Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
132s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
25/02/2024, 04:32
Static task
static1
Behavioral task
behavioral1
Sample
a2ea6e4e09ee6e11611c02511553aff4.exe
Resource
win7-20240221-en
General
-
Target
a2ea6e4e09ee6e11611c02511553aff4.exe
-
Size
178KB
-
MD5
a2ea6e4e09ee6e11611c02511553aff4
-
SHA1
13be966fedc0d56d32d4d5e37964121969ea2c9b
-
SHA256
aa81b851bdc6b697895c44f2bb2d7667db55efe95699adbf20f31a272753ca57
-
SHA512
7881bc2ca32f26200b847589b870b1b49f1b0b66e121792e67ba631d2729349f2b1c9eee75a2d4caaacf2d3307bedab934cebfd717d447fbe5b27855816a9ee2
-
SSDEEP
3072:gs3/nGv6XSIk/44xD5aoMaTnR5UAsri+UP:PvnGv6XSIk/4C5aVaU8+s
Malware Config
Extracted
pony
http://diet-virut.com:8080/pony/gate.php
http://98.158.129.17:8080/pony/gate.php
-
payload_url
http://www.longingtech.com/14jJyU.exe
http://ghanaleakplus.com/KVvCk7B.exe
http://arvina.cz/PpBCye.exe
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeImpersonatePrivilege 2932 a2ea6e4e09ee6e11611c02511553aff4.exe Token: SeTcbPrivilege 2932 a2ea6e4e09ee6e11611c02511553aff4.exe Token: SeChangeNotifyPrivilege 2932 a2ea6e4e09ee6e11611c02511553aff4.exe Token: SeCreateTokenPrivilege 2932 a2ea6e4e09ee6e11611c02511553aff4.exe Token: SeBackupPrivilege 2932 a2ea6e4e09ee6e11611c02511553aff4.exe Token: SeRestorePrivilege 2932 a2ea6e4e09ee6e11611c02511553aff4.exe Token: SeIncreaseQuotaPrivilege 2932 a2ea6e4e09ee6e11611c02511553aff4.exe Token: SeAssignPrimaryTokenPrivilege 2932 a2ea6e4e09ee6e11611c02511553aff4.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 2932 a2ea6e4e09ee6e11611c02511553aff4.exe