Analysis
max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25/02/2024, 06:44
Static task: static1
Behavioral task: behavioral1 (sample a3235608a45546b89e2e06e257ed47fc.exe, resource win7-20240221-en)
Behavioral task: behavioral2 (sample a3235608a45546b89e2e06e257ed47fc.exe, resource win10v2004-20240221-en)
General
Target: a3235608a45546b89e2e06e257ed47fc.exe
Size: 964KB
MD5: a3235608a45546b89e2e06e257ed47fc
SHA1: 69409415761dc6a3d215359c1c0bb7570532408c
SHA256: 669f00742f8622c69eeba62416b157d7fe894df352c1eff56c35d957ceab5148
SHA512: ee44bf591ee65b6737749b6409de6210d61b5ee3cc637517e3b32a8e3458c7a39778905da8950368f1fa0eb9c0d729cb506332e2a16b722234292d895cdf42b2
SSDEEP: 12288:Q2PXPk618mS7lRFtFpzpmGFYZJ+qNo+kbNMVYuybGGGoYYW:rPRSRj/pmGFcYH+kJ/uyK
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 2216: svchost.exe

Loads dropped DLL (2 IoCs)
  PID 2156: a3235608a45546b89e2e06e257ed47fc.exe (two load events from the same process)

Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Uses the VBS compiler for execution (1 TTP)
  The compiler in question is vbc.exe under C:\Windows\Microsoft.NET\Framework\v2.0.50727, the last process in the tree in the Processes section.

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by svchost.exe:
  \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\Users\Admin\AppData\Roaming\gEZxEz\LPdyBK\1.4.9.1690\svchost.exe"
  Note that this autostart value points under AppData\Roaming, while the dropped svchost.exe that actually ran in this analysis was launched from C:\ProgramData\gEZxEz\LPdyBK\1.4.9.1690\svchost.exe. Collect both paths as indicators rather than relying on either one alone.

Suspicious use of SetThreadContext (1 IoC)
  PID 2216 (svchost.exe) set the thread context of PID 2496 (procid_target 29)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (14 IoCs)
  PID 2156 (a3235608a45546b89e2e06e257ed47fc.exe) wrote to memory of PID 2216 (procid_target 28): 4 events
  PID 2216 (svchost.exe) wrote to memory of PID 2496 (procid_target 29): 10 events
  The ten writes into the vbc.exe child followed by the SetThreadContext call on the same target are the API pattern typical of process hollowing: a legitimate signed binary is started, its memory is overwritten, and its initial thread is redirected into the injected code.
Processes

1. C:\Users\Admin\AppData\Local\Temp\a3235608a45546b89e2e06e257ed47fc.exe (PID 2156)
   command line: "C:\Users\Admin\AppData\Local\Temp\a3235608a45546b89e2e06e257ed47fc.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\gEZxEz\LPdyBK\1.4.9.1690\svchost.exe (PID 2216, child of 2156)
      command line: "C:\ProgramData\gEZxEz\LPdyBK\1.4.9.1690\svchost.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2496, child of 2216)
         command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
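The injection chain and the Run-key entry above, correlated by an added script that is not part of the tria.ge report: it rebuilds the report's WriteProcessMemory/SetThreadContext rows, process tree and Run value as constructed records (the field layout, the HOLLOW_HOSTS and SYSTEM_NAMES lists, and the helper names are this example's assumptions), then flags process hollowing into a known .NET host, a svchost.exe running outside the Windows directory, and a Run value whose path does not match the image that actually executed.

```python
"""Added example (not part of the tria.ge report): correlate the report's
WriteProcessMemory / SetThreadContext events and its Run-key entry into the
findings a triager would want surfaced. All records below are constructed
by hand from the PIDs and paths the report shows; the field layout, helper
names and the two allow-lists are this example's assumptions, not the
sandbox's export format."""
from collections import defaultdict

# Signed Microsoft .NET binaries commonly hollowed to host injected payloads
# (assumption: a general list, not something the report states).
HOLLOW_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe",
                "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}

# Names of core Windows binaries that legitimately live under C:\Windows.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "explorer.exe", "services.exe"}

# pid -> image path, taken from the report's process tree
PROCESSES = {
    2156: r"C:\Users\Admin\AppData\Local\Temp\a3235608a45546b89e2e06e257ed47fc.exe",
    2216: r"C:\ProgramData\gEZxEz\LPdyBK\1.4.9.1690\svchost.exe",
    2496: r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
}

# (api, source pid, target pid): the 4 + 10 WriteProcessMemory rows and the
# single SetThreadContext row from the Signatures section, in report order
EVENTS = ([("WriteProcessMemory", 2156, 2216)] * 4
          + [("WriteProcessMemory", 2216, 2496)] * 10
          + [("SetThreadContext", 2216, 2496)])

# (registry value path, value data, pid that wrote it) from "Adds Run key"
RUN_KEYS = [(
    r"\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe",
    r"C:\Users\Admin\AppData\Roaming\gEZxEz\LPdyBK\1.4.9.1690\svchost.exe",
    2216,
)]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_hollowing(events, processes):
    """Process-hollowing candidates: a source wrote into a target at least
    once and then set one of the target's thread contexts, and the target
    image is a known hollowing host. Returns (src, dst, write_count)."""
    writes = defaultdict(int)
    ctx_set = set()
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            ctx_set.add((src, dst))
    return [(src, dst, n) for (src, dst), n in writes.items()
            if (src, dst) in ctx_set and basename(processes[dst]) in HOLLOW_HOSTS]


def find_masquerading(processes):
    """PIDs whose image name mimics a core Windows binary but runs from
    outside C:\\Windows (svchost.exe under ProgramData in this report)."""
    return [pid for pid, path in processes.items()
            if basename(path) in SYSTEM_NAMES
            and not path.lower().startswith("c:\\windows\\")]


def find_run_key_mismatch(run_keys, processes):
    """Run values that name the same file as the writer's own image but in
    a different directory: the autostart path will not match the process
    that actually ran, so a triager should reconcile both before blocking
    on either path alone."""
    findings = []
    for key, value, pid in run_keys:
        actual = processes[pid]
        if basename(value) == basename(actual) and value.lower() != actual.lower():
            findings.append({"key": key, "run_value": value, "actual_image": actual})
    return findings


if __name__ == "__main__":
    for src, dst, n in find_hollowing(EVENTS, PROCESSES):
        print(f"hollowing: {src} -> {dst} ({basename(PROCESSES[dst])}), {n} writes")
    for pid in find_masquerading(PROCESSES):
        print(f"masquerade: {pid} {PROCESSES[pid]}")
    for f in find_run_key_mismatch(RUN_KEYS, PROCESSES):
        print(f"run key mismatch: {f['run_value']} vs {f['actual_image']}")
```

The parent's four writes into svchost.exe are deliberately not reported as hollowing: no SetThreadContext follows them and svchost.exe is not a .NET host, so that stage reads as a loader handing off to its dropped payload rather than an in-memory injection. The same three checks can be run over any sandbox export once its rows are mapped into the (api, src, dst) and pid-to-path shapes used here.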
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 475KB
MD5: 88661f02728c9503f5330ab4f01e00e9
SHA1: ec5021df35c5a87ff73f5076759da155d7ee39aa
SHA256: fa6b4516578bae05ea41ad7191dfa28fbc2d6274c4e61909619e081946e4af9d
SHA512: f90a0a27efc6c4af4aad45891c86171c3b865f3a16d97a20e9230b5274de2252695bf947fd86f725e032b5d1c3242328471d4c13ea3e1b749076b8e2874ac5c5