Analysis
max time kernel: 150s
max time network: 133s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 29/01/2024, 06:32
Behavioral task: behavioral1
Sample: 7f2330def39913a8dfa6252f81637197.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 7f2330def39913a8dfa6252f81637197.exe
Resource: win10v2004-20231215-en
General
Target: 7f2330def39913a8dfa6252f81637197.exe
Size: 249KB
MD5: 7f2330def39913a8dfa6252f81637197
SHA1: 5f4e7714e7a278ad5279a62f1b352e80252c934d
SHA256: 9de7bad6c008475fc6b83764c55296f7e45a32342c445c46ce3e384737ad30fe
SHA512: e26e44875fcb4d963b44352abacb537cd2df9a3feeffe03521b0e6858287d98e8c1c48f377bf5ed314e062c6b7a89f3c5b5932e41f57601dbae8e69988b1cb47
SSDEEP: 6144:IM0Ky/jFZofhxOeqKlusmJTZVDcgR2Ge0Uxe955WMenawoS:IM0KybFZShMeqqufpXDJQGexGjHwoS
Signatures

Executes dropped EXE (3 IoCs)
pid   Process
2696  Recycle.Bin.exe
2844  Recycle.Bin.exe
2724  SaK4395.exe

Loads dropped DLL (5 IoCs)
pid   Process
1504  7f2330def39913a8dfa6252f81637197.exe
1504  7f2330def39913a8dfa6252f81637197.exe
2696  Recycle.Bin.exe
2844  Recycle.Bin.exe
2844  Recycle.Bin.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource                                                                      yara_rule
behavioral1/memory/2432-0-0x0000000000400000-0x0000000000752000-memory.dmp    upx
behavioral1/memory/1504-3-0x0000000000400000-0x0000000000460000-memory.dmp    upx
behavioral1/memory/1504-5-0x0000000000400000-0x0000000000460000-memory.dmp    upx
behavioral1/memory/1504-7-0x0000000000400000-0x0000000000460000-memory.dmp    upx
behavioral1/memory/1504-9-0x0000000000400000-0x0000000000460000-memory.dmp    upx
behavioral1/memory/1504-11-0x0000000000400000-0x0000000000460000-memory.dmp   upx
behavioral1/memory/2432-12-0x0000000000400000-0x0000000000752000-memory.dmp   upx
behavioral1/memory/1504-14-0x0000000000400000-0x0000000000460000-memory.dmp   upx
behavioral1/files/0x00310000000142c9-23.dat                                   upx
behavioral1/memory/1504-30-0x0000000000AC0000-0x0000000000E12000-memory.dmp   upx
behavioral1/memory/2696-32-0x0000000000400000-0x0000000000752000-memory.dmp   upx
behavioral1/memory/2696-39-0x0000000000400000-0x0000000000752000-memory.dmp   upx
behavioral1/memory/1504-42-0x0000000000400000-0x0000000000460000-memory.dmp   upx
behavioral1/memory/2844-47-0x0000000000400000-0x0000000000460000-memory.dmp   upx
behavioral1/memory/2844-67-0x0000000000400000-0x0000000000460000-memory.dmp   upx
behavioral1/memory/2724-88-0x00000000028D0000-0x0000000002A94000-memory.dmp   upx
Adds Run key to start application (2 TTPs, 1 IoC)
description      ioc                                                                                                                                                          Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\0A3UUE7EUYVV4Y9GMAGABZJZUNQV = "C:\\Recycle.Bin\\Recycle.Bin.exe /q"  SaK4395.exe
Suspicious use of SetThreadContext (2 IoCs)
description                           pid   Process                               procid_target
PID 2432 set thread context of 1504   2432  7f2330def39913a8dfa6252f81637197.exe  28
PID 2696 set thread context of 2844   2696  Recycle.Bin.exe                       30
Modifies Internet Explorer Phishing Filter (1 TTPs, 3 IoCs)
description      ioc                                                                                                                                       Process
Key created      \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\PhishingFilter                          SaK4395.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"           SaK4395.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon = "0"  SaK4395.exe

