Analysis

max time kernel: 138s
max time network: 150s
platform: windows10-1703_x64
resource: win10-20230703-en
resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
submitted: 17/07/2023, 04:51
Static task: static1

Behavioral task: behavioral1
  Sample: Setup.exe
  Resource: win7-20230712-en

Behavioral task: behavioral2
  Sample: Setup.exe
  Resource: win10-20230703-en
General

Target: Setup.exe
Size: 2.4MB
MD5: 9937c26ad68eb58a208d6d342fb732a3
SHA1: d1b3037ec67c614049ce9287529e1b3f1f685dd3
SHA256: 45392e18601c851f5dc2b7e725dec2c9cb0d97a1c67fe64c4ea8f19fe560437b
SHA512: 2534fda7731fa7d233b5bde4ee089fcb499145445344ce154d755f734a2cc3bb70ab8a225aba1494c05f0cf1ac84a4b26fb753e7ae9895269b013526d5c6ed15
SSDEEP: 49152:agGE8+l2lvMGXbPdH9IRz8UQyZ7GHDwUpl5x+X:atEl2l5XbBUPQyZ7GjDQ
Malware Config
Signatures
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

YARA rule hits (rule: upx) on memory dumps of PID 4948, region 0x0000000000400000-0x00000000008F4000
  resource                                                                      yara_rule
  behavioral2/memory/4948-117-0x0000000000400000-0x00000000008F4000-memory.dmp  upx
  behavioral2/memory/4948-120-0x0000000000400000-0x00000000008F4000-memory.dmp  upx
  behavioral2/memory/4948-121-0x0000000000400000-0x00000000008F4000-memory.dmp  upx
  behavioral2/memory/4948-122-0x0000000000400000-0x00000000008F4000-memory.dmp  upx
  behavioral2/memory/4948-123-0x0000000000400000-0x00000000008F4000-memory.dmp  upx
  behavioral2/memory/4948-124-0x0000000000400000-0x00000000008F4000-memory.dmp  upx

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  1     ip-api.com

Suspicious use of SetThreadContext (1 IoC)
  description                                pid   Process    procid_target
  PID 4956 set thread context of 4948        4956  Setup.exe  71

GoLang User-Agent (1 IoC)
  Uses the default User-Agent string set by the Go net/http package.
  description             flow  ioc
  HTTP User-Agent header  2     Go-http-client/1.1

Suspicious use of WriteProcessMemory (11 IoCs)
  description                               pid   Process    procid_target  count
  PID 4956 wrote to memory of 4936          4956  Setup.exe  70             3
  PID 4956 wrote to memory of 4948          4956  Setup.exe  71             8

Read together with the process tree below, the SetThreadContext and WriteProcessMemory rows form the injection sequence commonly called process hollowing: Setup.exe (PID 4956) spawns two instances of the signed Microsoft binary RegAsm.exe, writes into both, and replaces the thread context of the second one (PID 4948) only. The first instance (PID 4936) receives three writes but no thread context change. The upx YARA hits all fall on the 0x400000-0x8F4000 region of PID 4948 and are consistent with the image that was written into it; all memory dumps come from behavioral2 (the win10 run).
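What the six upx YARA hits above mean in practice: the dumps of the 0x400000-0x8F4000 region of PID 4948 still carry PE headers whose section names (UPX0, UPX1) and the UPX! marker give the packer away. The check below is an added example, not tria.ge code and not the report's YARA rule; the build_pe() helper constructs a minimal PE32 image in memory so the parser runs offline, and the handling of a dump that does not start at the image base (no MZ header, fall back to a string scan) is this example's own choice.

```python
"""Check a PE image, or a raw memory dump of one, for UPX packing indicators.

Added example, not part of the tria.ge report. build_pe() fabricates a
minimal PE32 image for demonstration; only the fields pe_sections() reads
are filled in. Field offsets follow the PE/COFF specification.
"""
import struct

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(section_names, marker=b""):
    """Constructed PE32 image: MZ stub with e_lfanew, PE signature, COFF
    header, zeroed optional header, one section header per name, and an
    optional trailing marker to stand in for the UPX! header string."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0  # PE32 optional header length
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    sections = b"".join(
        struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, 0)
        for i, name in enumerate(section_names)
    )
    return bytes(dos) + b"PE\0\0" + coff + opt + sections + marker


def pe_sections(data):
    """Return the section names of a PE image that starts at its image base."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header: dump does not start at the image base")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                             # first section header
    names = []
    for i in range(nsec):
        raw = struct.unpack_from(SECTION_FMT, data, table + 40 * i)[0]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def upx_indicators(data):
    """List the UPX indicators found: UPX-named sections and the UPX! marker.
    A dump taken from the middle of a region has no headers, so the section
    check is skipped and only the marker scan remains."""
    try:
        names = pe_sections(data)
    except ValueError:
        names = []
    reasons = [f"section {n}" for n in names if n.startswith("UPX")]
    if b"UPX!" in data:
        reasons.append("marker UPX!")
    return reasons


if __name__ == "__main__":
    packed = build_pe(["UPX0", "UPX1", ".rsrc"], marker=b"UPX!")
    clean = build_pe([".text", ".rdata", ".data"])
    print("packed:", upx_indicators(packed))
    print("clean: ", upx_indicators(clean))
```

Two caveats for real dumps: the region here starts at 0x400000, the usual image base, which is why the headers are present; a region dumped from any other offset will only yield the marker scan. And UPX section names are trivially renamed by anyone repacking a sample, so an empty result does not prove the image is unpacked, while a hit only says the packer's traces are there, not what the payload is.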
Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"  PID 4956
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"  PID 4936
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"  PID 4948
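The signatures in this report are derived from raw API and network events, and the same derivation is easy to reproduce on your own telemetry. The script below is an added example, not tria.ge code: the process tree, API events and flows are constructed by hand from the tables above (flow 2's remote host is not given in the report, so it is left out), and the record layout, the function names and the IP_LOOKUP_HOSTS list are this example's own assumptions. It flags the parent-writes-then-SetThreadContext pairing on a child as hollowing, reports the child that was written to but never resumed (PID 4936), and matches the Go default User-Agent and the IP lookup host.

```python
"""Re-derive the report's behavioural signatures from sandbox-style events.

Added example, not part of the tria.ge report. All records below are
constructed from the report's own tables; field layout and helper names
are assumptions of this example.
"""
from collections import Counter

# Constructed process tree: (pid, ppid, image path), as in the report.
PROCESSES = [
    (4956, None, r"C:\Users\Admin\AppData\Local\Temp\Setup.exe"),
    (4936, 4956, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
    (4948, 4956, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
]

# Constructed API events: (api, caller pid, target pid), one per report row.
API_EVENTS = (
    [("WriteProcessMemory", 4956, 4936)] * 3
    + [("WriteProcessMemory", 4956, 4948)] * 8
    + [("SetThreadContext", 4956, 4948)]
)

# Constructed flows. Flow 2's host is not in the report, so only its UA is kept.
FLOWS = [
    {"flow": 1, "host": "ip-api.com"},
    {"flow": 2, "user_agent": "Go-http-client/1.1"},
]

# Assumed allowlist of public IP lookup services; extend for your environment.
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "icanhazip.com", "ifconfig.me"}


def _tally(events):
    """Count WriteProcessMemory per (caller, target) and collect the
    (caller, target) pairs that saw SetThreadContext."""
    writes, ctx = Counter(), set()
    for api, caller, target in events:
        if api == "WriteProcessMemory":
            writes[(caller, target)] += 1
        elif api == "SetThreadContext":
            ctx.add((caller, target))
    return writes, ctx


def find_hollowing(processes, events):
    """{target pid: (parent pid, write count)} for every child whose parent
    both wrote into it and replaced its thread context: the hollowing sequence."""
    parent_of = {pid: ppid for pid, ppid, _ in processes}
    writes, ctx = _tally(events)
    return {
        target: (caller, writes[(caller, target)])
        for caller, target in ctx
        if parent_of.get(target) == caller and writes[(caller, target)]
    }


def write_only_targets(processes, events):
    """{target pid: write count} for children that were written to by their
    parent but never had a thread context set (PID 4936 in this report)."""
    parent_of = {pid: ppid for pid, ppid, _ in processes}
    writes, ctx = _tally(events)
    return {
        target: n for (caller, target), n in writes.items()
        if (caller, target) not in ctx and parent_of.get(target) == caller
    }


def find_ip_lookup(flows):
    """Flow ids whose remote host is a known external-IP lookup service."""
    return sorted(f["flow"] for f in flows if f.get("host") in IP_LOOKUP_HOSTS)


def find_go_user_agent(flows):
    """Flow ids carrying the default User-Agent of Go's net/http client."""
    return sorted(f["flow"] for f in flows
                  if f.get("user_agent", "").startswith("Go-http-client/"))


if __name__ == "__main__":
    print("hollowing:", find_hollowing(PROCESSES, API_EVENTS))
    print("written, not resumed:", write_only_targets(PROCESSES, API_EVENTS))
    print("ip lookup flows:", find_ip_lookup(FLOWS))
    print("go user-agent flows:", find_go_user_agent(FLOWS))
```

The parent check matters: legitimate debuggers and some AV engines also call WriteProcessMemory and SetThreadContext, but a parent doing both to a child it just spawned from a Temp directory, where the child is a Microsoft-signed host binary like RegAsm.exe, is the combination worth alerting on.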