    6144:uLuv+rzoFOgKVHMQExcYAp0NFWUSShtepNYKB4yYuD5ht5RInaOdLuPFGtT:uavJOhWSYAuNFp6PYuDp5RIaBFO

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f813f3f17cc6a471e19bd341f08392a4.exe
    "C:\Users\Admin\AppData\Local\Temp\f813f3f17cc6a471e19bd341f08392a4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Users\Admin\AppData\Local\Temp\f813f3f17cc6a471e19bd341f08392a4.exe
      "C:\Users\Admin\AppData\Local\Temp\f813f3f17cc6a471e19bd341f08392a4.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2664

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2568-55-0x0000000000250000-0x0000000000350000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2568-57-0x0000000001D30000-0x0000000001D80000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2664-56-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2664-59-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2664-61-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2664-62-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2664-63-0x00000000742B0000-0x000000007499E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2664-65-0x0000000002150000-0x00000000021B4000-memory.dmp

    Filesize

    400KB

    Download

  • memory/2664-64-0x0000000004800000-0x0000000004840000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2664-66-0x0000000004800000-0x0000000004840000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2664-67-0x00000000046F0000-0x0000000004752000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2664-68-0x0000000004800000-0x0000000004840000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2664-69-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2664-71-0x00000000742B0000-0x000000007499E000-memory.dmp

    Filesize

    6.9MB

    Download