Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/08/2023, 17:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    8.9MB

  • MD5

    887c0911835ace94104d8c570632409a

  • SHA1

    3192b8b83d62a44b22dbdd9f627fde49d16e5350

  • SHA256

    6c54458a3df80f3801df48d60cbafaa64b643f155bdd608140ef508134d52d68

  • SHA512

    f24b3e601874d7f5816f6c5d94598a4e94df6195ad52c32fc716e2c0a7ea518cd6f936722e2eb4654b70d2666365cbd4435bd095633a47d802b6cd1fb41b3bc7

  • SSDEEP

    196608:4Z1+0PfiEOE6NJ8Jkt9KCS1r8ek//fCc3NbFmQLG:4Z1PSEz6GkLS1r8ek/CH4G

Score
10/10
privateloaderloaderspywarestealer

Malware Config

Signatures

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4268
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:5040
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
    1⤵
      PID:3308
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
      1⤵
        PID:3732

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tempCMSiLy9rNhYhbPg\information.txt
        Filesize

        3KB

        MD5

        e88b6e4f2793774bd35e2afcc46bfc5a

        SHA1

        8a7d548dfb6198aba78178344138ca69cbf56a72

        SHA256

        0548c76add0b06dd3fe3a72d6928d699918247c1f89c07ecc7be5ec07b591eed

        SHA512

        28c76ca66bd140d054a61d7ccbf251214a39c96fb6b4102ec039a3eb186d88ef48d279ee366e954cd28d93b34d9b8bf55c142028697bebf08b5b7dd42d749542

        Download Submit

      • memory/4268-140-0x0000000075290000-0x0000000075A40000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4268-134-0x0000000000140000-0x0000000000A38000-memory.dmp

        Filesize

        9.0MB

        Download

      • memory/4268-135-0x00000000057C0000-0x0000000005D64000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4268-136-0x0000000005390000-0x00000000053A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4268-133-0x0000000075290000-0x0000000075A40000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/5040-150-0x0000000000400000-0x00000000004FF000-memory.dmp

        Filesize

        1020KB

        Download

      • memory/5040-161-0x0000000000400000-0x00000000004FF000-memory.dmp

        Filesize

        1020KB

        Download

      • memory/5040-142-0x0000000000400000-0x00000000004FF000-memory.dmp

        Filesize

        1020KB

        Download

      • memory/5040-149-0x0000000000400000-0x00000000004FF000-memory.dmp

        Filesize

        1020KB

        Download

      • memory/5040-139-0x0000000000400000-0x00000000004FF000-memory.dmp

        Filesize

        1020KB

        Download

      • memory/5040-151-0x0000000000400000-0x00000000004FF000-memory.dmp

        Filesize

        1020KB

        Download

      • memory/5040-162-0x0000000000400000-0x00000000004FF000-memory.dmp

        Filesize

        1020KB

        Download

      • memory/5040-141-0x0000000000400000-0x00000000004FF000-memory.dmp

        Filesize

        1020KB

        Download

      • memory/5040-207-0x0000000000400000-0x00000000004FF000-memory.dmp

        Filesize

        1020KB

        Download

      • memory/5040-204-0x0000000000400000-0x00000000004FF000-memory.dmp

        Filesize

        1020KB

        Download

      • memory/5040-210-0x0000000000400000-0x00000000004FF000-memory.dmp

        Filesize

        1020KB

        Download

      • memory/5040-222-0x0000000000400000-0x00000000004FF000-memory.dmp

        Filesize

        1020KB

        Download

      • memory/5040-137-0x0000000000400000-0x00000000004FF000-memory.dmp

        Filesize

        1020KB

        Download

      • memory/5040-238-0x0000000000400000-0x00000000004FF000-memory.dmp

        Filesize

        1020KB

        Download