Analysis
- max time kernel: 145s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25/12/2023, 19:01

Static task: static1
Behavioral task: behavioral1
- Sample: 365e3abc434dd080c3ee8bbd86739eac.exe
- Resource: win7-20231215-en
General
- Target: 365e3abc434dd080c3ee8bbd86739eac.exe
- Size: 1.2MB
- MD5: 365e3abc434dd080c3ee8bbd86739eac
- SHA1: 3fae6886e7cb3c9c836154bfc1014f7574e95558
- SHA256: 22fbbb2d9503b10560b779b14733616d19d66ae46fd54e64ff326a338653fc83
- SHA512: b92db089fff74e8387301a443d6f78cac2ee3e21d234ede63bba3c448cce2f6286521bb0b9dffac513fbd10aab0859eb992c79fa77ad8e51f4b254ba4d9e1a2d
- SSDEEP: 24576:N00JRlD0wr7tV1F7pl2BocE+pgaFd9uN0cxi5SzA:N0g1HtV1F7pIBC+pfON04i5S
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (1 IoCs)
  description: File created
  ioc: C:\PROGRA~2\is259417479.log
  Process: 365e3abc434dd080c3ee8bbd86739eac.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings (1 IoCs)
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main
  Process: 365e3abc434dd080c3ee8bbd86739eac.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 2908, Process: 365e3abc434dd080c3ee8bbd86739eac.exe
  pid: 2908, Process: 365e3abc434dd080c3ee8bbd86739eac.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeShutdownPrivilege
  pid: 2908, Process: 365e3abc434dd080c3ee8bbd86739eac.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 2908, Process: 365e3abc434dd080c3ee8bbd86739eac.exe
  pid: 2908, Process: 365e3abc434dd080c3ee8bbd86739eac.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2908 wrote to memory of 2840; pid: 2908, Process: 365e3abc434dd080c3ee8bbd86739eac.exe, procid_target: 28
  description: PID 2908 wrote to memory of 2840; pid: 2908, Process: 365e3abc434dd080c3ee8bbd86739eac.exe, procid_target: 28
  description: PID 2908 wrote to memory of 2840; pid: 2908, Process: 365e3abc434dd080c3ee8bbd86739eac.exe, procid_target: 28
  description: PID 2908 wrote to memory of 2840; pid: 2908, Process: 365e3abc434dd080c3ee8bbd86739eac.exe, procid_target: 28
Processes
- C:\Users\Admin\AppData\Local\Temp\365e3abc434dd080c3ee8bbd86739eac.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\365e3abc434dd080c3ee8bbd86739eac.exe"
  PID: 2908
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\365e3abc434dd080c3ee8bbd86739eac.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\365e3abc434dd080c3ee8bbd86739eac.exe" /_ShowProgress
    PID: 2840
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 83487401daf307d6c726a479de1ee6f9
  SHA1: c173be4937a63672570078b325864c76b28040b8
  SHA256: f4f0f59fccd9b87b208b416423797dcfb532472dcfef99bef41a11ea9f6f713b
  SHA512: da69729b6682acd1c46587c7c3b4533d9afbcf84c17e55f43798f1fee0097c7a2f39860e6dbc6a9b1cb26dc63d9afab4511071981ad5fd494f36ad9659c56e50
- Filesize: 156B
  MD5: 1ea9e5b417811379e874ad4870d5c51a
  SHA1: a4bd01f828454f3619a815dbe5423b181ec4051c
  SHA256: f076773a6e3ae0f1cee3c69232779a1aaaf05202db472040c0c8ea4a70af173a
  SHA512: 965c10d2aa5312602153338da873e8866d2782e0cf633befe5a552b770e08abf47a4d2e007cdef7010c212ebcb9fefea5610c41c7ed1553440eaeab7ddd72daa
- Filesize: 5KB
  MD5: c4defa8d39bae67d8f65a0db206ce195
  SHA1: 61c4c8d278c15f4fbcf3d5c471adf796135920b5
  SHA256: ac85063553d730cb11945522296d3887dc200fba829024c92bb3c72ce24b4de1
  SHA512: 8d9565d2ddbb5b9d336b7275f5e3c3398444cd467a162a5831238057855273571991bfe1812c50a5a94446014e15871ba1a42dfc9f3b53e73d31f185acc2b39f
- Filesize: 507B
  MD5: abc5fac091a8548789f3e6b4553ef430
  SHA1: c02d3c132f87607b7081a7b61fbd48728cc75ee4
  SHA256: d482709570c0f9259ccf0ca4569a9ca05b37798910fe650da459b30dd832c845
  SHA512: 5e01c691a1b4e2e767e73c32bd74866ebe5a61532438c4c222058f832c26901824fe365157f23a3f559de171332b743c9a55f0ae4ce5c004ae24cd906595a2b3
- Filesize: 21KB
  MD5: e4f15874b7d6a90e64364a02269bc4df
  SHA1: 63e6ea43b6f890cb00dab260967723730f525cb0
  SHA256: 1d4313dacef0bbf110c9f7b8bf4035334a6f7c9f2e05caa775aef936e4fb69d3
  SHA512: fc707be1c0209b83f4403e95d2c2b67703d68309b6d27842d596c44179980c29e020a639b90956b79e4661c1e82f8ab615a054475c66d855b49669d7f20ebd35
- Filesize: 1KB
  MD5: a379d9826c7537e27c3d039e6d816382
  SHA1: 19fc3f105175fa7b61d91e3217f2f7b56bc752a6
  SHA256: ed26660ccbec7a439f5158741892beb9b63d2e7b9c491e359535d2cbce4f4e72
  SHA512: cd2b2c5a559968857ff759351d8d5133410be863b97587ef50ea0b769ff46d142e96aedd24eeeb01b0aca55292cf91a86ea9569fa4c3838007a2aa76ab60ae55
- Filesize: 1KB
  MD5: 08ffc7fcaf5adc850cc454275a98274c
  SHA1: d504fa7e100b7dc379b83a8565b307e6485bf29b
  SHA256: 28879145d87be92a4ca7896fc60f6eaa81d5baa5d12af34e768e2ad374a8ffa4
  SHA512: 96639e4bf4cfc9d353c071768f88cc6da7342619c5e19cffcff0e2fd53edae13b49e398ddc51b2d78ef89900f895f2b26172360222e860dcf11ea43560a111bc
- Filesize: 10KB
  MD5: 57ca1a2085d82f0574e3ef740b9a5ead
  SHA1: 2974f4bf37231205a256f2648189a461e74869c0
  SHA256: 476a7b1085cc64de1c0eb74a6776fa8385d57eb18774f199df83fc4d7bbcc24e
  SHA512: 2d50b9095d06ffd15eeeccf0eb438026ca8d09ba57141fed87a60edd2384e2139320fb5539144a2f16de885c49b0919a93690974f32b73654debca01d9d7d55c
- Filesize: 1KB
  MD5: 1f6b8e14e2373b4b184bb57ac1fca760
  SHA1: ed2fec181aee0ec89d19215566a784be4ff4e5a1
  SHA256: 14336d4607b68a7ddc02e28cbafe89ea75d089fa7621e3304b04d249019b9da5
  SHA512: 8e778d230eece0528ab51b2c6afa9545b583def95dc184e187cc9914139f79bd67f715c800b6e9fcd5368dbe343aa4289ae34c2746d4e0d6d2e9353c8d5524eb