Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

Confirmation.exe

windows7-x64

7

Confirmation.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    122s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    11/10/2023, 17:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Confirmation.exe

  • Size

    884KB

  • MD5

    29af861baff3d90185ed2ea3d47482d6

  • SHA1

    ce58279e89cd1ccbb88b37e32be7d0115c9f1572

  • SHA256

    e95d1407329d9bf135e8e44cf041709c4ce426d62144c772374d9b782f3bb399

  • SHA512

    1277277c73e4d87e29add0112aac81a4b8edeada4fe49216cc6707c0cfc1c2cca9f522558c90243271da43a33715dada7a4e58933d5f4cc71839b31a3e570bf9

  • SSDEEP

    12288:PnX9K7iSxwfEHtrXTutnP/XGvGVfb9Pke7Qs5RcFbpEK:PntU7NHtvenP/5fbZJMs5RMpE

Score
7/10
spywarestealer

Malware Config

Signatures

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Confirmation.exe
    "C:\Users\Admin\AppData\Local\Temp\Confirmation.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Confirmation.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2708
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\chpJlUq.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2852
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\chpJlUq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDF48.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2664
    • C:\Users\Admin\AppData\Local\Temp\Confirmation.exe
      "C:\Users\Admin\AppData\Local\Temp\Confirmation.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2936

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpDF48.tmp
    Filesize

    1KB

    MD5

    d16b81e166a60949670fb8f58ae8ee30

    SHA1

    70e836a7844bfd6c4e4bf211a6d6829ffb0414e7

    SHA256

    4e5982f77b17070e402772400ca468ec7cfe30e89f11c4d3f5c6d7882f15d3bf

    SHA512

    54eab8608ddeca611a298c00783a7f5734b0046df49f2d1797a3431be22d1e8c1755c1d1c0890f66e9975a47b7e534a7c611738d517ceb34d1fc68feb1ed7390

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\34QUD8H2UEE5WA43R3SN.temp
    Filesize

    7KB

    MD5

    f08903e70fd442d73e8b45f75af57288

    SHA1

    9d1de49eb43500069ff19ff056f94b7cf67bd32c

    SHA256

    9d500b3f4280f987f094bde3df3de1a28f67482a40e122bfbe95e0318117f85e

    SHA512

    2df3b69f30490f2eab526a4b20c92605485ed96fdf1c17353293ab1e5d08ece9ccbe2fd8c33766b884c25c6167612729b307b1717a3d9897bea133ed56847a61

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    f08903e70fd442d73e8b45f75af57288

    SHA1

    9d1de49eb43500069ff19ff056f94b7cf67bd32c

    SHA256

    9d500b3f4280f987f094bde3df3de1a28f67482a40e122bfbe95e0318117f85e

    SHA512

    2df3b69f30490f2eab526a4b20c92605485ed96fdf1c17353293ab1e5d08ece9ccbe2fd8c33766b884c25c6167612729b307b1717a3d9897bea133ed56847a61

    Download Submit

  • memory/1272-35-0x0000000074310000-0x00000000749FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1272-1-0x0000000074310000-0x00000000749FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1272-2-0x0000000000610000-0x0000000000650000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1272-3-0x00000000005B0000-0x00000000005CC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1272-4-0x0000000074310000-0x00000000749FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1272-5-0x0000000000610000-0x0000000000650000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1272-6-0x0000000000330000-0x0000000000340000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1272-7-0x0000000004E90000-0x0000000004F0A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/1272-0-0x0000000000AC0000-0x0000000000BA4000-memory.dmp

    Filesize

    912KB

    Download

  • memory/2708-37-0x000000006F1A0000-0x000000006F74B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2708-44-0x000000006F1A0000-0x000000006F74B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2708-40-0x000000006F1A0000-0x000000006F74B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2708-39-0x0000000002890000-0x00000000028D0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2852-36-0x000000006F1A0000-0x000000006F74B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2852-45-0x000000006F1A0000-0x000000006F74B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2852-43-0x0000000002760000-0x00000000027A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2852-38-0x000000006F1A0000-0x000000006F74B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2936-20-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2936-24-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2936-22-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2936-34-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2936-32-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2936-41-0x0000000074310000-0x00000000749FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2936-30-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2936-42-0x0000000004B30000-0x0000000004B70000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2936-26-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2936-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2936-46-0x0000000074310000-0x00000000749FE000-memory.dmp

    Filesize

    6.9MB

    Download