Analysis
max time kernel: 122s
max time network: 129s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 13/01/2024, 06:02
Static task: static1
Behavioral task: behavioral1
Sample: timeSync.exe
Resource: win7-20231215-en
General
Target: timeSync.exe
Size: 237KB
MD5: ae0792e1f93f7682ce03c8f4f9e2906b
SHA1: 7056ade37113830af70ae02fe06184374c06dc90
SHA256: bd0619e369e9f557fa70e19f5447a08a625cec708e14459d53fdb338ecf30305
SHA512: 95d09e2679f5bd9c53b5e36e17c013565f9245029d8dfbe4ea22810f6b444c45b5c7e77069d29e3c7e7a1c5d7a098bad1977dbcf6c310c8407278873db1710f6
SSDEEP: 3072:fJOKSG+jJx3AdF7mSJief2m1KpEtbUT1nGBvUEtrSWe/qcRbP1XRQ9mtxxgwT:fJOKS/EF7kpGegrmfgIt4
Malware Config
Extracted family: stealc
C2: http://5.42.64.41
url_path: /40d570f44e84a454.php
Signatures
- Downloads MZ/PE file
- Deletes itself (1 IoC)
  pid 1936, process cmd.exe
- Loads dropped DLL (2 IoCs)
  pid 2396, process timeSync.exe
  pid 2396, process timeSync.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: timeSync.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: timeSync.exe)
- Delays execution with timeout.exe (1 IoC)
  pid 2156, process timeout.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 2396, process timeSync.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 2396 wrote to memory of 1936; pid 2396; process timeSync.exe; procid_target 31
  description: PID 2396 wrote to memory of 1936; pid 2396; process timeSync.exe; procid_target 31
  description: PID 2396 wrote to memory of 1936; pid 2396; process timeSync.exe; procid_target 31
  description: PID 2396 wrote to memory of 1936; pid 2396; process timeSync.exe; procid_target 31
  description: PID 1936 wrote to memory of 2156; pid 1936; process cmd.exe; procid_target 33
  description: PID 1936 wrote to memory of 2156; pid 1936; process cmd.exe; procid_target 33
  description: PID 1936 wrote to memory of 2156; pid 1936; process cmd.exe; procid_target 33
  description: PID 1936 wrote to memory of 2156; pid 1936; process cmd.exe; procid_target 33
Processes
- C:\Users\Admin\AppData\Local\Temp\timeSync.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\timeSync.exe"
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2396
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\timeSync.exe" & del "C:\ProgramData\*.dll"" & exit
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 1936
    - C:\Windows\SysWOW64\timeout.exe (depth 3)
      Command line: timeout /t 5
      - Delays execution with timeout.exe
      PID: 2156
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 36KB
  MD5: 0f94a9545012dde854113fa1afad0b90
  SHA1: 9784fadce4ffaf877b20a6ed805e02e9d32409ff
  SHA256: 64ebb5d77fca88dc9c65327c65c0cc207ce7b82a4397a01370da934312720284
  SHA512: 0359e21e81b8f86d0f4fcefc177dd338df37f23a9f62ec3a91843c5f7c7ff6a587b4b0c4ddbb429b0d7096f7ee2f8c19996606105400bf28984e9fd257aa6136
- Filesize: 78KB
  MD5: 9e59913b3cdcfb6ae555e76b0cba4b35
  SHA1: d9cf67470109f2923490e55fde59ba2b9cf5253f
  SHA256: ce8afb6e8447d58da9ff41bde8c13b987fb500cd47d35d838c8c505efc2da6e3
  SHA512: 213867184ae83fad4609f54bd26fd5f9645995e545c059ebe5be279f76671729458ccd95ffabc73fe3d58dcd741f3a3507eba2c4c53d8a80a702a9240cd60d4f