Analysis
- max time kernel: 141s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 24/12/2023, 19:18
Static task: static1
Behavioral task: behavioral1
- Sample: 0cd1e3e4181803c81e500412fbe79b70.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 0cd1e3e4181803c81e500412fbe79b70.exe
- Resource: win10v2004-20231215-en
General
- Target: 0cd1e3e4181803c81e500412fbe79b70.exe
- Size: 204KB
- MD5: 0cd1e3e4181803c81e500412fbe79b70
- SHA1: bf69949401e43145e962537df925e5b7a7246864
- SHA256: 7dd8befa6135e039fd241d52e4975b3bc1268e24e4e0dcae1c0699ab482b404b
- SHA512: d876f9c64842c3a9821464deb7c3154b196239afad679ffa58e2c3d0aa09d1c2e1be71f1a62eebc851eb6f82b2a77c775e7e5ae14ea3ff45001299d56bdf0558
- SSDEEP: 6144:WpAKPdcFEABgdr5yKzq+DbJqEWHmipRE1OQJveZoTdf:kAGcFEA6q+3JqpHmDHVeZy
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"
  Process: 0cd1e3e4181803c81e500412fbe79b70.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- YARA rule matches on memory dumps (yara_rule: upx)
  resource                                                                      yara_rule
  behavioral1/memory/824-2-0x0000000000400000-0x000000000048D000-memory.dmp     upx
  behavioral1/memory/1636-6-0x0000000000400000-0x000000000048D000-memory.dmp    upx
  behavioral1/memory/1636-5-0x0000000000400000-0x000000000048D000-memory.dmp    upx
  behavioral1/memory/824-15-0x0000000000400000-0x000000000048D000-memory.dmp    upx
  behavioral1/memory/2792-90-0x0000000000400000-0x000000000048D000-memory.dmp   upx
  behavioral1/memory/2792-89-0x0000000000400000-0x000000000048D000-memory.dmp   upx
  behavioral1/memory/824-92-0x0000000000400000-0x000000000048D000-memory.dmp    upx
  behavioral1/memory/1636-94-0x0000000000520000-0x0000000000620000-memory.dmp   upx
  behavioral1/memory/824-194-0x0000000000400000-0x000000000048D000-memory.dmp   upx
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                          pid   Process                                   procid_target
  PID 824 wrote to memory of 1636      824   0cd1e3e4181803c81e500412fbe79b70.exe      27
  PID 824 wrote to memory of 1636      824   0cd1e3e4181803c81e500412fbe79b70.exe      27
  PID 824 wrote to memory of 1636      824   0cd1e3e4181803c81e500412fbe79b70.exe      27
  PID 824 wrote to memory of 1636      824   0cd1e3e4181803c81e500412fbe79b70.exe      27
  PID 824 wrote to memory of 2792      824   0cd1e3e4181803c81e500412fbe79b70.exe      30
  PID 824 wrote to memory of 2792      824   0cd1e3e4181803c81e500412fbe79b70.exe      30
  PID 824 wrote to memory of 2792      824   0cd1e3e4181803c81e500412fbe79b70.exe      30
  PID 824 wrote to memory of 2792      824   0cd1e3e4181803c81e500412fbe79b70.exe      30
Processes
- C:\Users\Admin\AppData\Local\Temp\0cd1e3e4181803c81e500412fbe79b70.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0cd1e3e4181803c81e500412fbe79b70.exe"
  PID: 824
  - Modifies WinLogon for persistence
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\0cd1e3e4181803c81e500412fbe79b70.exe
    command line: C:\Users\Admin\AppData\Local\Temp\0cd1e3e4181803c81e500412fbe79b70.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
    PID: 1636
  - C:\Users\Admin\AppData\Local\Temp\0cd1e3e4181803c81e500412fbe79b70.exe
    command line: C:\Users\Admin\AppData\Local\Temp\0cd1e3e4181803c81e500412fbe79b70.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
    PID: 2792
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 600B
  MD5: e064d1abbfe3576cf1afeefb41695d27
  SHA1: df52f8ff217712bff8f7462a5ff1d05c9e4e7fc8
  SHA256: ee8e80ff6011b87654b10bba6c692fe15fed9dfc89b7a27b01f2aaee8b542368
  SHA512: 187daed5e8904b0c0abae9d8fa6babd0a5b404b5e1fef386b145f7ce00455377a297de414a86187c4e91bd1fc632139f55fc21846ee1d90451186d3527da3758
- Filesize: 996B
  MD5: 469e0ed0bafd757cfd6db90903c489dd
  SHA1: 15110bf29b8357132e480aec0e978e5b6467480c
  SHA256: 6ae82967d4ee3aae3269b7f7556b436c3d7cd276bb1c4c3d6751f66037a13a28
  SHA512: 6d5c2edca6b981d5354f826362fdf5984114df1b915c1d280f946a65b67e7897a6d0c6f0c59f0a72ad6f2b40dafb86be23b6f6451019cbcc8e6cbb00e96833e8