Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 08:45

General

  • Target

    12de67671478b5e64f2f453eb861238e.exe

  • Size

    250KB

  • MD5

    12de67671478b5e64f2f453eb861238e

  • SHA1

    ae772610e68b1a5ac05fc9eec1bebc93ae82ea9b

  • SHA256

    5ca4396c17bed61237f10391412184039062e7e7f51e2f334a22eeaccb667f4d

  • SHA512

    35fe593e56c8e7c55ed54707083315d81caf4dac214c5e61c3d5eb959950ef223d61b7c13e71ef34aaac03b4639bff18e6ceb46290a2e157928fc499140cb9c6

  • SSDEEP

    6144:h1OgDPdkBAFZWjadD4s5kY1tvYTlERQDcisW:h1OgLdaOnQpWScVW

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Modifies registry class 45 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12de67671478b5e64f2f453eb861238e.exe
    "C:\Users\Admin\AppData\Local\Temp\12de67671478b5e64f2f453eb861238e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:848
    • C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\50f90a5d3f513.exe
      .\50f90a5d3f513.exe /s
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops Chrome extension
      • Installs/modifies Browser Helper Object
      • Modifies registry class
      • System policy modification
      PID:2924

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\7zS17C5.tmp\50f90a5d3f513.exe

    Filesize

    71KB

    MD5

    b78633fae8aaf5f7e99e9c736f44f9c5

    SHA1

    26fc60e29c459891ac0909470ac6c61a1eca1544

    SHA256

    d205693516dbaf34cfbd216e825190de4de1412e861bc9cb30ce863907b30d22

    SHA512

    3885b609269b26918ccfcd9069181168c12f4271b6bdfcc51afe176b2dd242d4c0953ac1a4ddaf25abcfaf28a0b694a6269d96ae39bb7b2db2f0140d2d60cd43

  • memory/2924-81-0x0000000075110000-0x000000007511A000-memory.dmp

    Filesize

    40KB