Analysis
- max time kernel: 141s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 06/04/2024, 01:05
Behavioral task
- behavioral1
  - Sample: 1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe
  - Resource: win7-20231129-en
General
- Target: 1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe
- Size: 2.2MB
- MD5: 422ad9c53a86f687b230fde951fb5856
- SHA1: 17eb89de5f5a21b3e83497e74145613209bc3a86
- SHA256: 1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5
- SHA512: d0cfae682aab7a15703b051bc879721d41276b8a22e9f69d9d2a0a40bdfea38cb1634340d3f93e2ce0f8f229798290820b7262e346ab88cf578a34489471c1e6
- SSDEEP: 49152:Tgxqu3RcnLHx7FHNwA5VRp/KQiGH+7W7WFDus/3BcSJir2Vn:EQLVFthRhiY7Cus/3F4qV
Malware Config
Signatures
- UPX dump on OEP (original entry point) — 3 IoCs
  resource | yara_rule
  behavioral1/memory/1936-0-0x000000013FC30000-0x0000000140178000-memory.dmp | UPX
  behavioral1/memory/1936-1-0x000000013FC30000-0x0000000140178000-memory.dmp | UPX
  behavioral1/memory/1936-42-0x000000013FC30000-0x0000000140178000-memory.dmp | UPX
- Reads user/profile data of web browsers — 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
  resource | yara_rule
  behavioral1/memory/1936-0-0x000000013FC30000-0x0000000140178000-memory.dmp | upx
  behavioral1/memory/1936-1-0x000000013FC30000-0x0000000140178000-memory.dmp | upx
  behavioral1/memory/1936-42-0x000000013FC30000-0x0000000140178000-memory.dmp | upx
- Accesses cryptocurrency files/wallets, possible credential harvesting — 2 TTPs
- Suspicious behavior: EnumeratesProcesses — 1 IoCs
  pid | Process
  2628 | powershell.exe
- Suspicious use of AdjustPrivilegeToken — 1 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 2628 | powershell.exe
- Suspicious use of WriteProcessMemory — 6 IoCs
  description | pid | Process | procid_target
  PID 1936 wrote to memory of 2628 | 1936 | 1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe | 29
  PID 1936 wrote to memory of 2628 | 1936 | 1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe | 29
  PID 1936 wrote to memory of 2628 | 1936 | 1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe | 29
  PID 1936 wrote to memory of 2864 | 1936 | 1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe | 31
  PID 1936 wrote to memory of 2864 | 1936 | 1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe | 31
  PID 1936 wrote to memory of 2864 | 1936 | 1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1a8023c76e45b0145f1c28753efc1d5409a0ac2a1c6fdbab2022e737dcaa0ab5.exe"
  PID: 1936
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
    PID: 2628
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 1936 -s 524
    PID: 2864
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 1d6b61e77e2f95d0ce87723cad7101e5
  SHA1: 4adba94761a332f4e0e60129ac97b6ab9a4cdd61
  SHA256: 60b14a71d86ca10de615c388c7b04cd877ce5f4326449c3d1acc05f2521e571c
  SHA512: d0ece685b2a80d14a2be9062e33efd1f1e311e97a4c5774ae60e2cef24996d1e5230ed57da08c510e1f939256c03a68a483b49dce6cd54b15a61c1e79a97d9ff