Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
12/02/2024, 02:18
Static task
static1
Behavioral task
behavioral1
Sample
04575cd4a4ef5347718ceea706854ba33c867378b865a9d9c7fff16b666d4307.exe
Resource
win7-20231129-en
General
-
Target
04575cd4a4ef5347718ceea706854ba33c867378b865a9d9c7fff16b666d4307.exe
-
Size
459KB
-
MD5
17e4647572d5755c4f07f2ceecdaf11a
-
SHA1
7a6e22249325b9c3bbc11c30b172997ce79a01b2
-
SHA256
04575cd4a4ef5347718ceea706854ba33c867378b865a9d9c7fff16b666d4307
-
SHA512
791367c7e9bd739a63af148f41a55d91a2a15c34dc72abc2bad5baafcd585048a798d5ba0089468dd723a3dea5fdc914ffc9a55e68037c43015fbaa6c86c57e3
-
SSDEEP
12288:ISsxGETPB372BslW/RQc17THyvAmgelYa:ISsgEjB37EsWRQc17eAelf
Malware Config
Signatures
-
Detects executables packed with unregistered version of .NET Reactor 1 IoCs
resource yara_rule behavioral1/memory/2220-0-0x0000000000160000-0x00000000001D8000-memory.dmp INDICATOR_EXE_Packed_DotNetReactor -
.NET Reactor proctector 1 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource yara_rule behavioral1/memory/2220-0-0x0000000000160000-0x00000000001D8000-memory.dmp net_reactor -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2220 04575cd4a4ef5347718ceea706854ba33c867378b865a9d9c7fff16b666d4307.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2220 04575cd4a4ef5347718ceea706854ba33c867378b865a9d9c7fff16b666d4307.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\04575cd4a4ef5347718ceea706854ba33c867378b865a9d9c7fff16b666d4307.exe"C:\Users\Admin\AppData\Local\Temp\04575cd4a4ef5347718ceea706854ba33c867378b865a9d9c7fff16b666d4307.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220