Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 02/02/2024, 02:31
Static task: static1
Behavioral task: behavioral1
- Sample: 885186e0a72510f6888e8ca1780f3c5d.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 885186e0a72510f6888e8ca1780f3c5d.exe
- Resource: win10v2004-20231215-en
General
- Target: 885186e0a72510f6888e8ca1780f3c5d.exe
- Size: 114KB
- MD5: 885186e0a72510f6888e8ca1780f3c5d
- SHA1: 57dc5452bd6fdc67e8177a92c8cf6b39722d32a6
- SHA256: 644ba316e402faf534a3feb88d6da4ab3299dd337d961fe961f0e89c608e0362
- SHA512: d2da6a6f8a09367e9b08f186ca8546c19a676938951df9ef79663d135cc425b6d2d8295cdd38a7603e426958320836258a6fc28cdad5868756b8d4ed02f60cd4
- SSDEEP: 1536:TeqejnOkp/2d3C24gJdJp+c2vOUHkrxbBgJiKLDVOpJrnzqYoEZnx3kWGM3SnC6D:TnejnOk/OPpeOUHygBUvZ6WPkVB
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  2204 | kuod.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2324 | 885186e0a72510f6888e8ca1780f3c5d.exe
  2324 | 885186e0a72510f6888e8ca1780f3c5d.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Privacy | 885186e0a72510f6888e8ca1780f3c5d.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" | 885186e0a72510f6888e8ca1780f3c5d.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | Process
  2204 | kuod.exe
  2324 | 885186e0a72510f6888e8ca1780f3c5d.exe
  2204 | kuod.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeSecurityPrivilege | 2324 | 885186e0a72510f6888e8ca1780f3c5d.exe
  Token: SeSecurityPrivilege | 2324 | 885186e0a72510f6888e8ca1780f3c5d.exe
  Token: SeSecurityPrivilege | 2324 | 885186e0a72510f6888e8ca1780f3c5d.exe
  Token: SeSecurityPrivilege | 2324 | 885186e0a72510f6888e8ca1780f3c5d.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  description | pid | Process | procid_target
  PID 2324 wrote to memory of 2204 | 2324 | 885186e0a72510f6888e8ca1780f3c5d.exe | 28
  PID 2324 wrote to memory of 2204 | 2324 | 885186e0a72510f6888e8ca1780f3c5d.exe | 28
  PID 2324 wrote to memory of 2204 | 2324 | 885186e0a72510f6888e8ca1780f3c5d.exe | 28
  PID 2324 wrote to memory of 2204 | 2324 | 885186e0a72510f6888e8ca1780f3c5d.exe | 28
  PID 2204 wrote to memory of 1044 | 2204 | kuod.exe | 13
  PID 2204 wrote to memory of 1044 | 2204 | kuod.exe | 13
  PID 2204 wrote to memory of 1044 | 2204 | kuod.exe | 13
  PID 2204 wrote to memory of 1044 | 2204 | kuod.exe | 13
  PID 2204 wrote to memory of 1044 | 2204 | kuod.exe | 13
  PID 2204 wrote to memory of 1072 | 2204 | kuod.exe | 12
  PID 2204 wrote to memory of 1072 | 2204 | kuod.exe | 12
  PID 2204 wrote to memory of 1072 | 2204 | kuod.exe | 12
  PID 2204 wrote to memory of 1072 | 2204 | kuod.exe | 12
  PID 2204 wrote to memory of 1072 | 2204 | kuod.exe | 12
  PID 2204 wrote to memory of 1112 | 2204 | kuod.exe | 4
  PID 2204 wrote to memory of 1112 | 2204 | kuod.exe | 4
  PID 2204 wrote to memory of 1112 | 2204 | kuod.exe | 4
  PID 2204 wrote to memory of 1112 | 2204 | kuod.exe | 4
  PID 2204 wrote to memory of 1112 | 2204 | kuod.exe | 4
  PID 2204 wrote to memory of 1876 | 2204 | kuod.exe | 8
  PID 2204 wrote to memory of 1876 | 2204 | kuod.exe | 8
  PID 2204 wrote to memory of 1876 | 2204 | kuod.exe | 8
  PID 2204 wrote to memory of 1876 | 2204 | kuod.exe | 8
  PID 2204 wrote to memory of 1876 | 2204 | kuod.exe | 8
  PID 2204 wrote to memory of 2324 | 2204 | kuod.exe | 16
  PID 2204 wrote to memory of 2324 | 2204 | kuod.exe | 16
  PID 2204 wrote to memory of 2324 | 2204 | kuod.exe | 16
  PID 2204 wrote to memory of 2324 | 2204 | kuod.exe | 16
  PID 2204 wrote to memory of 2324 | 2204 | kuod.exe | 16
Processes
- C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  PID: 1112
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 1876
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1072
  - C:\Users\Admin\AppData\Local\Temp\885186e0a72510f6888e8ca1780f3c5d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\885186e0a72510f6888e8ca1780f3c5d.exe"
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2324
    - C:\Users\Admin\Ebet\kuod.exe
      command line: "C:\Users\Admin\Ebet\kuod.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2204
- C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  PID: 1044
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 366B
  MD5: c36a96fc87d298b54aeac0267b1dbca6
  SHA1: 6acb6ee0815378809b7d19e5814f7163ba76be62
  SHA256: f9cf0afa7ce92dd8723cbca3df660d62f6c2b3a371b55d173c6c08e3e620e7a8
  SHA512: 0ea22b4524f3400af45724d0412c560047840f640e010224d771bf808d34e490bdea5d3b547e38a0c68a790a97046fc72dabdcf42354d0c101efd5041ebfb188
- Filesize: 114KB
  MD5: b0b841b0c37eca5466834fe2ef650486
  SHA1: b8734ce43a0fe873daca2d2b04038fa256922a9d
  SHA256: 086dbda7286541d05d260c1a70d3c11c9517c5a447a8b38ee8328b43f11d8180
  SHA512: 96b620194e081fc911cc3d697249408d201151db22d59924c922be4c13ce42ea520ecf079b53084354a84bd9d32f5a29f38f56f8af64079bdcaeaf3c71fed4ab