Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/08/2023, 21:47

General

  • Target

    56e2743a76543fb61d9200e68d59aa80ee9827d6e971d91d991c6bc4bc46e339.exe

  • Size

    26KB

  • MD5

    dbe0206b23932d34dd3d3f25085c58ec

  • SHA1

    a0ad74b6108a10711bc45ba7959a65fa137ae01d

  • SHA256

    56e2743a76543fb61d9200e68d59aa80ee9827d6e971d91d991c6bc4bc46e339

  • SHA512

    1a5fe48dc753d919a230c04dc0e0b17180b05d3719b5a0adf67a70a710f9bc5d4766f1446e0a178518393c1a3cb254ee1c90cefde12e3ae8c0c9f53728af0e6d

  • SSDEEP

    384:qc0J+vqBoLotA8oPNIrxKRQSv7QrzVVvOytGxboE9K/mKHrjpjvw/y:8Q3LotOPNSQVwVVxGKEvKHrVUy

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\56e2743a76543fb61d9200e68d59aa80ee9827d6e971d91d991c6bc4bc46e339.exe
    "C:\Users\Admin\AppData\Local\Temp\56e2743a76543fb61d9200e68d59aa80ee9827d6e971d91d991c6bc4bc46e339.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Windows\spoolsv.exe
      "C:\Windows\spoolsv.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      PID:1060

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\FEFLZLmKmvtMTBC.exe

    Filesize

    26KB

    MD5

    2130b755afc735c664829158a31cc239

    SHA1

    3011600b215319c2340a98560d516b1c55b25500

    SHA256

    aa0b1b6fac0a09e33325aa247f4b6cd484cc791f1bdb8aa577f10bf575dbd415

    SHA512

    1bf87329ad6839911508a06fee453b0601afccbf4592341bf29182d5df70ec63713c9dc236e6cd66cb8d9c40648d9b9b59d450318beb151482acbbd7cce9f6c8

  • C:\Windows\spoolsv.exe

    Filesize

    25KB

    MD5

    82071fd2379c64429acf376487fcddff

    SHA1

    2da42c7eaa62ecee65757b441c939f12b52228fb

    SHA256

    272bd07fa6c2678fd96a026237a184fceffa65d319f6844bac582aff90ce25d8

    SHA512

    194bdbdf624ec425a095a44116032687c46b3e2370f3c436e2d5516dcc778824ff57fa69edfacb42e5e76e05894eb0a40acf32dcee3b80ba397f823ec82b6adb
