Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
11/10/2023, 23:10
General
-
Target
tmp.exe
-
Size
737KB
-
MD5
d54ddeb1ceaa4b97d777db0335765e31
-
SHA1
e7d5613db327190562de2c627afceef830195f6c
-
SHA256
3ba7c1a01fe40fab7b53ae3a50aaba4f1d1300a857f4b91352f2423a3f7a4cb2
-
SHA512
6d07511e8e97896b98b7dfe16adfd19027aff7d7c9b0ec221a5165be28e52d7cd659692ab0ad52db02addc0f0213e60d3fcc9eb9d0bcde1353a52b63e01115aa
-
SSDEEP
12288:f06gzHa2iNP1U8kM7j418EZYw4lB/brrGL98Muv6DXfuADUkySTLs7Tn:8TG1FDOTZYlhrGL98MJDUkRTL4z
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmstp.exe"C:\Windows\SysWOW64\cmstp.exe"2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
553KB
MD55e2d04cb2fae4e811ca35675c472f5fc
SHA16e2359f8e81f1a1122d1fb50b064878f2aaefc68
SHA256dd46a298ab90ca9ba8a1f633f20abe2dcb805596b5aa68dcb84cce99e3a56be1
SHA51253c8701768ee4a43a6b2095af00aa5f2c53445021a91d3567d02cf8157c7b7c4e629c5c70bb24697d365a7c41c791af0c68b511ab3cf5f356d9d929618421d05
-
Filesize
1.0MB
MD5f1e5f58f9eb43ecec773acbdb410b888
SHA1f1b8076b0bbde696694bbc0ab259a77893839464
SHA256a15fd84ee61b54c92bb099dfb78226548f43d550c67fb6adf4cce3d064ab1c14
SHA5120aff96430dd99bb227285fefc258014c301f85216c84e40f45702d26cdd7e77261a41fd3811d686f5fb2ee363cc651a014e8ffa339384004cece645a36486456
-
Filesize
61.3MB
-
Filesize
944KB
-
Filesize
944KB
-
Filesize
944KB
-
Filesize
216KB
-
Filesize
628KB
-
Filesize
964KB
-
Filesize
628KB
-
Filesize
216KB
-
Filesize
3.0MB
-
Filesize
216KB
-
Filesize
216KB
-
Filesize
232KB
-
Filesize
232KB
-
Filesize
232KB
-
Filesize
120KB
-
Filesize
232KB
-
Filesize
3.0MB
-
Filesize
232KB
-
Filesize
232KB
-
Filesize
120KB
-
Filesize
232KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
760KB
-
Filesize
488KB
-
Filesize
40KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
96KB
-
Filesize
256KB
-
Filesize
6.9MB