Analysis
max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 16/07/2023, 16:41
Static task: static1
Behavioral task: behavioral1
Sample: f813f3f17cc6a471e19bd341f08392a4.exe
Resource: win7-20230712-en
General
Target: f813f3f17cc6a471e19bd341f08392a4.exe
Size: 465KB
MD5: f813f3f17cc6a471e19bd341f08392a4
SHA1: 64478e1a47287924bb970ab9d54cf394202806e8
SHA256: c1420965fdb80d2925b8ba25a0ac20bb49ee08bc8bbc1537d3e23069649cb941
SHA512: dfe198a8f811ba6fe2c0db1818ce3757bd852872947727a5c4bebf6c0e78f2b1c2a1e1d2593fd801c9668b72bb7612bda68013ae95843f282c1a4d3be106d692
SSDEEP: 6144:uLuv+rzoFOgKVHMQExcYAp0NFWUSShtepNYKB4yYuD5ht5RInaOdLuPFGtT:uavJOhWSYAuNFp6PYuDp5RIaBFO
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  description                         | pid  | Process                              | procid_target
  PID 2568 set thread context of 2664 | 2568 | f813f3f17cc6a471e19bd341f08392a4.exe | 28
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  | Process
  2664 | f813f3f17cc6a471e19bd341f08392a4.exe
  2664 | f813f3f17cc6a471e19bd341f08392a4.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description             | pid  | Process
  Token: SeDebugPrivilege | 2664 | f813f3f17cc6a471e19bd341f08392a4.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description                      | pid  | Process                              | procid_target
  PID 2568 wrote to memory of 2664 | 2568 | f813f3f17cc6a471e19bd341f08392a4.exe | 28
  PID 2568 wrote to memory of 2664 | 2568 | f813f3f17cc6a471e19bd341f08392a4.exe | 28
  PID 2568 wrote to memory of 2664 | 2568 | f813f3f17cc6a471e19bd341f08392a4.exe | 28
  PID 2568 wrote to memory of 2664 | 2568 | f813f3f17cc6a471e19bd341f08392a4.exe | 28
  PID 2568 wrote to memory of 2664 | 2568 | f813f3f17cc6a471e19bd341f08392a4.exe | 28
  PID 2568 wrote to memory of 2664 | 2568 | f813f3f17cc6a471e19bd341f08392a4.exe | 28
  PID 2568 wrote to memory of 2664 | 2568 | f813f3f17cc6a471e19bd341f08392a4.exe | 28
  PID 2568 wrote to memory of 2664 | 2568 | f813f3f17cc6a471e19bd341f08392a4.exe | 28
  PID 2568 wrote to memory of 2664 | 2568 | f813f3f17cc6a471e19bd341f08392a4.exe | 28
  PID 2568 wrote to memory of 2664 | 2568 | f813f3f17cc6a471e19bd341f08392a4.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\f813f3f17cc6a471e19bd341f08392a4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f813f3f17cc6a471e19bd341f08392a4.exe"
   PID: 2568
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\f813f3f17cc6a471e19bd341f08392a4.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\f813f3f17cc6a471e19bd341f08392a4.exe"
      PID: 2664
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
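The WriteProcessMemory and SetThreadContext rows above have one shape worth recognising: the first instance of the sample (PID 2568) writes repeatedly into a second instance of the same image (PID 2664) and then changes the context of one of its threads, after which the second instance enables SeDebugPrivilege and enumerates processes. Writing into another process and redirecting a thread in it is the minimum pair of calls needed to land and start injected code, and a same-image target is the self-injection form of process hollowing. The report records the calls, not the bytes written, so the pattern is a strong indicator rather than proof of what was injected. The script below is an added example, not code from the Triage report or from the sample: it parses rows constructed in the same flattened format as the report (the 2568/2664 PIDs and image name are taken from the page; the rows for PIDs 100 to 400, the process names hookinst.exe, debugger.exe and app.exe, and all function and class names are assumptions made for the example) and flags source/target pairs that both write and set thread context, distinguishing the same-image variant.

```python
"""Correlate flattened sandbox signature rows into a process-injection finding.

Added example; not code from the Triage report or from the analysed sample.
ROWS is constructed to mirror the 'Suspicious use of SetThreadContext',
'WriteProcessMemory' and 'AdjustPrivilegeToken' entries of the report
(PIDs 2568 -> 2664, same image name). The rows for PIDs 100-400 and the
process names other than the sample are constructed for contrast.
"""
import re
from dataclasses import dataclass, field

SAMPLE = "f813f3f17cc6a471e19bd341f08392a4.exe"

# Row format as rendered in the report: "<description> <pid> <Process> <procid_target>"
ROWS = (
    [f"PID 2568 set thread context of 2664 2568 {SAMPLE} 28"]
    + [f"PID 2568 wrote to memory of 2664 2568 {SAMPLE} 28"] * 10
    + [f"Token: SeDebugPrivilege 2664 {SAMPLE}"]
    # Constructed contrast rows: a write without a context change (e.g. a hook
    # installer) and a context change without a write (e.g. a debugger).
    + ["PID 100 wrote to memory of 200 100 hookinst.exe 3",
       "PID 300 set thread context of 400 300 debugger.exe 5"]
)

# pid -> image name, mirroring the Processes section; entries 100-400 are constructed.
PROCESSES = {2568: SAMPLE, 2664: SAMPLE, 100: "hookinst.exe", 200: "app.exe",
             300: "debugger.exe", 400: "app.exe"}

CROSS_PROC_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target_idx>\d+)$"
)
TOKEN_RE = re.compile(r"^Token: (?P<priv>\w+) (?P<pid>\d+) (?P<image>\S+)$")


@dataclass
class InjectionFinding:
    source: int
    target: int
    writes: int = 0
    context_sets: int = 0
    same_image: bool = False
    target_privileges: list = field(default_factory=list)

    @property
    def injection_like(self) -> bool:
        """Write into another process plus redirect one of its threads: the
        minimum pair needed to land and start a payload in that process."""
        return self.writes > 0 and self.context_sets > 0

    @property
    def hollowing_like(self) -> bool:
        """Same pair where source and target run the same image: the
        self-injection form seen in the report."""
        return self.injection_like and self.same_image


def correlate(rows, processes):
    """Group cross-process rows by (source, target) and count each call type."""
    findings = {}
    for row in rows:
        m = CROSS_PROC_RE.match(row)
        if not m:
            continue  # token and enumeration rows carry no target pid
        src, dst = int(m["src"]), int(m["dst"])
        if src == dst:
            continue  # a process writing its own memory is not injection
        f = findings.setdefault((src, dst), InjectionFinding(src, dst))
        if m["verb"].startswith("wrote"):
            f.writes += 1
        else:
            f.context_sets += 1
        f.same_image = processes.get(src) == processes.get(dst)
    # Second pass: attach privilege adjustments made by any injection target,
    # so the analyst sees what the target did once it was running.
    for row in rows:
        m = TOKEN_RE.match(row)
        if m:
            pid = int(m["pid"])
            for f in findings.values():
                if f.target == pid:
                    f.target_privileges.append(m["priv"])
    return sorted(findings.values(), key=lambda f: (f.source, f.target))


def flagged(rows, processes):
    """Only the (source, target) pairs that meet the write+context test."""
    return [f for f in correlate(rows, processes) if f.injection_like]


if __name__ == "__main__":
    for f in correlate(ROWS, PROCESSES):
        verdict = ("hollowing-like" if f.hollowing_like
                   else "injection-like" if f.injection_like else "no finding")
        print(f"{f.source} -> {f.target}: writes={f.writes} "
              f"ctx={f.context_sets} same_image={f.same_image} "
              f"target_privs={f.target_privileges} => {verdict}")
```

Run against the constructed rows, only the 2568 -> 2664 pair is flagged (10 writes, 1 context change, same image, SeDebugPrivilege enabled in the target afterwards); the lone write and the lone context change are kept as findings for context but do not meet the test, which is the point of requiring both calls before raising an injection verdict.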