Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/12/2023, 10:26

General

  • Target

    672553d4798cd55d179697399af5523a.exe

  • Size

    990KB

  • MD5

    672553d4798cd55d179697399af5523a

  • SHA1

    918deabf364663ed2db89f9866e834bfdb00bc06

  • SHA256

    6def25287846661b87d6bc6d3ea21e471fc5b8859ce9a9c3e000c2bdeae56d7f

  • SHA512

    a036a69b6d38e5042e1f1a3497b47ce96d3c926909d6896a522ab7826344a383bfc70f425348de5f45443ff09b3e8f89d9872dd718947295cbc24e7ce51e962b

  • SSDEEP

    24576:91G965sjkZcf3Eo63487oYbJd5A8uvKzS4MvKCINHPf4xVEP:ZsR3EoxYBbSDvKz0vKCINvgxVEP

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 41 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\672553d4798cd55d179697399af5523a.exe
    "C:\Users\Admin\AppData\Local\Temp\672553d4798cd55d179697399af5523a.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2500
    • C:\Users\Admin\AppData\Local\Temp\nsd3766.tmp\dlhelpdl.exe
      C:\Users\Admin\AppData\Local\Temp\nsd3766.tmp\dlhelpdl.exe ~URL Parts Error~~~~URL Parts Error~URL Parts Error~~#~7198~5311~~URL Parts Error~~SendRequest Error~6A-10-79-A2-4C-90~#~~SendRequest Error~~IE~~
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1768
    • C:\Users\Admin\AppData\Local\Temp\nsd3766.tmp\215AppsChecker.exe
      C:\Users\Admin\AppData\Local\Temp\nsd3766.tmp\215AppsChecker.exe /checkispublisherinstalled
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:764

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2500-66-0x0000000001F00000-0x0000000001F1A000-memory.dmp

    Filesize

    104KB