Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

6b8ac9a539...5b.exe

windows7-x64

9

6b8ac9a539...5b.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    21/04/2024, 22:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6b8ac9a539bb87d4fb8c0dcc57108d07604b4ec9d218674913d0e1af2234095b.exe

  • Size

    1.6MB

  • MD5

    234fd296293a5bb3add0229b6b3d427f

  • SHA1

    f6c06912045a08a0760bdd3a1955b30ee27f8a45

  • SHA256

    6b8ac9a539bb87d4fb8c0dcc57108d07604b4ec9d218674913d0e1af2234095b

  • SHA512

    6590a8eea3ae4328a2e90812b8a0b04daca72f025ad40855241165051ee43eab4a0ffd090da4afa989367b071118964811877f3bb9800626ecd8571504a4307a

  • SSDEEP

    24576:bH48zGvXJJUoOnaZqQ0rQXuKxBfYybAWeiCtdoIOI0A3tZwXxY2yqhrG7U6u:jDSEaZqUXvBfAWgtqI0A9ZwXxd+Fu

Score
9/10
persistencespywarestealerupx

Malware Config

Signatures

  • Detects executables containing possible sandbox analysis VM usernames 2 IoCs
  • UPX dump on OEP (original entry point) 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b8ac9a539bb87d4fb8c0dcc57108d07604b4ec9d218674913d0e1af2234095b.exe
    "C:\Users\Admin\AppData\Local\Temp\6b8ac9a539bb87d4fb8c0dcc57108d07604b4ec9d218674913d0e1af2234095b.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Users\Admin\AppData\Local\Temp\6b8ac9a539bb87d4fb8c0dcc57108d07604b4ec9d218674913d0e1af2234095b.exe
      "C:\Users\Admin\AppData\Local\Temp\6b8ac9a539bb87d4fb8c0dcc57108d07604b4ec9d218674913d0e1af2234095b.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2436
      • C:\Users\Admin\AppData\Local\Temp\6b8ac9a539bb87d4fb8c0dcc57108d07604b4ec9d218674913d0e1af2234095b.exe
        "C:\Users\Admin\AppData\Local\Temp\6b8ac9a539bb87d4fb8c0dcc57108d07604b4ec9d218674913d0e1af2234095b.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2304

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Windows Sidebar\Shared Gadgets\nude kicking voyeur .zip.exe
    Filesize

    2.0MB

    MD5

    c98fe7a4fa805967bb9a4c1786c04141

    SHA1

    21f8cf339f1eb71dd7fffea49d1fd544671de6e0

    SHA256

    2dea4fbc3c0fa0d0ae97637f8eda81323d517bcae5c6565a5bcf8607607f370d

    SHA512

    b833a081063a77c7fb75cee336a54c4c8714ceaad8b1a9db3844967fdb504d17067439486f238eab333277d19140678e891892fb3794522d8aeaa7c555fc022f

    Download Submit

  • C:\debug.txt
    Filesize

    183B

    MD5

    75a2873d4d406e9e5bd1c88446a8c6a9

    SHA1

    a8412114d65fbe57917fff69c3ce7f960092a6f2

    SHA256

    9d8f362e3e942784f3d62b3dd286c13ecd49f10c0fdc465613368bd7059672e5

    SHA512

    5aa45a7174de26ddff72f2a5a1cf3f71c8cce130d853a3c9c2fb8d97f0209f62647e248be1057c677eaad9c1272cb33bca943c27ce0cc9981b00b563dd5b0d4f

    Download Submit

  • memory/2304-90-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2436-66-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2436-89-0x0000000004CE0000-0x0000000004D09000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2848-0-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2848-65-0x0000000006070000-0x0000000006099000-memory.dmp

    Filesize

    164KB

    Download