Analysis
max time kernel: 129s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/01/2024, 06:02
Static task: static1
Behavioral task: behavioral1
  Sample: 64a80359bff8a5e94be61f23c125903b.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 64a80359bff8a5e94be61f23c125903b.exe
  Resource: win10v2004-20231215-en
General
Target: 64a80359bff8a5e94be61f23c125903b.exe
Size: 256KB
MD5: 64a80359bff8a5e94be61f23c125903b
SHA1: 99eb53bcba202cfd17b6faf9eccb27eb77cff81a
SHA256: 3b8bf4df71917350d38daf2b4a17b68b05e1d9fa8e327b21b83275fe5dffd0be
SHA512: 2936025e4ec05210a61551be6e1a891c291dff70bfb71d68502e4963e2fbbb0c789b7fe35ef52ecb7654c35f80d7c45aa2162f9b7a0d7bb0731d9d943430f97e
SSDEEP: 6144:oawa9mjimYaQLHrhaYaQuWwkU/YoYaQLHrhaYaQ:oawRXY2YVJUbY2Y
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 4368, process outlook.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\sys32.exe", by process 64a80359bff8a5e94be61f23c125903b.exe
- Drops file in Windows directory (6 IoCs)
  File opened for modification: C:\Windows\sys32.exe, by process 64a80359bff8a5e94be61f23c125903b.exe
  File opened for modification: C:\Windows\outlook.cfg, by process outlook.exe
  File created: C:\Windows\crc32.cfg, by process outlook.exe
  File created: C:\Windows\sys32.exe, by process 64a80359bff8a5e94be61f23c125903b.exe
  File created: C:\Windows\outlook.exe, by process 64a80359bff8a5e94be61f23c125903b.exe
  File opened for modification: C:\Windows\outlook.exe, by process 64a80359bff8a5e94be61f23c125903b.exe
- Program crash (1 IoC)
  PID 5024 (WerFault.exe), target PID 4368, target procid 69
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1492 (64a80359bff8a5e94be61f23c125903b.exe) wrote to memory of PID 4368, target procid 69
  PID 1492 (64a80359bff8a5e94be61f23c125903b.exe) wrote to memory of PID 4368, target procid 69
  PID 1492 (64a80359bff8a5e94be61f23c125903b.exe) wrote to memory of PID 4368, target procid 69
Processes
C:\Users\Admin\AppData\Local\Temp\64a80359bff8a5e94be61f23c125903b.exe (PID 1492)
  command line: "C:\Users\Admin\AppData\Local\Temp\64a80359bff8a5e94be61f23c125903b.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\outlook.exe (PID 4368, child of 1492)
    command line: C:\Windows\outlook.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    C:\Windows\SysWOW64\WerFault.exe (PID 5024, child of 4368)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 29816
      - Program crash
C:\Windows\SysWOW64\WerFault.exe (PID 4360)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4368 -ip 4368
Network
MITRE ATT&CK Enterprise v15
Downloads