Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 25/12/2023, 13:46
Behavioral task: behavioral1
- Sample: 22db929365b57752f6181d4b23016241.exe
- Resource: win7-20231129-en
General
- Target: 22db929365b57752f6181d4b23016241.exe
- Size: 33KB
- MD5: 22db929365b57752f6181d4b23016241
- SHA1: 30efa866aea90cf92998826c113d08b4e9f66d2f
- SHA256: 39fe6cf655f0881af0b3ba2a02e7b2803ca195788279f177696dbc6c1be77eb8
- SHA512: d1ae032f4c41668709cc0630c35e80325443155319d4a4c4044ab595d6cd729660f5c40c160d5cddd0892ac937af5a0351b059b4b5603a979de000f2e0b358c2
- SSDEEP: 768:UnykwyDKF0Pw95DDaxq56pv4tZiR+T0vjFfbM:Unyk9ojmpp8a+T0Fb
Malware Config
Signatures
- Stops running service(s) (3 TTPs)
- Deletes itself (1 IoC)
    pid   Process
    2636  rundll32.exe
- Loads dropped DLL (1 IoC)
    pid   Process
    2636  rundll32.exe
- Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
- YARA rule matches
    resource                                                                      yara_rule
    behavioral1/memory/1904-0-0x0000000000400000-0x0000000000416000-memory.dmp    upx
    behavioral1/memory/1904-11-0x0000000000400000-0x0000000000416000-memory.dmp   upx
- Drops file in System32 directory (11 IoCs)
    description                   ioc                                          Process
    File created                  C:\Windows\SysWOW64\yuksuser.dll             22db929365b57752f6181d4b23016241.exe
    File created                  C:\Windows\SysWOW64\ksuser.dll               22db929365b57752f6181d4b23016241.exe
    File created                  C:\Windows\SysWOW64\yumidimap.dll            22db929365b57752f6181d4b23016241.exe
    File created                  C:\Windows\SysWOW64\midimap.dll              22db929365b57752f6181d4b23016241.exe
    File created                  C:\Windows\SysWOW64\dllcache\msimg32.dll     22db929365b57752f6181d4b23016241.exe
    File opened for modification  C:\Windows\SysWOW64\yuksuser.dll             22db929365b57752f6181d4b23016241.exe
    File created                  C:\Windows\SysWOW64\dllcache\ksuser.dll      22db929365b57752f6181d4b23016241.exe
    File created                  C:\Windows\SysWOW64\dllcache\midimap.dll     22db929365b57752f6181d4b23016241.exe
    File created                  C:\Windows\SysWOW64\yumsimg32.dll            22db929365b57752f6181d4b23016241.exe
    File created                  C:\Windows\SysWOW64\msimg32.dll              22db929365b57752f6181d4b23016241.exe
    File created                  C:\Windows\SysWOW64\gggapp23.dll             22db929365b57752f6181d4b23016241.exe
- Launches sc.exe (2 IoCs)
    sc.exe is a Windows utility to control services on the system.
    pid   Process
    2516  sc.exe
    1932  sc.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
    pid   Process
    1904  22db929365b57752f6181d4b23016241.exe
    1904  22db929365b57752f6181d4b23016241.exe
    1904  22db929365b57752f6181d4b23016241.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
    pid   Process
    1904  22db929365b57752f6181d4b23016241.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
    description                          pid   Process                               procid_target
    PID 1904 wrote to memory of 2392     1904  22db929365b57752f6181d4b23016241.exe  16
    PID 1904 wrote to memory of 2392     1904  22db929365b57752f6181d4b23016241.exe  16
    PID 1904 wrote to memory of 2392     1904  22db929365b57752f6181d4b23016241.exe  16
    PID 1904 wrote to memory of 2392     1904  22db929365b57752f6181d4b23016241.exe  16
    PID 1904 wrote to memory of 1932     1904  22db929365b57752f6181d4b23016241.exe  21
    PID 1904 wrote to memory of 1932     1904  22db929365b57752f6181d4b23016241.exe  21
    PID 1904 wrote to memory of 1932     1904  22db929365b57752f6181d4b23016241.exe  21
    PID 1904 wrote to memory of 1932     1904  22db929365b57752f6181d4b23016241.exe  21
    PID 1904 wrote to memory of 2516     1904  22db929365b57752f6181d4b23016241.exe  20
    PID 1904 wrote to memory of 2516     1904  22db929365b57752f6181d4b23016241.exe  20
    PID 1904 wrote to memory of 2516     1904  22db929365b57752f6181d4b23016241.exe  20
    PID 1904 wrote to memory of 2516     1904  22db929365b57752f6181d4b23016241.exe  20
    PID 2392 wrote to memory of 3044     2392  net.exe                               17
    PID 2392 wrote to memory of 3044     2392  net.exe                               17
    PID 2392 wrote to memory of 3044     2392  net.exe                               17
    PID 2392 wrote to memory of 3044     2392  net.exe                               17
    PID 1904 wrote to memory of 2636     1904  22db929365b57752f6181d4b23016241.exe  35
    PID 1904 wrote to memory of 2636     1904  22db929365b57752f6181d4b23016241.exe  35
    PID 1904 wrote to memory of 2636     1904  22db929365b57752f6181d4b23016241.exe  35
    PID 1904 wrote to memory of 2636     1904  22db929365b57752f6181d4b23016241.exe  35
    PID 1904 wrote to memory of 2636     1904  22db929365b57752f6181d4b23016241.exe  35
    PID 1904 wrote to memory of 2636     1904  22db929365b57752f6181d4b23016241.exe  35
    PID 1904 wrote to memory of 2636     1904  22db929365b57752f6181d4b23016241.exe  35
Processes
- C:\Windows\SysWOW64\net.exe
    Command line: net stop cryptsvc
    Signatures: Suspicious use of WriteProcessMemory
    PID: 2392
    - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop cryptsvc
        PID: 3044
- C:\Windows\SysWOW64\sc.exe
    Command line: sc delete cryptsvc
    Signatures: Launches sc.exe
    PID: 2516
- C:\Windows\SysWOW64\sc.exe
    Command line: sc config cryptsvc start= disabled
    Signatures: Launches sc.exe
    PID: 1932
- C:\Users\Admin\AppData\Local\Temp\22db929365b57752f6181d4b23016241.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\22db929365b57752f6181d4b23016241.exe"
    Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    PID: 1904
    - C:\Windows\SysWOW64\rundll32.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\1703764730.dat, ServerMain c:\users\admin\appdata\local\temp\22db929365b57752f6181d4b23016241.exe
        Signatures: Deletes itself; Loads dropped DLL
        PID: 2636
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 33KB
    MD5: 6a40e894109842465daee6a885c9c63b
    SHA1: a1920cd29e08ca0f582b885d2287d78a22da3650
    SHA256: 7a52ffaa9a745615b5b613cab93253ad7f44c64eed8c03c91cbfd0575998b429
    SHA512: 7ba8452bb78813ac757b41ace66e6dbd7e2a5a1fff6dab1bfd873709dc538f1b5e43342745b76828d56be27dad0d61c9ae91e2494c9cf8b6e8e35915c5aaad1e