Analysis
- max time kernel: 162s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/01/2024, 16:29
Behavioral task behavioral1
- Sample: 4bea978951b9452de6ebbce207371089.exe
- Resource: win7-20231215-en

Behavioral task behavioral2
- Sample: 4bea978951b9452de6ebbce207371089.exe
- Resource: win10v2004-20231215-en
General
- Target: 4bea978951b9452de6ebbce207371089.exe
- Size: 775KB
- MD5: 4bea978951b9452de6ebbce207371089
- SHA1: 558728ffa36f6c6fa0bebd6b5f9ec544a413fef7
- SHA256: ac0aa1fc56d492e81b4a71a9ab06fe35df42c8dd6fcccafa51591fa185d42927
- SHA512: 9a66973759ea7689ee0b8979c6e34fdab96681ccf0cb2ab9697ef89e274a42067ee1436d5a6c29da9f3f2a76466f7821d1f5fd9c9cba095fada19c0cb89b8216
- SSDEEP: 24576:/rl6kD68JmloLQf9MoraVGsEAGV1T+EI0Fsqy:Dl328U2kf9MorarUrLI06
Malware Config
Signatures
- NirSoft MailPassView (1 IoC)
  Password recovery tool for various email clients
  resource: behavioral2/memory/1352-6-0x0000000000400000-0x0000000000488000-memory.dmp, yara_rule: MailPassView
- NirSoft WebBrowserPassView (1 IoC)
  Password recovery tool for various web browsers
  resource: behavioral2/memory/1352-6-0x0000000000400000-0x0000000000488000-memory.dmp, yara_rule: WebBrowserPassView
- Nirsoft (1 IoC)
  resource: behavioral2/memory/1352-6-0x0000000000400000-0x0000000000488000-memory.dmp, yara_rule: Nirsoft
- yara_rule upx (4 resources)
  resource: behavioral2/memory/3244-0-0x0000000000EF0000-0x000000000109F000-memory.dmp
  resource: behavioral2/memory/3244-1-0x0000000000EF0000-0x000000000109F000-memory.dmp
  resource: behavioral2/memory/3244-4-0x0000000000EF0000-0x000000000109F000-memory.dmp
  resource: behavioral2/memory/3244-11-0x0000000000EF0000-0x000000000109F000-memory.dmp
- AutoIT Executable (2 IoCs)
  AutoIT scripts compiled to PE executables.
  resource: behavioral2/memory/3244-4-0x0000000000EF0000-0x000000000109F000-memory.dmp, yara_rule: autoit_exe
  resource: behavioral2/memory/3244-11-0x0000000000EF0000-0x000000000109F000-memory.dmp, yara_rule: autoit_exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 3244 set thread context of 1352; pid: 3244; Process: 4bea978951b9452de6ebbce207371089.exe; procid_target: 94
- Suspicious use of FindShellTrayWindow (4 IoCs)
  pid: 3244; Process: 4bea978951b9452de6ebbce207371089.exe (same entry listed 4 times)
- Suspicious use of SendNotifyMessage (4 IoCs)
  pid: 3244; Process: 4bea978951b9452de6ebbce207371089.exe (same entry listed 4 times)
- Suspicious use of WriteProcessMemory (5 IoCs)
  description: PID 3244 wrote to memory of 1352; pid: 3244; Process: 4bea978951b9452de6ebbce207371089.exe; procid_target: 94 (same entry listed 5 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\4bea978951b9452de6ebbce207371089.exe (PID 3244)
  command line: "C:\Users\Admin\AppData\Local\Temp\4bea978951b9452de6ebbce207371089.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - child process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (PID 1352)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"