Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 12/03/2024, 20:28
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20240221-en
General
- Target: file.exe
- Size: 3.0MB
- MD5: 88d8a1aa36d48e28d506abe4fa3e7322
- SHA1: 03385cdb977d1e7effbe5f9c1712b723778d3ea7
- SHA256: 0d124edbaa3ae482812d236f4ed05b094085949a794d69b0bebc679b4a011720
- SHA512: 3674f482ef11b359f0969476b0b3ca017689a8ba39b91bf99b8751d5f8cc5e8a1077a81cff9cdb268746f39000ab5976f3adb1166f9b34f9c32c3ffdc1a06491
- SSDEEP: 12288:XNzcTCPYV/oVQ+mJkP5isjJyhKxE5n9g8FYE2gXqi:XNzcTUYV3J25iDl9VYE2Mqi
Malware Config
Extracted
- Family: stealc
- C2: http://94.156.8.100
- url_path: /5dce321003e6a6b5.php
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (1 IoCs)
  PID 2532 Answers.pif
- Loads dropped DLL (3 IoCs)
  PID 2996 cmd.exe
  PID 2532 Answers.pif
  PID 2532 Answers.pif
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Answers.pif)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Answers.pif)
- Enumerates processes with tasklist (1 TTPs, 2 IoCs)
  PID 2148 tasklist.exe
  PID 2964 tasklist.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
  PID 2660 PING.EXE
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  PID 2532 Answers.pif (5 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2148 tasklist.exe
  Token: SeDebugPrivilege, PID 2964 tasklist.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  PID 2532 Answers.pif (3 entries)
- Suspicious use of SendNotifyMessage (3 IoCs)
  PID 2532 Answers.pif (3 entries)
- Suspicious use of WriteProcessMemory (40 IoCs; each row below appears 4 times in the report)
  PID 1688 file.exe wrote to memory of 2996 (procid_target 28)
  PID 2996 cmd.exe wrote to memory of 2148 (procid_target 30)
  PID 2996 cmd.exe wrote to memory of 2608 (procid_target 31)
  PID 2996 cmd.exe wrote to memory of 2964 (procid_target 33)
  PID 2996 cmd.exe wrote to memory of 2672 (procid_target 34)
  PID 2996 cmd.exe wrote to memory of 2400 (procid_target 35)
  PID 2996 cmd.exe wrote to memory of 2776 (procid_target 36)
  PID 2996 cmd.exe wrote to memory of 2500 (procid_target 37)
  PID 2996 cmd.exe wrote to memory of 2532 (procid_target 38)
  PID 2996 cmd.exe wrote to memory of 2660 (procid_target 39)
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 1688
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k move Op Op.bat & Op.bat & exit
    PID: 2996
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\tasklist.exe
      Command line: tasklist
      PID: 2148
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\findstr.exe
      Command line: findstr /I "wrsa.exe opssvc.exe"
      PID: 2608
    - C:\Windows\SysWOW64\tasklist.exe
      Command line: tasklist
      PID: 2964
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\findstr.exe
      Command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      PID: 2672
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c md 28977
      PID: 2400
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c copy /b 28977\Answers.pif + Regarding + Devoted + Litigation + Quebec + Bird 28977\Answers.pif
      PID: 2776
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c copy /b Tired + Theoretical 28977\x
      PID: 2500
    - C:\Users\Admin\AppData\Local\Temp\28977\Answers.pif
      Command line: 28977\Answers.pif 28977\x
      PID: 2532
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 5 127.0.0.1
      PID: 2660
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads