Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    07/05/2024, 22:17

General

  • Target

    6c2f452c37bd510a856f96bc889df7f8ec4a6306d52b90fb8b0cbc3c998c6b4e.exe

  • Size

    113KB

  • MD5

    580b5cc23aa39cdd0bfbcaa1ed878524

  • SHA1

    122830fe99dc3657e9ee581085f52b949a8f1279

  • SHA256

    6c2f452c37bd510a856f96bc889df7f8ec4a6306d52b90fb8b0cbc3c998c6b4e

  • SHA512

    d6d6e9fb320ca3e9f5e7b308ed74f0acdeb4fd60e9a822faf0c729845f5fa4237a4140b287c26e899897d5a53f93cf3ab6015972f583e687c3dda10617ae05b1

  • SSDEEP

    3072:wvs4dDXEGCLElS1Tj4mYWR/R4nkPR/1aVuyJrWnTa2LkMtcI:sPDLCL9Io5R4nM/40yJqnO2IM+I

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c2f452c37bd510a856f96bc889df7f8ec4a6306d52b90fb8b0cbc3c998c6b4e.exe
    "C:\Users\Admin\AppData\Local\Temp\6c2f452c37bd510a856f96bc889df7f8ec4a6306d52b90fb8b0cbc3c998c6b4e.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Users\Admin\AppData\Local\Temp\6c2f452c37bd510a856f96bc889df7f8ec4a6306d52b90fb8b0cbc3c998c6b4e.exe
      "C:\Users\Admin\AppData\Local\Temp\6c2f452c37bd510a856f96bc889df7f8ec4a6306d52b90fb8b0cbc3c998c6b4e.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1268
      • C:\Users\Admin\AppData\Local\Temp\6c2f452c37bd510a856f96bc889df7f8ec4a6306d52b90fb8b0cbc3c998c6b4e.exe
        "C:\Users\Admin\AppData\Local\Temp\6c2f452c37bd510a856f96bc889df7f8ec4a6306d52b90fb8b0cbc3c998c6b4e.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2940
    • C:\Users\Admin\AppData\Local\Temp\6c2f452c37bd510a856f96bc889df7f8ec4a6306d52b90fb8b0cbc3c998c6b4e.exe
      "C:\Users\Admin\AppData\Local\Temp\6c2f452c37bd510a856f96bc889df7f8ec4a6306d52b90fb8b0cbc3c998c6b4e.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2864

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Windows Sidebar\Shared Gadgets\danish porn fucking sleeping hole .zip.exe

    Filesize

    1.9MB

    MD5

    76c919deec91df22d480ed9270735abe

    SHA1

    7ab6015c641453d3f7fe17c97494396467b0d465

    SHA256

    4465fba80775a20d2e4f50da02ebe853945869d655cc695ac1a3604e1f0d380f

    SHA512

    542c816a49670627c1b6a5759a3d3d15fb66a89a4ca9fe58b0edd71d58b94c168cab3fa87a0b3b4321ba01fd42f19ff3e532f12aec90d8a15429fc9281d00e6c

  • C:\debug.txt

    Filesize

    183B

    MD5

    f4c2d35deba4fef6e2425a6af3f43d36

    SHA1

    f3df8edb8e6d4527fa1486dc203114710c922335

    SHA256

    9509b05f6bf023bab215066f5864a23eeaedddf42e4c89b9872e682d007a99a3

    SHA512

    426c730618c61f73082ceeeb4b34ace760d930d853ae9122dae8224fad6b56f35dda6c3ab7c74e1ebc2b5c36079dc73053ccacff6bfe6225c4edcb7a69138ab1

  • memory/1268-7-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/1268-33-0x0000000000860000-0x000000000087C000-memory.dmp

    Filesize

    112KB

  • memory/2180-0-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/2180-5-0x0000000004AC0000-0x0000000004ADC000-memory.dmp

    Filesize

    112KB

  • memory/2180-32-0x0000000004ED0000-0x0000000004EEC000-memory.dmp

    Filesize

    112KB

  • memory/2180-93-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/2180-95-0x0000000004AC0000-0x0000000004ADC000-memory.dmp

    Filesize

    112KB

  • memory/2180-99-0x0000000004ED0000-0x0000000004EEC000-memory.dmp

    Filesize

    112KB