Modifies Internet Explorer settings
description      ioc                                                                                                                                       Process
Key created      \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery                                SaK4395.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit = "0"  SaK4395.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   Process
1504  7f2330def39913a8dfa6252f81637197.exe
1504  7f2330def39913a8dfa6252f81637197.exe
2844  Recycle.Bin.exe
2724  SaK4395.exe
Suspicious use of AdjustPrivilegeToken (8 IoCs)
description              pid   Process
Token: SeDebugPrivilege  1504  7f2330def39913a8dfa6252f81637197.exe
Token: SeDebugPrivilege  1504  7f2330def39913a8dfa6252f81637197.exe
Token: SeDebugPrivilege  1504  7f2330def39913a8dfa6252f81637197.exe
Token: SeDebugPrivilege  1504  7f2330def39913a8dfa6252f81637197.exe
Token: SeDebugPrivilege  2844  Recycle.Bin.exe
Token: SeDebugPrivilege  2844  Recycle.Bin.exe
Token: SeDebugPrivilege  2724  SaK4395.exe
Token: SeDebugPrivilege  2724  SaK4395.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid   Process
2432  7f2330def39913a8dfa6252f81637197.exe
2696  Recycle.Bin.exe
Suspicious use of WriteProcessMemory (28 IoCs)
description                        pid   Process                               procid_target
PID 2432 wrote to memory of 1504   2432  7f2330def39913a8dfa6252f81637197.exe  28
PID 2432 wrote to memory of 1504   2432  7f2330def39913a8dfa6252f81637197.exe  28
PID 2432 wrote to memory of 1504   2432  7f2330def39913a8dfa6252f81637197.exe  28
PID 2432 wrote to memory of 1504   2432  7f2330def39913a8dfa6252f81637197.exe  28
PID 2432 wrote to memory of 1504   2432  7f2330def39913a8dfa6252f81637197.exe  28
PID 2432 wrote to memory of 1504   2432  7f2330def39913a8dfa6252f81637197.exe  28
PID 2432 wrote to memory of 1504   2432  7f2330def39913a8dfa6252f81637197.exe  28
PID 2432 wrote to memory of 1504   2432  7f2330def39913a8dfa6252f81637197.exe  28
PID 2432 wrote to memory of 1504   2432  7f2330def39913a8dfa6252f81637197.exe  28
PID 1504 wrote to memory of 2696   1504  7f2330def39913a8dfa6252f81637197.exe  29
PID 1504 wrote to memory of 2696   1504  7f2330def39913a8dfa6252f81637197.exe  29
PID 1504 wrote to memory of 2696   1504  7f2330def39913a8dfa6252f81637197.exe  29
PID 1504 wrote to memory of 2696   1504  7f2330def39913a8dfa6252f81637197.exe  29
PID 2696 wrote to memory of 2844   2696  Recycle.Bin.exe                       30
PID 2696 wrote to memory of 2844   2696  Recycle.Bin.exe                       30
PID 2696 wrote to memory of 2844   2696  Recycle.Bin.exe                       30
PID 2696 wrote to memory of 2844   2696  Recycle.Bin.exe                       30
PID 2696 wrote to memory of 2844   2696  Recycle.Bin.exe                       30
PID 2696 wrote to memory of 2844   2696  Recycle.Bin.exe                       30
PID 2696 wrote to memory of 2844   2696  Recycle.Bin.exe                       30
PID 2696 wrote to memory of 2844   2696  Recycle.Bin.exe                       30
PID 2696 wrote to memory of 2844   2696  Recycle.Bin.exe                       30
PID 2844 wrote to memory of 2724   2844  Recycle.Bin.exe                       32
PID 2844 wrote to memory of 2724   2844  Recycle.Bin.exe                       32
PID 2844 wrote to memory of 2724   2844  Recycle.Bin.exe                       32
PID 2844 wrote to memory of 2724   2844  Recycle.Bin.exe                       32
PID 2844 wrote to memory of 2724   2844  Recycle.Bin.exe                       32
PID 2844 wrote to memory of 2724   2844  Recycle.Bin.exe                       32
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\7f2330def39913a8dfa6252f81637197.exe (PID 2432)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7f2330def39913a8dfa6252f81637197.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\7f2330def39913a8dfa6252f81637197.exe (PID 1504)
    Command line: C:\Users\Admin\AppData\Local\Temp\7f2330def39913a8dfa6252f81637197.exe
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Recycle.Bin\Recycle.Bin.exe (PID 2696)
      Command line: "C:\Recycle.Bin\Recycle.Bin.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Recycle.Bin\Recycle.Bin.exe (PID 2844)
        Command line: C:\Recycle.Bin\Recycle.Bin.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\SaK4395.exe (PID 2724)
          Command line: "C:\Users\Admin\AppData\Local\Temp\SaK4395.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Modifies Internet Explorer Phishing Filter
          - Modifies Internet Explorer settings
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Downloads

Filesize: 4KB
MD5: 649ff12ebf081a1e7f3a283753b82a1b
SHA1: c79757cfa811a1d27a7bae0c3f366c779aab457a
SHA256: 311da4bc1cd00e3d85994738b84171ca59d69ff70fea4c8e94d831199d2a4097
SHA512: 61b27d2d184efe36765eb1a303dcd19ec6395b748b06ce9d43cb547fd5842e2f26839821a8851b56083192f5aed6827deeaeedd80cd9315476042283d120ac73

Filesize: 249KB
MD5: 7f2330def39913a8dfa6252f81637197
SHA1: 5f4e7714e7a278ad5279a62f1b352e80252c934d
SHA256: 9de7bad6c008475fc6b83764c55296f7e45a32342c445c46ce3e384737ad30fe
SHA512: e26e44875fcb4d963b44352abacb537cd2df9a3feeffe03521b0e6858287d98e8c1c48f377bf5ed314e062c6b7a89f3c5b5932e41f57601dbae8e69988b1cb47

Filesize: 3KB
MD5: 29090b6b4d6605a97ac760d06436ac2d
SHA1: d929d3389642e52bae5ad8512293c9c4d3e4fab5
SHA256: 98a24f0caf5b578e230e6f1103a5fba6aecb28a9128cad5520fcde546d643272
SHA512: 9121ec42fa66e14a4fc3932c8dbcc8fb1a93ab9de00da57a82e176faa70b73f6992f8c5e2ab52c02fc28c8f0c59aee73b6fbbd39107db7d15105054f4390e9be