Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
04/02/2024, 10:05
General
-
Target
8edfe12e2544e6a9687ab9f0b0aaaa74.exe
-
Size
158KB
-
MD5
8edfe12e2544e6a9687ab9f0b0aaaa74
-
SHA1
03db1451090c15bc733075a7635f56dfce71552f
-
SHA256
400cac203dca17cb0d78bb5b5b44b14c72f1929aa767644f745a2375d48843e5
-
SHA512
795c5ebb51c6d935d49618f4e97f531bc3999b3fd54aee615303ded77ab2f065fd964441b26b3a8dd06a17c7cf8b7ef72105a96130214cda9a67428dcebe2b0b
-
SSDEEP
3072:tbUEaIO/ZDa+4ejeiFZu/X8rfYrXeLiwJM:tbUEa/DaQjPDYreNJM
Malware Config
Signatures
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\8edfe12e2544e6a9687ab9f0b0aaaa74.exe"C:\Users\Admin\AppData\Local\Temp\8edfe12e2544e6a9687ab9f0b0aaaa74.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8edfe12e2544e6a9687ab9f0b0aaaa74.exe3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\server.exeC:\Users\Admin\AppData\Local\Temp\server.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 5 && del C:\Users\Admin\AppData\Local\Temp\8EDFE1~1.EXE4⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 55⤵
- Delays execution with timeout.exe
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
41KB
MD58641236ed4fc87165f0ea56deed5d451
SHA1c7ea56bfae8f7ae22255af8880a3be9ccdb45736
SHA256c5a781c5895bcbdfa3e6300a51437af03c6eedfd853a5f856d9e2a3ff74356cb
SHA512fbaa13fec898f5154e352a402903c49242ac035fea4f77a11a58fe802d391bc7321f74152e0a4ec71536b7f3c1bf03040ef32ec92cbaa413e5da93e034836a9b
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
112KB
-
Filesize
112KB
-
Filesize
112KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
36KB
-
Filesize
76KB
-
Filesize
36KB