Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/06/2024, 23:29
Static task
static1
Behavioral task
behavioral1
Sample
d055e064dea25697b95c6f87ed8bb4f45d5c3c9ffc9119db2f08bca6a70bd20f.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
d055e064dea25697b95c6f87ed8bb4f45d5c3c9ffc9119db2f08bca6a70bd20f.exe
Resource
win10v2004-20240426-en
General
-
Target
d055e064dea25697b95c6f87ed8bb4f45d5c3c9ffc9119db2f08bca6a70bd20f.exe
-
Size
17KB
-
MD5
5e85098f6c51b95bce6e43034c9cfeee
-
SHA1
3795421fb2d194b5efabc725547abe41de41369e
-
SHA256
d055e064dea25697b95c6f87ed8bb4f45d5c3c9ffc9119db2f08bca6a70bd20f
-
SHA512
32e681990358b3f9d17ce36c9dc0a22d4b0260f9104cc62d0a4cb1b5ade41f56bd3cbc1561ae2fd740db42a7b0095c0d5edbaa03d3a961bb948e9dae6e5d0485
-
SSDEEP
384:WWjjfoQ+DfYMzKdPEsOuubuEG3KHM2/wo:ljjAQ+BzWPEwnE+KHM2/V
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3064 svhost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" d055e064dea25697b95c6f87ed8bb4f45d5c3c9ffc9119db2f08bca6a70bd20f.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\svhost.exe d055e064dea25697b95c6f87ed8bb4f45d5c3c9ffc9119db2f08bca6a70bd20f.exe File created C:\Windows\svhost.exe svhost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1728 d055e064dea25697b95c6f87ed8bb4f45d5c3c9ffc9119db2f08bca6a70bd20f.exe Token: SeDebugPrivilege 3064 svhost.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1728 wrote to memory of 3064 1728 d055e064dea25697b95c6f87ed8bb4f45d5c3c9ffc9119db2f08bca6a70bd20f.exe 28 PID 1728 wrote to memory of 3064 1728 d055e064dea25697b95c6f87ed8bb4f45d5c3c9ffc9119db2f08bca6a70bd20f.exe 28 PID 1728 wrote to memory of 3064 1728 d055e064dea25697b95c6f87ed8bb4f45d5c3c9ffc9119db2f08bca6a70bd20f.exe 28 PID 1728 wrote to memory of 3064 1728 d055e064dea25697b95c6f87ed8bb4f45d5c3c9ffc9119db2f08bca6a70bd20f.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\d055e064dea25697b95c6f87ed8bb4f45d5c3c9ffc9119db2f08bca6a70bd20f.exe"C:\Users\Admin\AppData\Local\Temp\d055e064dea25697b95c6f87ed8bb4f45d5c3c9ffc9119db2f08bca6a70bd20f.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\svhost.exe"C:\Windows\svhost.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3064
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
17KB
MD547ecf82179be6c85c5bc6fd5dff48c2e
SHA17faad744d93b10062362c1d98219186122ae4625
SHA256855ab5f820e5d635efb39c84b54a3e8f0b68aafd5157b4931cae01dc6794cdb1
SHA51223002f968f16e3881d38d73fe2aca0f24067eb857ae5a4c1b139ab1319b444b727e9e069a05379f8c6dc7d3ac4cfc0eae2f7f6110c4635291adbb709ddf2d0f0
-
Filesize
16KB
MD55e7c375139b7453abd0b91a8a220f8e5
SHA188a3d645fab0f4129c1e485c90b593ab60e469ae
SHA25636ec99991653fa54be6f638d0b95eeac3e3f5e3006e4320318c4aa6fc2e330a8
SHA5120805763fe788e0edeb69747d2f419842dc093c2d871d39f25afe2cd27867d54f90fa15892ff5e8c7148280c1ca9b90a0a375f56c277e5d442257c9e77295f1b2