Analysis
max time kernel: 138s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/07/2023, 04:51
Static task: static1
Behavioral task: behavioral1 (sample Setup.exe, resource win7-20230712-en)
Behavioral task: behavioral2 (sample Setup.exe, resource win10-20230703-en)
General
Target: Setup.exe
Size: 2.4MB
MD5: 9937c26ad68eb58a208d6d342fb732a3
SHA1: d1b3037ec67c614049ce9287529e1b3f1f685dd3
SHA256: 45392e18601c851f5dc2b7e725dec2c9cb0d97a1c67fe64c4ea8f19fe560437b
SHA512: 2534fda7731fa7d233b5bde4ee089fcb499145445344ce154d755f734a2cc3bb70ab8a225aba1494c05f0cf1ac84a4b26fb753e7ae9895269b013526d5c6ed15
SSDEEP: 49152:agGE8+l2lvMGXbPdH9IRz8UQyZ7GHDwUpl5x+X:atEl2l5XbBUPQyZ7GjDQ
Malware Config
Signatures

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

YARA rule match: upx (5 resources)
All five matches are memory dumps of PID 3512 covering the same region 0x0000000000400000-0x00000000008F4000, i.e. the image mapped into RegAsm.exe is UPX-packed:
behavioral3/memory/3512-133-0x0000000000400000-0x00000000008F4000-memory.dmp
behavioral3/memory/3512-135-0x0000000000400000-0x00000000008F4000-memory.dmp
behavioral3/memory/3512-137-0x0000000000400000-0x00000000008F4000-memory.dmp
behavioral3/memory/3512-139-0x0000000000400000-0x00000000008F4000-memory.dmp
behavioral3/memory/3512-140-0x0000000000400000-0x00000000008F4000-memory.dmp

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 24: ip-api.com

Suspicious use of SetThreadContext (1 IoC)
PID 1792 (Setup.exe) set thread context of PID 3512 (procid_target 87)

GoLang User-Agent (1 IoC)
Uses the default User-Agent string set by the Go net/http package, which indicates a Go-compiled binary is making the request.
flow 25: HTTP User-Agent header Go-http-client/1.1

Suspicious use of WriteProcessMemory (8 IoCs)
PID 1792 (Setup.exe) wrote to memory of PID 3512 (procid_target 87); all eight events are identical.

Taken together, the WriteProcessMemory and SetThreadContext events from Setup.exe into the RegAsm.exe child it spawned (see Processes below), plus the UPX-tagged image in RegAsm.exe's memory, are the pattern of process hollowing: the payload is written into a legitimate .NET Framework utility and executed under that binary's name, so detections keyed on the image path alone will miss it.
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe "C:\Users\Admin\AppData\Local\Temp\Setup.exe" (depth 1, PID 1792)
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" (depth 2, PID 3512, child of PID 1792)
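The signatures and process tree above reduce to one correlation a detection engineer would want to automate: a process writes into another process and then sets a thread context in it, the target is a child of the writer and a Windows system binary, and on the network side a Go default User-Agent and an external-IP lookup appear. The Python below is an added example, not part of the tria.ge report or of Hatching's tooling; it runs that correlation over hand-constructed event records that mirror this page's rows (PIDs 1792 and 3512, flows 24 and 25). The event dictionary shape, the IP_LOOKUP_HOSTS set and the confidence labels are assumptions for the demo.

```python
from collections import defaultdict

# Constructed event records (not the report's own export) shaped like the rows in
# the signature tables: 8 WriteProcessMemory and 1 SetThreadContext from PID 1792
# (Setup.exe) against PID 3512 (RegAsm.exe), plus the two HTTP IoCs.
EVENTS = [
    {"type": "WriteProcessMemory", "pid": 1792, "target_pid": 3512}
    for _ in range(8)
] + [
    {"type": "SetThreadContext", "pid": 1792, "target_pid": 3512},
    {"type": "http", "flow": 24, "host": "ip-api.com", "user_agent": None},
    {"type": "http", "flow": 25, "host": None, "user_agent": "Go-http-client/1.1"},
]

# Process tree from the report: pid -> (image path, parent pid).
PROCESSES = {
    1792: (r"C:\Users\Admin\AppData\Local\Temp\Setup.exe", None),
    3512: (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", 1792),
}

IP_LOOKUP_HOSTS = {"ip-api.com"}  # assumption: extend with other lookup services as needed
GO_UA_PREFIX = "Go-http-client/"   # default User-Agent of Go's net/http client


def find_hollowing(events, processes):
    """Pair cross-process WriteProcessMemory with SetThreadContext on the same (src, dst).

    Either API alone is noisy (debuggers, installers, AV agents). The pair, from a
    parent into a child that is a Windows system binary, is the high-confidence
    process-hollowing / thread-hijack signal.
    """
    writes = defaultdict(int)
    ctx_targets = set()
    for ev in events:
        key = (ev.get("pid"), ev.get("target_pid"))
        if key[0] == key[1]:
            continue  # same-process calls are not injection
        if ev["type"] == "WriteProcessMemory":
            writes[key] += 1
        elif ev["type"] == "SetThreadContext":
            ctx_targets.add(key)

    findings = []
    for src, dst in sorted(ctx_targets):
        if writes[(src, dst)] == 0:
            continue  # thread-context change without a prior write: report nothing
        src_img, _ = processes.get(src, ("<unknown>", None))
        dst_img, dst_parent = processes.get(dst, ("<unknown>", None))
        findings.append({
            "source": f"{src} {src_img}",
            "target": f"{dst} {dst_img}",
            "writes": writes[(src, dst)],
            "target_is_child_of_source": dst_parent == src,
            "target_is_windows_binary": dst_img.lower().startswith("c:\\windows\\"),
        })
    return findings


def network_indicators(events):
    """Collect flow ids carrying the Go default User-Agent or an external-IP lookup host."""
    hits = {"go_http_client": [], "ip_lookup": []}
    for ev in events:
        if ev["type"] != "http":
            continue
        ua = ev.get("user_agent") or ""
        host = (ev.get("host") or "").lower()
        if ua.startswith(GO_UA_PREFIX):
            hits["go_http_client"].append(ev["flow"])
        if host in IP_LOOKUP_HOSTS:
            hits["ip_lookup"].append(ev["flow"])
    return hits


def verdict(events, processes):
    """Combine both detectors into short, human-readable findings with a confidence label."""
    lines = []
    for f in find_hollowing(events, processes):
        conf = "high" if f["target_is_child_of_source"] and f["target_is_windows_binary"] else "medium"
        lines.append(
            f"[{conf}] {f['source']} wrote {f['writes']}x into and set thread context of {f['target']}"
        )
    net = network_indicators(events)
    if net["go_http_client"]:
        lines.append(f"[low] Go default User-Agent on flow(s) {net['go_http_client']}")
    if net["ip_lookup"]:
        lines.append(f"[low] external IP lookup on flow(s) {net['ip_lookup']}")
    return lines


if __name__ == "__main__":
    for line in verdict(EVENTS, PROCESSES):
        print(line)
```

The network indicators are deliberately rated low on their own: many legitimate Go tools send Go-http-client/1.1 and ask ip-api.com for their address. They only sharpen the verdict when a hollowing finding is already present, which is how the report's signatures should be read as well.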