Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
138s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
02/08/2023, 17:35
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20230703-en
General
-
Target
file.exe
-
Size
8.9MB
-
MD5
887c0911835ace94104d8c570632409a
-
SHA1
3192b8b83d62a44b22dbdd9f627fde49d16e5350
-
SHA256
6c54458a3df80f3801df48d60cbafaa64b643f155bdd608140ef508134d52d68
-
SHA512
f24b3e601874d7f5816f6c5d94598a4e94df6195ad52c32fc716e2c0a7ea518cd6f936722e2eb4654b70d2666365cbd4435bd095633a47d802b6cd1fb41b3bc7
-
SSDEEP
196608:4Z1+0PfiEOE6NJ8Jkt9KCS1r8ek//fCc3NbFmQLG:4Z1PSEz6GkLS1r8ek/CH4G
Malware Config
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 33 ipinfo.io 35 ipinfo.io -
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\System32\GroupPolicy file.exe File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini file.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol file.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI file.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4268 set thread context of 5040 4268 file.exe 86 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 5040 file.exe 5040 file.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 4268 wrote to memory of 5040 4268 file.exe 86 PID 4268 wrote to memory of 5040 4268 file.exe 86 PID 4268 wrote to memory of 5040 4268 file.exe 86 PID 4268 wrote to memory of 5040 4268 file.exe 86 PID 4268 wrote to memory of 5040 4268 file.exe 86 PID 4268 wrote to memory of 5040 4268 file.exe 86 PID 4268 wrote to memory of 5040 4268 file.exe 86 PID 4268 wrote to memory of 5040 4268 file.exe 86 PID 4268 wrote to memory of 5040 4268 file.exe 86 PID 4268 wrote to memory of 5040 4268 file.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:5040
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:3308
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:3732
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5e88b6e4f2793774bd35e2afcc46bfc5a
SHA18a7d548dfb6198aba78178344138ca69cbf56a72
SHA2560548c76add0b06dd3fe3a72d6928d699918247c1f89c07ecc7be5ec07b591eed
SHA51228c76ca66bd140d054a61d7ccbf251214a39c96fb6b4102ec039a3eb186d88ef48d279ee366e954cd28d93b34d9b8bf55c142028697bebf08b5b7dd42d749542