Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/06/2024, 17:29

General

  • Target

    963006ea3a64e9c29c082a9d655d39b1cc8994c79471ab7809b4dc5ae27723b9.exe

  • Size

    17KB

  • MD5

    4aac6eb7cc4e1773555170e98598e3eb

  • SHA1

    edce9398c75bc2ba834dc7e11ecfc791e3b2b667

  • SHA256

    963006ea3a64e9c29c082a9d655d39b1cc8994c79471ab7809b4dc5ae27723b9

  • SHA512

    b9c3a6d7d4715923efaefc9e4b5b6ee806f20681bea9efa81fa8d30849fd4a9dcd549b63ebb73fa5f4d873020ecb1c932ded61e1cfe9483f8ef78554b2a94274

  • SSDEEP

    384:x+uPfoQ+DfYMzKdPEsOuubuEG3KHM2/VgT:IMAQ+BzWPEwnE+KHM2/VgT

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other session material.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\963006ea3a64e9c29c082a9d655d39b1cc8994c79471ab7809b4dc5ae27723b9.exe
    "C:\Users\Admin\AppData\Local\Temp\963006ea3a64e9c29c082a9d655d39b1cc8994c79471ab7809b4dc5ae27723b9.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\svhost.exe
      "C:\Windows\svhost.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1744

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\5NhMn3MqL1m0LXC.exe

    Filesize

    17KB

    MD5

    65556ba3d60e61790cde33a8b48e3897

    SHA1

    1a60c501cf2730f01db567ed13372496b81c624d

    SHA256

    f68fa8b28fb5c8bd48fe7e3ce194e412dfa1ea78b66bab016708a0e81649561e

    SHA512

    fd0300e86ec82e59982de831d602bc067e016cedf730abcc072fd83e902bfea3c3bf06530694b4915fbd88635b5df81d5b81291dab471eeaf39c59ad97259824

  • C:\Windows\svhost.exe

    Filesize

    16KB

    MD5

    76fd02b48297edb28940bdfa3fa1c48a

    SHA1

    bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce

    SHA256

    07abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c

    SHA512

    28c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0