Analysis

max time kernel: 153s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/10/2023, 13:05
Static task: static1

Behavioral task: behavioral1
Sample: 3b1d2a8456dfefabf62680e9bebf780608fab73c29b7fbd47643630e75e136a3.exe
Resource: win7-20230831-en

Behavioral task: behavioral2
Sample: 3b1d2a8456dfefabf62680e9bebf780608fab73c29b7fbd47643630e75e136a3.exe
Resource: win10v2004-20230915-en
General

Target: 3b1d2a8456dfefabf62680e9bebf780608fab73c29b7fbd47643630e75e136a3.exe
Size: 25KB
MD5: 4b8261a668e8b609703769edddcb4c97
SHA1: 55850fc5db482729a97926a604761b89b2f4f696
SHA256: 3b1d2a8456dfefabf62680e9bebf780608fab73c29b7fbd47643630e75e136a3
SHA512: a138dc8da89284b3a440b883abc56a3700997cb6ff10ca3ca3b57f22ea807a31bf88f7f7d09e1f73d7d5b129523b180a2e915bb4372f8d84fb7b707db944a5fd
SSDEEP: 384:fJ1mIUcCgKY2mPNIrJwIhn7ytQtJUMTNOt894boE9K/mKHboI3:Xm55gKGPNSHftJDhEvKHbo6
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  960   spoolsv.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                          Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\spoolsv.exe"  3b1d2a8456dfefabf62680e9bebf780608fab73c29b7fbd47643630e75e136a3.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\spoolsv.exe"  spoolsv.exe
  The value lands under WOW6432Node because the sample is a 32-bit process writing HKLM\Software on a 64-bit host; both the dropper and its child re-set the same value name "CTS".

Drops file in Windows directory (2 IoCs)
  description   ioc                     Process
  File created  C:\Windows\spoolsv.exe  3b1d2a8456dfefabf62680e9bebf780608fab73c29b7fbd47643630e75e136a3.exe
  File created  C:\Windows\spoolsv.exe  spoolsv.exe
  The dropped binary borrows the Print Spooler's name, but the legitimate spoolsv.exe lives in C:\Windows\System32; a copy directly under C:\Windows is a masquerade, not the service binary.

NTFS ADS (2 IoCs)
  description                 ioc                                                    Process
  File opened for modification  C:\Users\Admin\AppData\Local\Temp\https:\www.google.com  3b1d2a8456dfefabf62680e9bebf780608fab73c29b7fbd47643630e75e136a3.exe
  File opened for modification  C:\Users\Admin\AppData\Local\Temp\https:\www.google.com  spoolsv.exe
  The colon in this path is what matches the alternate-data-stream signature (NTFS stream syntax is file:stream); the path reads as a URL used verbatim as a file name, and the report records no named stream being written.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  3344  3b1d2a8456dfefabf62680e9bebf780608fab73c29b7fbd47643630e75e136a3.exe
  Token: SeDebugPrivilege  960   spoolsv.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid   Process                                                                  procid_target
  PID 3344 wrote to memory of 960  3344  3b1d2a8456dfefabf62680e9bebf780608fab73c29b7fbd47643630e75e136a3.exe  85
  PID 3344 wrote to memory of 960  3344  3b1d2a8456dfefabf62680e9bebf780608fab73c29b7fbd47643630e75e136a3.exe  85
  PID 3344 wrote to memory of 960  3344  3b1d2a8456dfefabf62680e9bebf780608fab73c29b7fbd47643630e75e136a3.exe  85
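The three host-side behaviours in the signature table (a spoolsv.exe copy outside System32, a Run key pointing at it, and a colon-bearing path tripping the ADS check) are easy to turn into detection logic. The block below is an added example, not part of the tria.ge report or its signature engine: it runs three checks over Sysmon-style event records that are constructed here from the report's IOCs (plus two benign controls, also constructed). The field names, the trusted-directory list and the ATT&CK technique IDs used as alert labels are this example's own choices; the report only names the ATT&CK version.

```python
"""Host-behaviour checks for the report's IOCs (added example, constructed events)."""
import ntpath
import re

# Where the real Print Spooler binary lives on a 64-bit Windows 10 install.
LEGIT_SPOOLSV = r"c:\windows\system32\spoolsv.exe"

# Run / RunOnce keys, native and WOW6432Node views, HKLM or HKCU.
RUN_KEY_RE = re.compile(
    r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\run(once)?\\",
    re.IGNORECASE,
)

# Directories from which an autostart entry is treated as expected.
# Heuristic chosen for this example (assumption); tune to the estate's baseline.
TRUSTED_AUTOSTART_DIRS = (
    r"c:\program files",
    r"c:\program files (x86)",
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)


def masquerading_spoolsv(path: str) -> bool:
    """spoolsv.exe anywhere but System32. The report shows the dropper writing
    and launching C:\\Windows\\spoolsv.exe, one level above the real binary,
    so a name-only check would miss it; the full path must be compared."""
    p = path.lower()
    return ntpath.basename(p) == "spoolsv.exe" and p != LEGIT_SPOOLSV


def executable_from_value(value: str) -> str:
    """Program path from a Run-key value such as '"C:\\x\\y.exe" /arg' or
    'C:\\x\\y.exe /arg' (first quoted token, else first whitespace token)."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    return v.split(" ", 1)[0]


def suspicious_run_value(key: str, value: str) -> bool:
    """Run-key autostart whose target sits outside the trusted directories,
    e.g. the Windows root, %TEMP% or a user profile."""
    if not RUN_KEY_RE.search(key):
        return False
    exe = executable_from_value(value).lower()
    return not any(exe.startswith(d + "\\") for d in TRUSTED_AUTOSTART_DIRS)


def looks_like_ads(path: str) -> bool:
    """A colon after the drive letter is NTFS stream syntax (file:stream).
    This is why ...\\Temp\\https:\\www.google.com fires an 'NTFS ADS' signature
    even though it is a URL written as a path, so treat the hit as a lead."""
    body = path[2:] if re.match(r"^[a-zA-Z]:", path) else path
    return ":" in body


def evaluate(events):
    """Run the checks over event dicts; return (technique, pid, detail) alerts."""
    alerts = []
    for e in events:
        if e["type"] in ("process_create", "file_create"):
            path = e["target"] if e["type"] == "file_create" else e["image"]
            if masquerading_spoolsv(path):
                alerts.append(("T1036.005", e["pid"], path))
        if e["type"] == "reg_set" and suspicious_run_value(e["key"], e["data"]):
            alerts.append(("T1547.001", e["pid"], e["data"]))
        if e["type"] in ("file_create", "file_open") and looks_like_ads(e["target"]):
            alerts.append(("T1564.004", e["pid"], e["target"]))
    return alerts


# Constructed from the report's signature table; not exported from the sandbox.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\3b1d2a8456dfefabf62680e9bebf780608fab73c29b7fbd47643630e75e136a3.exe"
RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS"

SAMPLE_EVENTS = [
    {"type": "file_create", "pid": 3344, "image": DROPPER, "target": r"C:\Windows\spoolsv.exe"},
    {"type": "reg_set", "pid": 3344, "image": DROPPER, "key": RUN_KEY, "data": r"C:\Windows\spoolsv.exe"},
    {"type": "process_create", "pid": 960, "ppid": 3344, "image": r"C:\Windows\spoolsv.exe"},
    {"type": "file_open", "pid": 3344, "image": DROPPER,
     "target": r"C:\Users\Admin\AppData\Local\Temp\https:\www.google.com"},
    # Two benign controls (constructed): the real spooler and a vendor autostart.
    {"type": "process_create", "pid": 2208, "ppid": 700, "image": r"C:\Windows\System32\spoolsv.exe"},
    {"type": "reg_set", "pid": 5120, "image": r"C:\Windows\explorer.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for technique, pid, detail in evaluate(SAMPLE_EVENTS):
        print(technique, pid, detail)
```

The two controls matter: the path check must stay quiet for C:\Windows\System32\spoolsv.exe, and the Run-key check must accept a quoted Program Files target with arguments, or the rule will page on every workstation.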
Processes

C:\Users\Admin\AppData\Local\Temp\3b1d2a8456dfefabf62680e9bebf780608fab73c29b7fbd47643630e75e136a3.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3b1d2a8456dfefabf62680e9bebf780608fab73c29b7fbd47643630e75e136a3.exe"
  PID: 3344
  - Adds Run key to start application
  - Drops file in Windows directory
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\spoolsv.exe (child of PID 3344)
    command line: "C:\Windows\spoolsv.exe"
    PID: 960
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 347KB
MD5: c3dfea2840b207c14b34466563204053
SHA1: 16c990262fbed14e35ad294ff259f756b15b671c
SHA256: 846ac78931e52ff11698a904d2ffb4abd2d9e645c538e248903e5934e5faaafb
SHA512: 3e2b2529efee9a340b210ed235191130f423f2b0a5b6dc24de92f546f0fce98e693d8ac1a4cd750a60de787518abd3058d4b3e1fb84fec0989d27028fd2ee416

Filesize: 25KB
MD5: 7105251150f5420e16bb1d34fe5b1672
SHA1: 9e73b7ef98288724efa1401ee7429f174e6c289d
SHA256: 3961b551ed592d7e3420e740b33db2571e2583fbfeb826d832faf285ef278028
SHA512: 3063e3ac9203c9d4a0f2b6f00171ce315af0c5a5613d7e43cf05287148eeabffb49f511246484842f94dc594db6e36908e6507a5560e51c84e53cafad6719c6b

Filesize: 25KB
MD5: 9ba0942ba2b766b43b832ad20b186324
SHA1: 4352dd8ee4fcf525400ba6d8cd31ef296f421790
SHA256: b788302ea044a0843019e224643d5af1935d420ba716e783b28750b9301c0f4c
SHA512: 9d485424f423342f6135da72a2e396f6215320cf7849deb3d6a24da0d72b1d3d937a3d6a38023607d8bb760948b5e37c5ff4c743e4246d25c259e5f0ecef6b0b