Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
31/12/2023, 01:16
Static task
static1
Behavioral task
behavioral1
Sample
22af06c40a6972c3d05acfbf88736807.exe
Resource
win7-20231215-en
General
-
Target
22af06c40a6972c3d05acfbf88736807.exe
-
Size
513KB
-
MD5
22af06c40a6972c3d05acfbf88736807
-
SHA1
4d77cb9179339d472806f20b3036dd2187e07d9e
-
SHA256
5e779c17147a3270553c7042beef05e6946805a52adf85f8f5b9e6bf38f6984b
-
SHA512
1342ed861ed07e6b06c441d163f4c27cb534ed64e59f92867d69606e94a08656c9993a430f10ae1bcd7b10b313db81eec8b2d6b852093c794495acde9108455c
-
SSDEEP
12288:lHCKLz4cDlLqz3Nl1/DR3Br8PWEXi1gHAVR7:lj40lmdt3Br8z8gHSR
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2004 csrss.exe -
Loads dropped DLL 4 IoCs
pid Process 1868 22af06c40a6972c3d05acfbf88736807.exe 1868 22af06c40a6972c3d05acfbf88736807.exe 1868 22af06c40a6972c3d05acfbf88736807.exe 1868 22af06c40a6972c3d05acfbf88736807.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1868 set thread context of 2004 1868 22af06c40a6972c3d05acfbf88736807.exe 28 -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 1868 wrote to memory of 2004 1868 22af06c40a6972c3d05acfbf88736807.exe 28 PID 1868 wrote to memory of 2004 1868 22af06c40a6972c3d05acfbf88736807.exe 28 PID 1868 wrote to memory of 2004 1868 22af06c40a6972c3d05acfbf88736807.exe 28 PID 1868 wrote to memory of 2004 1868 22af06c40a6972c3d05acfbf88736807.exe 28 PID 1868 wrote to memory of 2004 1868 22af06c40a6972c3d05acfbf88736807.exe 28 PID 1868 wrote to memory of 2004 1868 22af06c40a6972c3d05acfbf88736807.exe 28 PID 1868 wrote to memory of 2004 1868 22af06c40a6972c3d05acfbf88736807.exe 28 PID 1868 wrote to memory of 2004 1868 22af06c40a6972c3d05acfbf88736807.exe 28 PID 1868 wrote to memory of 2004 1868 22af06c40a6972c3d05acfbf88736807.exe 28 PID 1868 wrote to memory of 2004 1868 22af06c40a6972c3d05acfbf88736807.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\22af06c40a6972c3d05acfbf88736807.exe"C:\Users\Admin\AppData\Local\Temp\22af06c40a6972c3d05acfbf88736807.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Users\Admin\AppData\Roaming\csrss.exeC:\Users\Admin\AppData\Roaming\csrss.exe2⤵
- Executes dropped EXE
PID:2004
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD50d98150856b32db0ac49bb27b1f146d5
SHA18d665bb424f76add2d7c27b40f19680d583eba97
SHA256784dc2bafc894656f2040965e89f304a732858b668a6e1200eae45ca03819100
SHA512accb298f2a8df4ced4b5de258b555f5fef4c8a08cfaf395e8f84a5f43c8ba70449e89782243d6872fdd8f39d84c768466dae2e8eedfa24a7fd5ccde566acb109
-
Filesize
15KB
MD5e45cfd4c08936e02fb4f57f7972b2d8d
SHA1aa7c70a63af530b17fa551d95aa5ff7ae27c00d7
SHA256158af74f121ce91d8718dbd29c061863eea32b0dd550718768f060b927c8a59d
SHA51299f9ede95e6b90aea3de3d288625843ef02e7e20e6b432d4c7fd2c10e19c52d971ff8a5fcef8c71d38a14e2adfdfae63697f0b1acdfe21df7fff51c440996a8a
-
Filesize
8KB
MD5408ca60609d57759329cd9dc4894924c
SHA109fd93199b6a1bd65626fe14e37f010f030aeb43
SHA2568da3fe6873bc4babc07893817fb793d6788078a18d582ba4967dbd4a2d1ca94d
SHA5129a94174cd7cf379bd93a7e061a6bbc09a26b79e630fba588457c55a9bce45260d7e2365da8b219cccfc3bdb78ef952fbb94b2b6e51fb44c970c0f873ca0edbc1