Analysis
- max time kernel: 143s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 14/10/2023, 17:59
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.75cd1244fd78e304fe4a230239b6ef30.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: NEAS.75cd1244fd78e304fe4a230239b6ef30.exe
  Resource: win10v2004-20230915-en
General
- Target: NEAS.75cd1244fd78e304fe4a230239b6ef30.exe
- Size: 170KB
- MD5: 75cd1244fd78e304fe4a230239b6ef30
- SHA1: 0a7984e1cdcca37efbc1877a5c609a6c2945ea7a
- SHA256: be59515f36a9504b9348e3eb434a2e3565692705444d615f34f819ba27470c61
- SHA512: 2ad42c48eb91262d988a7f68e0067a085c4e84b3f7a0e66d2132bd24a00bc10932a1a6b03190b5f8666da413453674734be8f3f3dab5b4595128545561e6e3cc
- SSDEEP: 3072:wVSYYZbASP/+OGDJIZBcyJ+RXQK4UbwWhbZuq3sPE:w4DbAS6DJIZBaR4bWhbgE
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- YARA matches (resource | yara_rule)
  behavioral1/memory/2080-4-0x0000000000400000-0x0000000000468000-memory.dmp | upx
  behavioral1/memory/2080-9-0x0000000000400000-0x0000000000468000-memory.dmp | upx
  behavioral1/memory/2612-12-0x0000000000400000-0x0000000000468000-memory.dmp | upx
  behavioral1/memory/2588-16-0x0000000000400000-0x0000000000468000-memory.dmp | upx
  behavioral1/memory/2080-27-0x0000000000400000-0x0000000000468000-memory.dmp | upx
  behavioral1/memory/2080-95-0x0000000000400000-0x0000000000468000-memory.dmp | upx
  behavioral1/memory/2080-127-0x0000000000400000-0x0000000000468000-memory.dmp | upx
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2080 wrote to memory of 2612 | 2080 | NEAS.75cd1244fd78e304fe4a230239b6ef30.exe | 28
  PID 2080 wrote to memory of 2612 | 2080 | NEAS.75cd1244fd78e304fe4a230239b6ef30.exe | 28
  PID 2080 wrote to memory of 2612 | 2080 | NEAS.75cd1244fd78e304fe4a230239b6ef30.exe | 28
  PID 2080 wrote to memory of 2612 | 2080 | NEAS.75cd1244fd78e304fe4a230239b6ef30.exe | 28
  PID 2080 wrote to memory of 2588 | 2080 | NEAS.75cd1244fd78e304fe4a230239b6ef30.exe | 30
  PID 2080 wrote to memory of 2588 | 2080 | NEAS.75cd1244fd78e304fe4a230239b6ef30.exe | 30
  PID 2080 wrote to memory of 2588 | 2080 | NEAS.75cd1244fd78e304fe4a230239b6ef30.exe | 30
  PID 2080 wrote to memory of 2588 | 2080 | NEAS.75cd1244fd78e304fe4a230239b6ef30.exe | 30
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\NEAS.75cd1244fd78e304fe4a230239b6ef30.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.75cd1244fd78e304fe4a230239b6ef30.exe"
  PID: 2080
  Signature: Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\NEAS.75cd1244fd78e304fe4a230239b6ef30.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\NEAS.75cd1244fd78e304fe4a230239b6ef30.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
    PID: 2612
  - [2] C:\Users\Admin\AppData\Local\Temp\NEAS.75cd1244fd78e304fe4a230239b6ef30.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\NEAS.75cd1244fd78e304fe4a230239b6ef30.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
    PID: 2588
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 696B
  MD5: 74b5ccfe881c8850bc885bd69cf63d56
  SHA1: e8084423f7465d21965271e9a531d05cf0b9bcb2
  SHA256: d253fc5fcd61efefc843e669267544b2f4c947cb9e03516aa4cbb96e119c03a3
  SHA512: e22fba1dd25fea3c4c6b5dbd6de9ada31760e66ff8da35d877049bfe3adcf3268728e946e30ca22371ccef61caeb2a3cc93ab916dc4b2e8293db3ac6a9043548
- Filesize: 996B
  MD5: e67b3be239ec11ce2d347925d1e2e47d
  SHA1: acc32f24b0cfa6c606120a31534a39c8d85ed431
  SHA256: f659483469f1e01c463b6f51b47b5cb8f9f0660021a800fbe2c839d86200918a
  SHA512: 90082662fa572428b95a8a04d15e1101008779aeb494e29d0a887d2f55f0850d83188a66093689351a16f10bc1fc6605d0a2d6b27ed098dd2c63538a8c8236bf
- Filesize: 1KB
  MD5: 6e38da25355b03b56c9c4e694647255f
  SHA1: c06126f6f34b2213674910fa9cefcb92f89c4457
  SHA256: 8d0e868c08f2f393aa9a78a8a89ac0a83eb70db6ef0691fa95006ededf675dab
  SHA512: 16b73d05db5ec47b4d264b267ce43665871d7d38f13f0c260d393711b5b0f6cd2b425b894dc3a510caa3fec59458e1085cd9881d1a81dcfaee35458e3c2902d0