Analysis

  • max time kernel
    118s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/12/2023, 21:48

General

  • Target

    04d4326343cdf1d4baef0f88aee6dce8.exe

  • Size

    13KB

  • MD5

    04d4326343cdf1d4baef0f88aee6dce8

  • SHA1

    427d54e74f33b594ccf789145044e87cf7325492

  • SHA256

    609e27656ad00574815d2a355cf429da58e082ff6ba245e74e06335a4113ea14

  • SHA512

    a1233dff180afe52e8fc65d21b42ef9b1d97a98e8206bfe4183e85051b635e5956ce70355fd93abb7ca7caebdfdc9b27277ef8919a9ba9c7bb6a7e276d7158bb

  • SSDEEP

    384:FtTdZjseIebeqoM6Jw3toQTgQBi88+wYzLY:7bfLFoM76QTf4BYvY

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04d4326343cdf1d4baef0f88aee6dce8.exe
    "C:\Users\Admin\AppData\Local\Temp\04d4326343cdf1d4baef0f88aee6dce8.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\04D432~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2748
    • C:\Windows\SysWOW64\issearch.exe
      C:\Windows\system32\issearch.exe
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Drops file in System32 directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      PID:2088

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\issearch.exe

    Filesize

    28KB

    MD5

    fc7b0c097f584c0090b7dd5b8ec59934

    SHA1

    faa106f33bcb592fb876e4d44a3b481827aeea4b

    SHA256

    dacc6f71bd1c3069fba75abfcaac97359aa949a92d4bf92119a19d38242a0623

    SHA512

    1c159073ef7d5f8f220a2eb4bdc072aff8db2941a7cde854828f5cabb526fbe0ae1d8fc5f35085c01101ecf3eebbd2d93c01e15b840cb459291742cc1d61eb94

  • \Windows\SysWOW64\ixt0.dll

    Filesize

    18KB

    MD5

    0164585125ce7417a90db7afa671536f

    SHA1

    74e24beea416fb9c0a23fd66102909b46110f03a

    SHA256

    e11c7aafc30d9d0b5da7364058e7949150d8a0ab71e7f4c583ff64f81dd9206b

    SHA512

    ad2636db623c4645bd1c86cf5f6a98f2403c51ba4a09468f3b573d9681f342c2a7ead0a37d5b5a6a349c45d5e143fe3037674be3190331d529bac65379b2314e