Analysis
max time kernel: 150s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/01/2024, 06:32
Behavioral task behavioral1
Sample: 7f2330def39913a8dfa6252f81637197.exe
Resource: win7-20231215-en
Behavioral task behavioral2
Sample: 7f2330def39913a8dfa6252f81637197.exe
Resource: win10v2004-20231215-en
General
Target: 7f2330def39913a8dfa6252f81637197.exe
Size: 249KB
MD5: 7f2330def39913a8dfa6252f81637197
SHA1: 5f4e7714e7a278ad5279a62f1b352e80252c934d
SHA256: 9de7bad6c008475fc6b83764c55296f7e45a32342c445c46ce3e384737ad30fe
SHA512: e26e44875fcb4d963b44352abacb537cd2df9a3feeffe03521b0e6858287d98e8c1c48f377bf5ed314e062c6b7a89f3c5b5932e41f57601dbae8e69988b1cb47
SSDEEP: 6144:IM0Ky/jFZofhxOeqKlusmJTZVDcgR2Ge0Uxe955WMenawoS:IM0KybFZShMeqqufpXDJQGexGjHwoS
Malware Config
Signatures
Executes dropped EXE 3 IoCs
pid / Process
3232 Recycle.Bin.exe
4100 Recycle.Bin.exe
4820 3XA92CA.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
resource / yara_rule
behavioral2/memory/1776-0-0x0000000000400000-0x0000000000752000-memory.dmp upx
behavioral2/memory/2516-3-0x0000000000400000-0x0000000000460000-memory.dmp upx
behavioral2/memory/2516-6-0x0000000000400000-0x0000000000460000-memory.dmp upx
behavioral2/memory/2516-9-0x0000000000400000-0x0000000000460000-memory.dmp upx
behavioral2/memory/2516-12-0x0000000000400000-0x0000000000460000-memory.dmp upx
behavioral2/memory/2516-10-0x0000000000400000-0x0000000000460000-memory.dmp upx
behavioral2/memory/2516-15-0x0000000000400000-0x0000000000460000-memory.dmp upx
behavioral2/memory/1776-7-0x0000000000400000-0x0000000000752000-memory.dmp upx
behavioral2/files/0x000600000002320e-25.dat upx
behavioral2/memory/3232-33-0x0000000000400000-0x0000000000752000-memory.dmp upx
behavioral2/memory/2516-37-0x0000000000400000-0x0000000000460000-memory.dmp upx
behavioral2/memory/4100-36-0x0000000000400000-0x0000000000460000-memory.dmp upx
behavioral2/memory/4100-50-0x0000000000400000-0x0000000000460000-memory.dmp upx
Adds Run key to start application 2 TTPs 1 IoCs
description / ioc / Process
Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0A3UUE7EUYVV4Y9GMAGABZJZUNQV = "C:\\Recycle.Bin\\Recycle.Bin.exe /q" 3XA92CA.exe
Suspicious use of SetThreadContext 2 IoCs
description / pid / Process / procid_target
PID 1776 set thread context of 2516 1776 7f2330def39913a8dfa6252f81637197.exe 84
PID 3232 set thread context of 4100 3232 Recycle.Bin.exe 86
Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs
description / ioc / Process
Key created \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\PhishingFilter 3XA92CA.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" 3XA92CA.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon = "0" 3XA92CA.exe
Modifies Internet Explorer settings 2 IoCs
description / ioc / Process
Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit = "0" 3XA92CA.exe
Key created \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Recovery 3XA92CA.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid / Process (repeated entries collapsed with counts)
2516 7f2330def39913a8dfa6252f81637197.exe (x4)
4100 Recycle.Bin.exe (x2)
4820 3XA92CA.exe (x58)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description / pid / Process (repeated entries collapsed with counts)
Token: SeDebugPrivilege 2516 7f2330def39913a8dfa6252f81637197.exe (x4)
Token: SeDebugPrivilege 4100 Recycle.Bin.exe (x2)
Token: SeDebugPrivilege 4820 3XA92CA.exe (x58)
Suspicious use of SetWindowsHookEx 2 IoCs
pid / Process
1776 7f2330def39913a8dfa6252f81637197.exe
3232 Recycle.Bin.exe
Suspicious use of WriteProcessMemory 28 IoCs
description / pid / Process / procid_target (repeated entries collapsed with counts)
PID 1776 wrote to memory of 2516 1776 7f2330def39913a8dfa6252f81637197.exe 84 (x8)
PID 2516 wrote to memory of 3232 2516 7f2330def39913a8dfa6252f81637197.exe 85 (x3)
PID 3232 wrote to memory of 4100 3232 Recycle.Bin.exe 86 (x8)
PID 4100 wrote to memory of 4820 4100 Recycle.Bin.exe 87 (x5)
PID 4820 wrote to memory of 2516 4820 3XA92CA.exe 84 (x4)
Processes
1. C:\Users\Admin\AppData\Local\Temp\7f2330def39913a8dfa6252f81637197.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7f2330def39913a8dfa6252f81637197.exe"
   PID: 1776
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\7f2330def39913a8dfa6252f81637197.exe
     Command line: C:\Users\Admin\AppData\Local\Temp\7f2330def39913a8dfa6252f81637197.exe
     PID: 2516
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
    3. C:\Recycle.Bin\Recycle.Bin.exe
       Command line: "C:\Recycle.Bin\Recycle.Bin.exe"
       PID: 3232
       - Executes dropped EXE
       - Suspicious use of SetThreadContext
       - Suspicious use of SetWindowsHookEx
       - Suspicious use of WriteProcessMemory
      4. C:\Recycle.Bin\Recycle.Bin.exe
         Command line: C:\Recycle.Bin\Recycle.Bin.exe
         PID: 4100
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
        5. C:\Users\Admin\AppData\Local\Temp\3XA92CA.exe
           Command line: "C:\Users\Admin\AppData\Local\Temp\3XA92CA.exe"
           PID: 4820
           - Executes dropped EXE
           - Adds Run key to start application
           - Modifies Internet Explorer Phishing Filter
           - Modifies Internet Explorer settings
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of AdjustPrivilegeToken
           - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 249KB
MD5: 7f2330def39913a8dfa6252f81637197
SHA1: 5f4e7714e7a278ad5279a62f1b352e80252c934d
SHA256: 9de7bad6c008475fc6b83764c55296f7e45a32342c445c46ce3e384737ad30fe
SHA512: e26e44875fcb4d963b44352abacb537cd2df9a3feeffe03521b0e6858287d98e8c1c48f377bf5ed314e062c6b7a89f3c5b5932e41f57601dbae8e69988b1cb47

Filesize: 4KB
MD5: 649ff12ebf081a1e7f3a283753b82a1b
SHA1: c79757cfa811a1d27a7bae0c3f366c779aab457a
SHA256: 311da4bc1cd00e3d85994738b84171ca59d69ff70fea4c8e94d831199d2a4097
SHA512: 61b27d2d184efe36765eb1a303dcd19ec6395b748b06ce9d43cb547fd5842e2f26839821a8851b56083192f5aed6827deeaeedd80cd9315476042283d120ac73

Filesize: 3KB
MD5: 29090b6b4d6605a97ac760d06436ac2d
SHA1: d929d3389642e52bae5ad8512293c9c4d3e4fab5
SHA256: 98a24f0caf5b578e230e6f1103a5fba6aecb28a9128cad5520fcde546d643272
SHA512: 9121ec42fa66e14a4fc3932c8dbcc8fb1a93ab9de00da57a82e176faa70b73f6992f8c5e2ab52c02fc28c8f0c59aee73b6fbbd39107db7d15105054f4390e9be