Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
135s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
25/12/2023, 15:46
Static task
static1
Behavioral task
behavioral1
Sample
2a6955da5df9d5e7d96436fbb794a228.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2a6955da5df9d5e7d96436fbb794a228.exe
Resource
win10v2004-20231222-en
General
-
Target
2a6955da5df9d5e7d96436fbb794a228.exe
-
Size
130KB
-
MD5
2a6955da5df9d5e7d96436fbb794a228
-
SHA1
1531c001411fd279a523e153b5656c8536d32cbe
-
SHA256
a7b5a96f9e363da6ad6a3977ca8c48629c73ce47af2278b5f5c4918c3108faf8
-
SHA512
a72972d8789c7ff175de650db26f974b21b0efa36eef02596ef242c7ad28e6bb8307fa74aa90807275073baeae7b572d30581c8d95c84b5405bc72215a0909f5
-
SSDEEP
3072:P6soD+rIVF8MTLWsjUf+C+e1Da0DK0end:P5J0VFNTY+gDKNd
Malware Config
Extracted
pony
http://108.166.65.182:8080/pony/gate.php
http://aloucakbileti.com:8080/pony/gate.php
-
payload_url
http://imprentasolucionesgraficas.com/GKGfWUD.exe
http://hidollar.com.au/miDXkQ.exe
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeImpersonatePrivilege 1708 2a6955da5df9d5e7d96436fbb794a228.exe Token: SeTcbPrivilege 1708 2a6955da5df9d5e7d96436fbb794a228.exe Token: SeChangeNotifyPrivilege 1708 2a6955da5df9d5e7d96436fbb794a228.exe Token: SeCreateTokenPrivilege 1708 2a6955da5df9d5e7d96436fbb794a228.exe Token: SeBackupPrivilege 1708 2a6955da5df9d5e7d96436fbb794a228.exe Token: SeRestorePrivilege 1708 2a6955da5df9d5e7d96436fbb794a228.exe Token: SeIncreaseQuotaPrivilege 1708 2a6955da5df9d5e7d96436fbb794a228.exe Token: SeAssignPrimaryTokenPrivilege 1708 2a6955da5df9d5e7d96436fbb794a228.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 1708 2a6955da5df9d5e7d96436fbb794a228.exe