Analysis
- max time kernel: 143s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 12/02/2024, 11:10
Behavioral task: behavioral1
- Sample: 9703bfbf2193f74c2a9657da6a712f2c.exe
- Resource: win7-20231215-en
General
- Target: 9703bfbf2193f74c2a9657da6a712f2c.exe
- Size: 1.3MB
- MD5: 9703bfbf2193f74c2a9657da6a712f2c
- SHA1: 98d6a8f91eb0391c56f958acd3d5b7c2b806fd1a
- SHA256: cffd3fd4c116eb56dea4b7980ac4a2e7be07944a182eddaa983ecdd2e5a7b79e
- SHA512: 7f189652ff71aa9dd71e8115a798cab591c50e291f59703a3f57d576e7cffd1f027bf435ab674a850af79a3dfc6d92899489b06f671017a72af1cb536c19d0d8
- SSDEEP: 24576:xE+/9mM4YahIyZzRD4JCle1Jar1kNYTxrlxTwIhQDiysu3IrAj/Xt:i+/9ShIytRD4sle1JUeYTHZwIhpo3+0X
Malware Config
Signatures
-
Executes dropped EXE (2 IoCs)
pid / Process
- 3028: NANY.exe
- 2888: Stealer.exe
-
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description / ioc / Process
- Key opened: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine (Stealer.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine (NANY.exe)
-
Loads dropped DLL (4 IoCs)
pid / Process
- 3000: 9703bfbf2193f74c2a9657da6a712f2c.exe
- 3000: 9703bfbf2193f74c2a9657da6a712f2c.exe
- 3000: 9703bfbf2193f74c2a9657da6a712f2c.exe
- 3000: 9703bfbf2193f74c2a9657da6a712f2c.exe
-
resource / yara_rule
- behavioral1/memory/3000-0-0x0000000000400000-0x0000000000583000-memory.dmp: upx
- behavioral1/files/0x000a000000012247-10.dat: upx
- behavioral1/memory/3000-22-0x0000000000400000-0x0000000000583000-memory.dmp: upx
- behavioral1/memory/3028-14-0x0000000000400000-0x00000000004EF000-memory.dmp: upx
- behavioral1/memory/3028-23-0x0000000000400000-0x00000000004EF000-memory.dmp: upx
- behavioral1/memory/3028-25-0x0000000000400000-0x00000000004EF000-memory.dmp: upx
- behavioral1/memory/3028-48-0x0000000000400000-0x00000000004EF000-memory.dmp: upx
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings
description / ioc / Process
- Key created: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main (Stealer.exe)
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / Process
- 3028: NANY.exe
- 3028: NANY.exe
-
Suspicious use of SetWindowsHookEx (3 IoCs)
pid / Process
- 2888: Stealer.exe
- 2888: Stealer.exe
- 2888: Stealer.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
description / pid / Process / procid_target
- PID 3000 wrote to memory of 3028 | 3000 | 9703bfbf2193f74c2a9657da6a712f2c.exe | 28
- PID 3000 wrote to memory of 3028 | 3000 | 9703bfbf2193f74c2a9657da6a712f2c.exe | 28
- PID 3000 wrote to memory of 3028 | 3000 | 9703bfbf2193f74c2a9657da6a712f2c.exe | 28
- PID 3000 wrote to memory of 3028 | 3000 | 9703bfbf2193f74c2a9657da6a712f2c.exe | 28
- PID 3000 wrote to memory of 2888 | 3000 | 9703bfbf2193f74c2a9657da6a712f2c.exe | 29
- PID 3000 wrote to memory of 2888 | 3000 | 9703bfbf2193f74c2a9657da6a712f2c.exe | 29
- PID 3000 wrote to memory of 2888 | 3000 | 9703bfbf2193f74c2a9657da6a712f2c.exe | 29
- PID 3000 wrote to memory of 2888 | 3000 | 9703bfbf2193f74c2a9657da6a712f2c.exe | 29
- PID 3028 wrote to memory of 1268 | 3028 | NANY.exe | 10
- PID 3028 wrote to memory of 1268 | 3028 | NANY.exe | 10
- PID 3028 wrote to memory of 1268 | 3028 | NANY.exe | 10
- PID 3028 wrote to memory of 1268 | 3028 | NANY.exe | 10
Processes
- C:\Windows\Explorer.EXE (PID 1268)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\9703bfbf2193f74c2a9657da6a712f2c.exe (PID 3000)
    Command line: "C:\Users\Admin\AppData\Local\Temp\9703bfbf2193f74c2a9657da6a712f2c.exe"
    Signatures:
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\NANY.exe (PID 3028)
      Command line: "C:\Users\Admin\AppData\Local\Temp\NANY.exe"
      Signatures:
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Stealer.exe (PID 2888)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Stealer.exe"
      Signatures:
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
-
- Filesize: 718KB
- MD5: b75e313d3096471bd893e213bdaae9d5
- SHA1: 19d260e90680d559b3b8928aa2f74d4514be2225
- SHA256: ea08abf0bde31916430b058c118788cf32eb602b40f46cd44cddaf31ef68e06a
- SHA512: 5c617d80bf7c20e24a27c5200f39c06bf8c47c64266b4f64b15bc8e8b5611f75fa394d017a140cab257e4397ca5c31787c2af98fc4b549d4a796852960f6b11e
-
- Filesize: 768KB
- MD5: 0664b2cf168fe8f3199730160afcf4d7
- SHA1: 585bd1c07060b1db76b4f5b37a0f40458f2fd01f
- SHA256: 2def416c0467fefce46743f7f5e73225d7b97587e9f816e94874ce813a1b2dbf
- SHA512: 5de165ed469072054fbaa00897b09270f9b7673ef4c302ed4922ec0621317891ca579ff87b74d0b1bedae792aaf4bf15f2312bdcad53a41baef22b6f4ee0a7d2