Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    141s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    06/04/2024, 01:05

General

  • Target

    1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe

  • Size

    2.2MB

  • MD5

    422ad9c53a86f687b230fde951fb5856

  • SHA1

    17eb89de5f5a21b3e83497e74145613209bc3a86

  • SHA256

    1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5

  • SHA512

    d0cfae682aab7a15703b051bc879721d41276b8a22e9f69d9d2a0a40bdfea38cb1634340d3f93e2ce0f8f229798290820b7262e346ab88cf578a34489471c1e6

  • SSDEEP

    49152:Tgxqu3RcnLHx7FHNwA5VRp/KQiGH+7W7WFDus/3BcSJir2Vn:EQLVFthRhiY7Cus/3F4qV

Score
9/10

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe
    "C:\Users\Admin\AppData\Local\Temp\1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2628
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1936 -s 524
      2⤵
        PID:2864

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\qzj5UFAQv7oDeWRPEgAUCxZYkFnH69\sensitive-files.zip

      Filesize

      2.6MB

      MD5

      1d6b61e77e2f95d0ce87723cad7101e5

      SHA1

      4adba94761a332f4e0e60129ac97b6ab9a4cdd61

      SHA256

      60b14a71d86ca10de615c388c7b04cd877ce5f4326449c3d1acc05f2521e571c

      SHA512

      d0ece685b2a80d14a2be9062e33efd1f1e311e97a4c5774ae60e2cef24996d1e5230ed57da08c510e1f939256c03a68a483b49dce6cd54b15a61c1e79a97d9ff

    • memory/1936-0-0x000000013FC30000-0x0000000140178000-memory.dmp

      Filesize

      5.3MB

    • memory/1936-1-0x000000013FC30000-0x0000000140178000-memory.dmp

      Filesize

      5.3MB

    • memory/1936-42-0x000000013FC30000-0x0000000140178000-memory.dmp

      Filesize

      5.3MB

    • memory/2628-8-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

      Filesize

      2.9MB

    • memory/2628-10-0x000007FEF4F00000-0x000007FEF589D000-memory.dmp

      Filesize

      9.6MB

    • memory/2628-9-0x0000000002310000-0x0000000002318000-memory.dmp

      Filesize

      32KB

    • memory/2628-11-0x00000000028C0000-0x0000000002940000-memory.dmp

      Filesize

      512KB

    • memory/2628-12-0x00000000028C0000-0x0000000002940000-memory.dmp

      Filesize

      512KB

    • memory/2628-13-0x000007FEF4F00000-0x000007FEF589D000-memory.dmp

      Filesize

      9.6MB

    • memory/2628-14-0x00000000028C0000-0x0000000002940000-memory.dmp

      Filesize

      512KB

    • memory/2628-15-0x000007FEF4F00000-0x000007FEF589D000-memory.dmp

      Filesize

      9.6MB