Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

07053ea86d...b9.exe

windows7-x64

10

07053ea86d...b9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    24/12/2023, 16:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    07053ea86dd370d8e7c1e935a96af3b9.exe

  • Size

    173KB

  • MD5

    07053ea86dd370d8e7c1e935a96af3b9

  • SHA1

    102ae2b6fe49621aaa4580921367dec4a9c446dd

  • SHA256

    6129c6cdfa86b869afbdad5062d6a6c0dd7c1b090c804e328b63b9eb9aea957b

  • SHA512

    1974cf3c9da338a24fcae5526d49f9267cebc54e0756eafdbd358c55374bca6fc0cc109909c7ef3af42807c624c5cba2f8d23f4f86f6a3e81bbd4a9fca9e5306

  • SSDEEP

    3072:7T62yBAnxZpjuXrwuDP0yuDaZiH95wtDsSlNfgZ6QdpsQJXvwJiRF9m:34CZpOk+P0haZYEZl2Z6QnJ/qiRF

Score
10/10
evasionpersistencespywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Disables taskbar notifications via registry modification
    evasion
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\07053ea86dd370d8e7c1e935a96af3b9.exe
    "C:\Users\Admin\AppData\Local\Temp\07053ea86dd370d8e7c1e935a96af3b9.exe"
    1⤵
    • Modifies security service
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2096
    • C:\Users\Admin\AppData\Local\Temp\07053ea86dd370d8e7c1e935a96af3b9.exe
      C:\Users\Admin\AppData\Local\Temp\07053ea86dd370d8e7c1e935a96af3b9.exe startC:\Users\Admin\AppData\Roaming\39F7F\D9E99.exe%C:\Users\Admin\AppData\Roaming\39F7F
      2⤵
        PID:1568
      • C:\Users\Admin\AppData\Local\Temp\07053ea86dd370d8e7c1e935a96af3b9.exe
        C:\Users\Admin\AppData\Local\Temp\07053ea86dd370d8e7c1e935a96af3b9.exe startC:\Program Files (x86)\7F4AB\lvvm.exe%C:\Program Files (x86)\7F4AB
        2⤵
          PID:1764
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2796
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2364

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\39F7F\F4AB.9F7
        Filesize

        1KB

        MD5

        502919f72ca9f03518aa007e3455da0f

        SHA1

        1da0baad57ae1050498c86cbe7704591b33483a4

        SHA256

        e3828882056e177dbdfd976ba3fb09115970283bef3ff18a2c6b24619dbaade3

        SHA512

        4da694132c17b74b1b395ebb64a091aaafb442a9273675698ced01c24421fbc625b19ca15fa87e7797bb67e3f913546d6e55f872b8a43ba63e2362e26a926efe

        Download Submit

      • C:\Users\Admin\AppData\Roaming\39F7F\F4AB.9F7
        Filesize

        600B

        MD5

        7e6228b48cd10a6c2dffac9f858d182b

        SHA1

        ce74d0ae87ae7566d50a434536e6cad80ef77c99

        SHA256

        bf0c854d78e64149f7dddc0a7771e880a49b7a6832f6267d4b5cd56cf05006c2

        SHA512

        7ba925e0457d4fd6f36d5077a9a43db72f021bfe283a6d017df5f568ce5c3b3ff32cc220661691a60ad57e15d3ef9283326ed45a0fa15c127977e66d04123e4d

        Download Submit

      • C:\Users\Admin\AppData\Roaming\39F7F\F4AB.9F7
        Filesize

        1KB

        MD5

        f13b7c30bc593a0053969f39f6a9d73b

        SHA1

        1886430a34f17d08a79d9970a6121b8c03b206db

        SHA256

        27cbba27c9c35b8bef8b129be53f3e650a8fd6c9b976c9aeb9494f9a0f8fecd4

        SHA512

        7e84cadc8db35bf996af53661d00c66aa32432d7530b35dce297cc148f5c0bb410f163789ef538953d25e37bb35b1d817454b06e8d70a65231ba5730ec7d6b0f

        Download Submit

      • C:\Users\Admin\AppData\Roaming\39F7F\F4AB.9F7
        Filesize

        897B

        MD5

        47a36db5add49638940293c6572aa9d4

        SHA1

        9c93805b97d9bc5aa5464696be6534b7b96412fe

        SHA256

        5ed312439200f3d0259960f5d519f94b66d3368c3c6df9cef479a838573bbc54

        SHA512

        2f47732113c957febb4ce67b9029ffccb1bbd29560b37504a7d5080a34b5be4aea84087ce2721942a694220018fd0bb78f7676b20d84598fa13a121f6023a886

        Download Submit

      • memory/1568-16-0x0000000000400000-0x0000000000452000-memory.dmp

        Filesize

        328KB

        Download

      • memory/1764-122-0x0000000000400000-0x0000000000452000-memory.dmp

        Filesize

        328KB

        Download

      • memory/1764-192-0x0000000000530000-0x0000000000630000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1764-123-0x0000000000530000-0x0000000000630000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2096-55-0x0000000000400000-0x0000000000452000-memory.dmp

        Filesize

        328KB

        Download

      • memory/2096-1-0x0000000000400000-0x0000000000452000-memory.dmp

        Filesize

        328KB

        Download

      • memory/2096-48-0x0000000000620000-0x0000000000720000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2096-125-0x0000000000400000-0x0000000000452000-memory.dmp

        Filesize

        328KB

        Download

      • memory/2096-3-0x0000000000400000-0x0000000000452000-memory.dmp

        Filesize

        328KB

        Download

      • memory/2096-2-0x0000000000620000-0x0000000000720000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2096-47-0x0000000000400000-0x0000000000452000-memory.dmp

        Filesize

        328KB

        Download

      • memory/2096-194-0x0000000000400000-0x0000000000452000-memory.dmp

        Filesize

        328KB

        Download

      • memory/2364-124-0x0000000003EF0000-0x0000000003EF1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2364-193-0x0000000003EF0000-0x0000000003EF1000-memory.dmp

        Filesize

        4KB

        Download