Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 13:46

General

  • Target

    22db929365b57752f6181d4b23016241.exe

  • Size

    33KB

  • MD5

    22db929365b57752f6181d4b23016241

  • SHA1

    30efa866aea90cf92998826c113d08b4e9f66d2f

  • SHA256

    39fe6cf655f0881af0b3ba2a02e7b2803ca195788279f177696dbc6c1be77eb8

  • SHA512

    d1ae032f4c41668709cc0630c35e80325443155319d4a4c4044ab595d6cd729660f5c40c160d5cddd0892ac937af5a0351b059b4b5603a979de000f2e0b358c2

  • SSDEEP

    768:UnykwyDKF0Pw95DDaxq56pv4tZiR+T0vjFfbM:Unyk9ojmpp8a+T0Fb

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 11 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\SysWOW64\net.exe
    net stop cryptsvc
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2392
    • C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop cryptsvc
      2⤵
        PID:3044
    • C:\Windows\SysWOW64\sc.exe
      sc delete cryptsvc
      1⤵
      • Launches sc.exe
      PID:2516
    • C:\Windows\SysWOW64\sc.exe
      sc config cryptsvc start= disabled
      1⤵
      • Launches sc.exe
      PID:1932
    • C:\Users\Admin\AppData\Local\Temp\22db929365b57752f6181d4b23016241.exe
      "C:\Users\Admin\AppData\Local\Temp\22db929365b57752f6181d4b23016241.exe"
      1⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1904
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Users\Admin\AppData\Local\Temp\1703764730.dat, ServerMain c:\users\admin\appdata\local\temp\22db929365b57752f6181d4b23016241.exe
        2⤵
        • Deletes itself
        • Loads dropped DLL
        PID:2636

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1703764730.dat

      Filesize

      33KB

      MD5

      6a40e894109842465daee6a885c9c63b

      SHA1

      a1920cd29e08ca0f582b885d2287d78a22da3650

      SHA256

      7a52ffaa9a745615b5b613cab93253ad7f44c64eed8c03c91cbfd0575998b429

      SHA512

      7ba8452bb78813ac757b41ace66e6dbd7e2a5a1fff6dab1bfd873709dc538f1b5e43342745b76828d56be27dad0d61c9ae91e2494c9cf8b6e8e35915c5aaad1e

    • memory/1904-0-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

    • memory/1904-11-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB