Analysis
max time kernel: 92s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/02/2024, 17:54
Static task: static1
Behavioral task: behavioral1
  Sample: a2634233c62855cbc67bbd269e00fe9d.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: a2634233c62855cbc67bbd269e00fe9d.exe
  Resource: win10v2004-20240221-en
General
Target: a2634233c62855cbc67bbd269e00fe9d.exe
Size: 65KB
MD5: a2634233c62855cbc67bbd269e00fe9d
SHA1: b5238208924c594bb10111dce2f9fab40158dc24
SHA256: 3c70b77b1f530155d8d69c2d13c8f5d44d3dc3e8c203cdd4996898ad3ccf8193
SHA512: 9abc2029f90a835c50b1cd54fc733ce77f5e6cee1baea251cd204b00adbd2a19cff45611ca648adbf19b2aef3205412fa24cc6dfa8464aba08c968ce94a61eb8
SSDEEP: 768:yAWcdiE5zCt4aVkeqru18JBSTAooVNgIJEs1v61iWlzxVpt0nbKVDuk1wFi:ynoCt4EqTSsJE06DxV8GVDufY
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 752, process 43153a2634233c62855cbc67bbd269e00fe9d.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  process 43153a2634233c62855cbc67bbd269e00fe9d.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 752, process 43153a2634233c62855cbc67bbd269e00fe9d.exe (reported twice)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 752, process 43153a2634233c62855cbc67bbd269e00fe9d.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 3092, process a2634233c62855cbc67bbd269e00fe9d.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3092 (a2634233c62855cbc67bbd269e00fe9d.exe) wrote to memory of 752, procid_target 85 (the same write is reported three times)
- outlook_win_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  process 43153a2634233c62855cbc67bbd269e00fe9d.exe
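The signature hits above are the result of matching raw behaviour events (registry opens, cross-process memory writes, privilege changes) against known-sensitive locations. As an added example that is not part of the Triage report or its signature engine, the following Python re-derives those hits from a handful of constructed events shaped like the report's IoCs. The Outlook profile subkey is the one the report shows; the Uninstall key path is the standard HKLM location the "Checks installed software" signature refers to; the Event and Hit types and the analyse() function are assumptions of this example only.

```python
# Added example (not Triage's code): re-derive the report's signature hits
# from a list of raw behaviour events. The event records below are constructed
# to mirror the IoCs in the report; only the registry paths are real locations.
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Registry locations the signatures key on (case-insensitive match).
# Outlook profile store: the exact subkey the report's IoC shows.
OUTLOOK_PROFILE_RE = re.compile(
    r"\\Windows Messaging Subsystem\\Profiles\\Outlook", re.IGNORECASE)
# Installed-software enumeration: the standard Uninstall key (native and WOW64).
UNINSTALL_KEY_RE = re.compile(
    r"\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall",
    re.IGNORECASE)


@dataclass
class Event:
    """One API-level behaviour record (hypothetical schema for this example)."""
    pid: int
    process: str
    api: str                       # e.g. RegOpenKeyExW, WriteProcessMemory
    arg: str = ""                  # registry path or privilege name
    target_pid: int | None = None  # for cross-process memory writes


@dataclass
class Hit:
    name: str
    pid: int
    process: str
    iocs: list[str] = field(default_factory=list)


def analyse(events: list[Event]) -> dict[str, Hit]:
    """Map events to signature hits. IoCs are deduplicated per signature, so
    the three identical WriteProcessMemory lines in the report collapse to one."""
    hits: dict[str, Hit] = {}

    def add(name: str, ev: Event, ioc: str) -> None:
        hit = hits.setdefault(name, Hit(name, ev.pid, ev.process))
        if ioc not in hit.iocs:
            hit.iocs.append(ioc)

    for ev in events:
        if ev.api.startswith(("RegOpenKey", "RegQueryValue")):
            if OUTLOOK_PROFILE_RE.search(ev.arg):
                add("Accesses Microsoft Outlook profiles", ev, f"Key opened {ev.arg}")
            if UNINSTALL_KEY_RE.search(ev.arg):
                add("Checks installed software on the system", ev, f"Key opened {ev.arg}")
        elif ev.api == "WriteProcessMemory" and ev.target_pid not in (None, ev.pid):
            add("Suspicious use of WriteProcessMemory", ev,
                f"PID {ev.pid} wrote to memory of {ev.target_pid}")
        elif ev.api == "AdjustTokenPrivileges" and "SeDebugPrivilege" in ev.arg:
            add("Suspicious use of AdjustPrivilegeToken", ev, f"Token: {ev.arg}")
    return hits


# Constructed events shaped like the report: parent 3092 writes into child 752
# three times; the dropped child enables SeDebugPrivilege, opens the Outlook
# profile key and walks the Uninstall key. The last event is benign filler.
PARENT = "a2634233c62855cbc67bbd269e00fe9d.exe"
CHILD = "43153a2634233c62855cbc67bbd269e00fe9d.exe"
OUTLOOK_KEY = (r"\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000"
               r"\Software\Microsoft\Windows NT\CurrentVersion"
               r"\Windows Messaging Subsystem\Profiles\Outlook")
UNINSTALL_KEY = r"\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall"

SAMPLE_EVENTS = [
    Event(3092, PARENT, "WriteProcessMemory", target_pid=752),
    Event(3092, PARENT, "WriteProcessMemory", target_pid=752),
    Event(3092, PARENT, "WriteProcessMemory", target_pid=752),
    Event(752, CHILD, "AdjustTokenPrivileges", "SeDebugPrivilege"),
    Event(752, CHILD, "RegOpenKeyExW", OUTLOOK_KEY),
    Event(752, CHILD, "RegOpenKeyExW", UNINSTALL_KEY),
    Event(752, CHILD, "RegOpenKeyExW", r"\REGISTRY\MACHINE\Software\Classes"),
]

if __name__ == "__main__":
    for hit in analyse(SAMPLE_EVENTS).values():
        print(f"{hit.name} ({len(hit.iocs)} IoC): pid {hit.pid} {hit.process}")
        for ioc in hit.iocs:
            print("   ", ioc)
```

Note that the "Reads user/profile data" signatures on this page are TTP-level rollups with no IoC of their own; in practice they fire on the same registry and file accesses that the Outlook and browser-specific rules key on, which is why the example only matches the concrete paths.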
Processes
1. C:\Users\Admin\AppData\Local\Temp\a2634233c62855cbc67bbd269e00fe9d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a2634233c62855cbc67bbd269e00fe9d.exe"
   PID: 3092
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\43153a2634233c62855cbc67bbd269e00fe9d.exe (child of PID 3092)
      Command line: C:\Users\Admin\AppData\Local\Temp\43153a2634233c62855cbc67bbd269e00fe9d.exe
      PID: 752
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 41KB
MD5: dceb9de0ebfd62d7fceddb4add614f65
SHA1: f6ee90a810362d57c3b785b4fa49db7f03554723
SHA256: 34717f9671fa81488ab9f99c5af81c14f65e9b8ea703621f0e7863a94b909fb5
SHA512: 00a5add9c20dbd80d480bf66200536f1cb47474b5620c05c4c1cc4e9194bca5b0992a813642eee8cb99ae4a480ca351234ab46abefcf5bc98e254368bc060cb5