Analysis
max time kernel: 138s
max time network: 150s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 17/07/2023, 04:51

Static task: static1
Behavioral task: behavioral1 (sample Setup.exe, resource win7-20230712-en)
Behavioral task: behavioral2 (sample Setup.exe, resource win10-20230703-en)
General
Target: Setup.exe
Size: 2.4MB
MD5: 9937c26ad68eb58a208d6d342fb732a3
SHA1: d1b3037ec67c614049ce9287529e1b3f1f685dd3
SHA256: 45392e18601c851f5dc2b7e725dec2c9cb0d97a1c67fe64c4ea8f19fe560437b
SHA512: 2534fda7731fa7d233b5bde4ee089fcb499145445344ce154d755f734a2cc3bb70ab8a225aba1494c05f0cf1ac84a4b26fb753e7ae9895269b013526d5c6ed15
SSDEEP: 49152:agGE8+l2lvMGXbPdH9IRz8UQyZ7GHDwUpl5x+X:atEl2l5XbBUPQyZ7GjDQ
Malware Config
Signatures
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other secrets.

resource | yara_rule
behavioral1/memory/2644-55-0x0000000000400000-0x00000000008F4000-memory.dmp | upx
behavioral1/memory/2644-57-0x0000000000400000-0x00000000008F4000-memory.dmp | upx
behavioral1/memory/2644-61-0x0000000000400000-0x00000000008F4000-memory.dmp | upx
behavioral1/memory/2644-62-0x0000000000400000-0x00000000008F4000-memory.dmp | upx
behavioral1/memory/2644-64-0x0000000000400000-0x00000000008F4000-memory.dmp | upx
behavioral1/memory/2644-66-0x0000000000400000-0x00000000008F4000-memory.dmp | upx
behavioral1/memory/2644-68-0x0000000000400000-0x00000000008F4000-memory.dmp | upx
behavioral1/memory/2644-67-0x0000000000400000-0x00000000008F4000-memory.dmp | upx
behavioral1/memory/2644-69-0x0000000000400000-0x00000000008F4000-memory.dmp | upx

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
2 | ip-api.com

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1152 set thread context of 2644 | 1152 | Setup.exe | 34

GoLang User-Agent (1 IoC)
Uses the default User-Agent string set by the Go net/http package.
description | flow | ioc
HTTP User-Agent header | 3 | Go-http-client/1.1

Suspicious use of WriteProcessMemory (46 IoCs)
description | pid | Process | procid_target | count
PID 1152 wrote to memory of 320 | 1152 | Setup.exe | 29 | 7
PID 1152 wrote to memory of 2512 | 1152 | Setup.exe | 30 | 7
PID 1152 wrote to memory of 2180 | 1152 | Setup.exe | 31 | 7
PID 1152 wrote to memory of 2416 | 1152 | Setup.exe | 32 | 7
PID 1152 wrote to memory of 1124 | 1152 | Setup.exe | 33 | 7
PID 1152 wrote to memory of 2644 | 1152 | Setup.exe | 34 | 11
Processes
[1] C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    PID 1152
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID 320
    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID 2512
    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID 2180
    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID 2416
    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID 1124
    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID 2644
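The signatures and the process tree above describe one chain: Setup.exe (PID 1152), running from the user's Temp directory, spawns six copies of the .NET utility RegAsm.exe, writes into every one of them, and sets the thread context of only the last (PID 2644); the memory dumps that match the upx YARA rule come from that same PID, and the HTTP flows carry Go's default User-Agent and go to ip-api.com. Create child, write into it, redirect its thread: that is the process-hollowing pattern, and the five written-to but never "started" RegAsm.exe instances look like abandoned attempts. The Python below is an added example, not part of the tria.ge report, showing how a detection engineer would correlate such events. The events are constructed here from the report's PIDs and paths; the (pid, ppid, image) tuple layout, the parent PID 1000 for Setup.exe, and attributing the HTTP flows to PID 2644 are assumptions.

```python
from collections import Counter

# Constructed events modelled on this report (PIDs and paths taken from it).
# The tuple layouts are assumptions, not any sandbox's export format.
SETUP = r"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

PROC_CREATE = [  # (pid, ppid, image); ppid 1000 for Setup.exe is assumed
    (1152, 1000, SETUP),
    (320, 1152, REGASM), (2512, 1152, REGASM), (2180, 1152, REGASM),
    (2416, 1152, REGASM), (1124, 1152, REGASM), (2644, 1152, REGASM),
]
# (source pid, target pid): 7 writes into each of the first five children and
# 11 into the last, matching the 46 WriteProcessMemory IoCs in the report.
MEM_WRITES = [(1152, t) for t in (320, 2512, 2180, 2416, 1124) for _ in range(7)]
MEM_WRITES += [(1152, 2644)] * 11
THREAD_CTX = [(1152, 2644)]  # the single SetThreadContext IoC
# (pid, host, user-agent); the report does not say which PID issued the flows,
# so PID 2644 is assumed here.
HTTP_FLOWS = [(2644, "ip-api.com", "Go-http-client/1.1")]


def process_map(creates):
    """pid -> (ppid, image) lookup built from process-create events."""
    return {pid: (ppid, image) for pid, ppid, image in creates}


def find_hollowing(creates, writes, ctx):
    """Return (source, target, target_image) where one process created a child,
    wrote into it, and then replaced the child's thread context: the three steps
    of process hollowing. Event ordering is not checked in this simplified form."""
    procs = process_map(creates)
    written = set(writes)
    hits = []
    for src, tgt in ctx:
        ppid, image = procs.get(tgt, (None, None))
        if ppid == src and (src, tgt) in written:
            hits.append((src, tgt, image))
    return hits


def find_staged_targets(creates, writes, ctx):
    """Children that were created and written into but never had their thread
    context set: candidate failed or abandoned injection targets."""
    procs = process_map(creates)
    ctx_targets = {tgt for _, tgt in ctx}
    out = []
    for src, tgt in dict.fromkeys(writes):  # dedupe, keep first-seen order
        if procs.get(tgt, (None,))[0] == src and tgt not in ctx_targets:
            out.append(tgt)
    return out


def write_counts(writes):
    """How many times each (source, target) pair was written to."""
    return Counter(writes)


def lolbin_spawned_from_temp(creates):
    """System binaries whose parent runs out of the user's local Temp folder."""
    procs = process_map(creates)
    hits = []
    for pid, ppid, image in creates:
        parent = procs.get(ppid)
        if (parent and "\\appdata\\local\\temp\\" in parent[1].lower()
                and image.lower().startswith("c:\\windows\\")):
            hits.append((ppid, pid, image))
    return hits


def network_iocs(flows, hosts=("ip-api.com",), agent_prefixes=("Go-http-client/",)):
    """Match flows against the report's external-IP lookup host and Go User-Agent."""
    hits = []
    for pid, host, ua in flows:
        reasons = []
        if host in hosts:
            reasons.append("external-ip lookup")
        if any(ua.startswith(p) for p in agent_prefixes):
            reasons.append("Go default User-Agent")
        if reasons:
            hits.append((pid, host, ua, reasons))
    return hits


if __name__ == "__main__":
    print("hollowing:", find_hollowing(PROC_CREATE, MEM_WRITES, THREAD_CTX))
    print("staged targets:", find_staged_targets(PROC_CREATE, MEM_WRITES, THREAD_CTX))
    print("writes per target:", dict(write_counts(MEM_WRITES)))
    print("system binaries spawned from Temp:", lolbin_spawned_from_temp(PROC_CREATE))
    print("network IoCs:", network_iocs(HTTP_FLOWS))
```

Run against the constructed events it reports PID 2644 as the hollowed RegAsm.exe, the other five RegAsm.exe PIDs as written-to but never started, and the single HTTP flow as hitting both network IoCs. Against real telemetry the same three-step join (create, write, SetThreadContext) is what separates hollowing from benign cross-process writes such as debuggers or installers, which do not normally redirect a child's initial thread.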