Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

021b0cbf22...06.exe

windows7-x64

10

021b0cbf22...06.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    140s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 03:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    021b0cbf226901c3dff865badac14606.exe

  • Size

    121KB

  • MD5

    021b0cbf226901c3dff865badac14606

  • SHA1

    de36ae59c8f71b7d7391d52ea2343a1f960908ee

  • SHA256

    7dfeebeb24919749a64ea866080c81d0ab607b42dd27e28a709cef984265c908

  • SHA512

    87354c23fad1d1cccdb028e6e656a18cd9417e7e4fbbe4da1297c200e7710b2f0b2a79073ca42252a27861a3af949cf63ffd1a4497b0a9c6d331035fa44334cc

  • SSDEEP

    3072:/o5GoZYquZIPJCr743kerpmYExqHXhT5RnaY8Is7fCVz9VWokC:/oryZICr743keXnHEIqfCz4ok

Score
10/10
persistencespywarestealerupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\021b0cbf226901c3dff865badac14606.exe
    "C:\Users\Admin\AppData\Local\Temp\021b0cbf226901c3dff865badac14606.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Users\Admin\AppData\Local\Temp\021b0cbf226901c3dff865badac14606.exe
      C:\Users\Admin\AppData\Local\Temp\021b0cbf226901c3dff865badac14606.exe startC:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
      2⤵
        PID:2876
      • C:\Users\Admin\AppData\Local\Temp\021b0cbf226901c3dff865badac14606.exe
        C:\Users\Admin\AppData\Local\Temp\021b0cbf226901c3dff865badac14606.exe startC:\Users\Admin\AppData\Local\Temp\dwm.exe%C:\Users\Admin\AppData\Local\Temp
        2⤵
          PID:2672

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\stor.cfg
        Filesize

        792B

        MD5

        a0c106036303fc521b0e55effa608257

        SHA1

        8dece7c63011fc75b3d2694c974c29053df06662

        SHA256

        df43c2385ddb6b2cb1dca9c8bb3a3c22d2bbeaeec7abc7d31fd6451144acbc1a

        SHA512

        20b6540d802de061fe048feebd055f52c1c2a0c25bb06d8bb08bc9310735dc839531af64e7d3d441323f1afac6d830c190112525aa6af880fe9ade7a7ce68e47

        Download Submit

      • memory/2356-3-0x0000000000630000-0x0000000000730000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2356-2-0x0000000000400000-0x0000000000476000-memory.dmp

        Filesize

        472KB

        Download

      • memory/2356-13-0x0000000000400000-0x0000000000476000-memory.dmp

        Filesize

        472KB

        Download

      • memory/2356-15-0x0000000000630000-0x0000000000730000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2672-12-0x000000000067E000-0x0000000000691000-memory.dmp

        Filesize

        76KB

        Download

      • memory/2672-11-0x0000000000400000-0x0000000000476000-memory.dmp

        Filesize

        472KB

        Download

      • memory/2876-7-0x0000000000400000-0x0000000000476000-memory.dmp

        Filesize

        472KB

        Download

      • memory/2876-8-0x00000000004F0000-0x00000000005F0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2876-27-0x00000000004F0000-0x00000000005F0000-memory.dmp

        Filesize

        1024KB

        Download