Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/06/2024, 23:53

General

  • Target

    913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe

  • Size

    471KB

  • MD5

    d973614d4cac301358263701ff674963

  • SHA1

    9126bdac6de090d1f4d9c1cde85daa933345eb45

  • SHA256

    913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42

  • SHA512

    4129b75063ca45c6f8c4153c6ca92f556dfd3d860510b63aa80a3704b9d97e4aaa5b118eca1a24f03126848ec7fd713af0a81183cd348ac8e6fc3f951a0e21b8

  • SSDEEP

    12288:JXCNi9BVcvXy6sPPyo45dZqNwlG7MEYTUso9nWp489+:sWCvkPPyX58w6M6sQnWp489+

Malware Config

Signatures

  • Detects executables containing possible sandbox analysis VM usernames 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
    "C:\Users\Admin\AppData\Local\Temp\913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\Users\Admin\AppData\Local\Temp\913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
      "C:\Users\Admin\AppData\Local\Temp\913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Users\Admin\AppData\Local\Temp\913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
        "C:\Users\Admin\AppData\Local\Temp\913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1944
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 364
      2⤵
      • Program crash
      PID:3052

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Windows Sidebar\Shared Gadgets\american action sperm catfight hole hotel .mpg.exe

    Filesize

    1.1MB

    MD5

    e56f809785b1942b0de2989ab2625253

    SHA1

    12e4f5c1cf7fa44d853a09ed8d062500e7e9c46c

    SHA256

    d8c012a63114bdd4a5fa2eee93599312ee712f525af8cef0adfd024967739669

    SHA512

    28c9c70baed9df37c014eaddb992cf68b6cf1b8d55f8f1b021a464cb745f87bf6371f014b51e7db9c15247526e22508d8dd38bc8ee8be3e504a04b2bb50e9690

  • C:\debug.txt

    Filesize

    183B

    MD5

    4ba7633c98d8685d983668b3fb0407e3

    SHA1

    5629e9d210d6c696562e3f506a23b159c499cfeb

    SHA256

    68fb80ac60bdfc8bbecde74b4d9df7e3fef20b01750b9ea7b0d85e8b4693c80f

    SHA512

    580942927cb3dec8ad428a36b52231fd275a65943da122bd7f2319edbb0ca0b1018e1f989ab4b6e292e2cdbb174f265d34e205333a77af2ba6105bcd73727ac8