Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    122s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    12/10/2023, 11:29

General

  • Target

    b306d7aa81bba32e0d51a441f5be19fb71f3d639bfe75127017b2c42ca548d49.exe

  • Size

    25KB

  • MD5

    808149036ca2c8fc70b1eab88d355c16

  • SHA1

    a08f00e5d92ad7d39eff8a021693edeaea8759b1

  • SHA256

    b306d7aa81bba32e0d51a441f5be19fb71f3d639bfe75127017b2c42ca548d49

  • SHA512

    cb9a48b9412ec13fa1c0d5c89e90f37274cef88cde1acd0bb21b223b3ae879c7ed13488a56fef0d0695f450f2ff95c0c0b0212b9265b30e2ac02174a38246470

  • SSDEEP

    384:qc0J+vqBoLotA8oPNIrxKRQSv7QrzVVvOytGxboE9K/mKHrjpjvXgq:8Q3LotOPNSQVwVVxGKEvKHrVXb

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b306d7aa81bba32e0d51a441f5be19fb71f3d639bfe75127017b2c42ca548d49.exe
    "C:\Users\Admin\AppData\Local\Temp\b306d7aa81bba32e0d51a441f5be19fb71f3d639bfe75127017b2c42ca548d49.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Windows\spoolsv.exe
      "C:\Windows\spoolsv.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      PID:2720

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\KTsJjW0AA0l5rXr.exe

    Filesize

    25KB

    MD5

    847281a9c5bf6f0f213c1c1ef8fc4826

    SHA1

    c870facfe0ea12ea4025b7e5d77f296510bad633

    SHA256

    8ca84464c66f12da45ba840713d127df46bf0145c024a8c1705c3bc96b42d765

    SHA512

    b5efcc83a257955b51c7614084b497a888953c5b9b37920322e229654beb24085cab14946a96b16ec61ed0400e667f8d02d7cf72d1b1a5a9b3825f2fee0e8601

  • C:\Windows\spoolsv.exe

    Filesize

    25KB

    MD5

    82071fd2379c64429acf376487fcddff

    SHA1

    2da42c7eaa62ecee65757b441c939f12b52228fb

    SHA256

    272bd07fa6c2678fd96a026237a184fceffa65d319f6844bac582aff90ce25d8

    SHA512

    194bdbdf624ec425a095a44116032687c46b3e2370f3c436e2d5516dcc778824ff57fa69edfacb42e5e76e05894eb0a40acf32dcee3b80ba397f823ec82b6adb

  • C:\Windows\spoolsv.exe

    Filesize

    25KB

    MD5

    82071fd2379c64429acf376487fcddff

    SHA1

    2da42c7eaa62ecee65757b441c939f12b52228fb

    SHA256

    272bd07fa6c2678fd96a026237a184fceffa65d319f6844bac582aff90ce25d8

    SHA512

    194bdbdf624ec425a095a44116032687c46b3e2370f3c436e2d5516dcc778824ff57fa69edfacb42e5e76e05894eb0a40acf32dcee3b80ba397f823ec82b6adb