Analysis
- max time kernel: 172s
- max time network: 182s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/12/2023, 05:40
Static task: static1

Behavioral task: behavioral1
- Sample: 08af350036c437cf4c25db00c0b6b267.exe
- Resource: win7-20231129-en

Behavioral task: behavioral2
- Sample: 08af350036c437cf4c25db00c0b6b267.exe
- Resource: win10v2004-20231215-en
General
- Target: 08af350036c437cf4c25db00c0b6b267.exe
- Size: 232KB
- MD5: 08af350036c437cf4c25db00c0b6b267
- SHA1: 5a1a6e24e59eaab9af037451b53c9a02a153c9e0
- SHA256: e662d7869dc51b5a75af09fa29327a30fa3a18b388d9c4ca8b425e9884cf14f2
- SHA512: d0cf3a0f99088dfeb34c923b34bea8febddf551fff01634e22e67f6302a1b15b0c2ecbb4ff92ac21bb22e306262159f91691e722f975070b3b88eda4ea88235d
- SSDEEP: 6144:bZfaGHXxGkvWFvGQ2+8RifCh60unTBY2U4Q:5aCWN2XifChvunTbU
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"
  Process: 08af350036c437cf4c25db00c0b6b267.exe
  The value name and file name mimic the legitimate conhost.exe from %SystemRoot%\System32, but the path points into the user-writable %APPDATA%\Microsoft directory. The key is the machine-wide HKLM Run key as seen through WOW6432Node registry redirection (the sample is tagged arch:x86), so the entry is launched at every user's logon.
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process                               procid_target
  PID 3344 wrote to memory of 4628   3344  08af350036c437cf4c25db00c0b6b267.exe  90
  PID 3344 wrote to memory of 4628   3344  08af350036c437cf4c25db00c0b6b267.exe  90
  PID 3344 wrote to memory of 4628   3344  08af350036c437cf4c25db00c0b6b267.exe  90
  PID 3344 wrote to memory of 3812   3344  08af350036c437cf4c25db00c0b6b267.exe  94
  PID 3344 wrote to memory of 3812   3344  08af350036c437cf4c25db00c0b6b267.exe  94
  PID 3344 wrote to memory of 3812   3344  08af350036c437cf4c25db00c0b6b267.exe  94
  Both target PIDs (4628 and 3812) are the sample's own child processes listed under Processes below; the writer and the targets are the same binary.
Processes
- C:\Users\Admin\AppData\Local\Temp\08af350036c437cf4c25db00c0b6b267.exe (PID 3344, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\08af350036c437cf4c25db00c0b6b267.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\08af350036c437cf4c25db00c0b6b267.exe (PID 4628, level 2)
    command line: C:\Users\Admin\AppData\Local\Temp\08af350036c437cf4c25db00c0b6b267.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  - C:\Users\Admin\AppData\Local\Temp\08af350036c437cf4c25db00c0b6b267.exe (PID 3812, level 2)
    command line: C:\Users\Admin\AppData\Local\Temp\08af350036c437cf4c25db00c0b6b267.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
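The Run-key IoC and the two child command lines give enough to build a small triage check. The script below is an added example, not tria.ge code or output: it copies those report lines inline (constructed from this page), parses the Run key value and the "start<path>%<dir>" argument, collapses the repeated WriteProcessMemory rows into parent-to-child pairs, and flags any path whose file name is a System32 binary (conhost.exe, csrss.exe, dwm.exe, ...) but lives outside System32. The helper names, the short System32 allowlist and the reading of "%" as a field separator are assumptions made for illustration.

```python
"""Parse the persistence and memory-write IoCs from a tria.ge-style report
and flag system-binary names that live outside System32.

Added example, not tria.ge code: the report excerpts are copied from this
page; the helper names, the masquerade heuristic and the System32 allowlist
are assumptions made for illustration."""
import re
from collections import defaultdict

# Excerpts copied from the report (constructed inline so the script runs offline).
RUN_IOC = (r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft'
           r'\Windows\CurrentVersion\Run\conhost = '
           r'"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"')

WPM_IOCS = """\
PID 3344 wrote to memory of 4628 3344 08af350036c437cf4c25db00c0b6b267.exe 90
PID 3344 wrote to memory of 4628 3344 08af350036c437cf4c25db00c0b6b267.exe 90
PID 3344 wrote to memory of 4628 3344 08af350036c437cf4c25db00c0b6b267.exe 90
PID 3344 wrote to memory of 3812 3344 08af350036c437cf4c25db00c0b6b267.exe 94
PID 3344 wrote to memory of 3812 3344 08af350036c437cf4c25db00c0b6b267.exe 94
PID 3344 wrote to memory of 3812 3344 08af350036c437cf4c25db00c0b6b267.exe 94
"""

# Child command lines exactly as the report renders them ('start' fused to the path).
CHILD_CMDLINES = [
    r"C:\Users\Admin\AppData\Local\Temp\08af350036c437cf4c25db00c0b6b267.exe "
    r"startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming",
    r"C:\Users\Admin\AppData\Local\Temp\08af350036c437cf4c25db00c0b6b267.exe "
    r"startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp",
]

# Binaries that legitimately live only in %SystemRoot%\System32 (assumption:
# a short allowlist is enough for this report; extend it for real hunting).
SYSTEM32_NAMES = {"conhost.exe", "csrss.exe", "dwm.exe", "svchost.exe",
                  "lsass.exe", "winlogon.exe", "smss.exe"}
SYSTEM32_DIR = r"c:\windows\system32"


def is_masquerading(path):
    """True when the file name is a System32 binary name but the path is not
    under System32 (ATT&CK T1036 masquerading heuristic)."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    return name in SYSTEM32_NAMES and not p.startswith(SYSTEM32_DIR + "\\")


def parse_run_ioc(line):
    """Split a 'Set value (str) <key> = "<data>"' IoC into (key, data),
    undoing the doubled backslashes the report uses inside the quotes."""
    m = re.search(r'Set value \(str\) (\S+) = "(.*)"', line)
    if not m:
        return None
    return m.group(1), m.group(2).replace("\\\\", "\\")


def parse_start_cmdline(cmdline):
    """Recover (drop_path, drop_dir) from the sample's 'start<path>%<dir>'
    argument. Assumption: '%' separates the two fields; the optional
    whitespace in the pattern accepts both 'startC:' and 'start C:'."""
    m = re.search(r"start\s*([A-Za-z]:\\[^%]+)%(.+)$", cmdline)
    return (m.group(1), m.group(2)) if m else None


def parse_wpm_iocs(text):
    """Collapse the repeated WriteProcessMemory rows into
    {(writer_pid, writer_image): {target_pid, ...}}."""
    writes = defaultdict(set)
    pat = r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)"
    for m in re.finditer(pat, text):
        writes[(int(m.group(1)), m.group(4))].add(int(m.group(2)))
    return dict(writes)


def triage():
    """Return the findings a hunter would act on, in report order."""
    findings = []
    key, data = parse_run_ioc(RUN_IOC)
    if is_masquerading(data):
        findings.append(("run_key_masquerade", key, data))
    for cmdline in CHILD_CMDLINES:
        drop_path, drop_dir = parse_start_cmdline(cmdline)
        if is_masquerading(drop_path):
            findings.append(("drop_path_masquerade", drop_path, drop_dir))
    for (pid, image), targets in parse_wpm_iocs(WPM_IOCS).items():
        if len(targets) >= 2:  # one parent writing into several children
            findings.append(("multi_child_memory_write", pid, sorted(targets)))
    return findings


if __name__ == "__main__":
    for finding in triage():
        print(*finding)
```

Run as-is it reports the conhost.exe Run entry, the dwm.exe and csrss.exe drop paths, and PID 3344 writing into both 4628 and 3812. The same `is_masquerading` check applies to Run keys collected from a live host; the allowlist is deliberately small and should be extended (and the System32 prefix compared against the real %SystemRoot%) before use outside this report.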
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 600B
  MD5: 63b1cc3904be591f5f4f9fc00c2632ed
  SHA1: d07a714953663b6cb84c5d9ed06a80b8d069929e
  SHA256: 214dce1698b970e8860178ecf07405178b379224eb7f3a949458f6ce2dce9825
  SHA512: 8ea56f1f4a2de701d32db7ec1b293bbddf281b8e05a541de5433a64805b897c1e1f77bdacc7a257a85a92f5935a5d8f1f76795db0de2832e3851d03a66fe6673
- Filesize: 996B
  MD5: 0b46164d49e32ea1200f5229b8874151
  SHA1: 4676a71506bca79bcbc8f84beb57ae9b01bdb17d
  SHA256: 8612a65efd44192923e4bd478e0b94957ce090feb299a61a57be411d6dd6ba58
  SHA512: 98f01ddde2d0325a1edc4fd35db08a920de8adf0c1fce2ef9acff3402f043aa5dca814950ff9c35e49e50daadd5fd3c380c9ea34887372b5f2d2ffe5f0752dce
- Filesize: 1KB
  MD5: 47f62b9122a636518743b08af6998571
  SHA1: 23a92abc39e7624f6066b2283a401b8d41eed431
  SHA256: 384e21568d545accf4693e93d831734fa0cd8f30386771b799ac58fbd2d66ea2
  SHA512: fe8cfb583ea0f9f915d2dfe0bb0d18e6a41c14001f579c940e82d88cb9cb0f039959b99760b787184df8d9be587b351d6ce2e6ac9ed8ad99466991cf79530fbb