Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 140s
max time network: 123s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64 arch:x86 image:win7-20240611-en locale:en-us os:windows7-x64 system
submitted: 18/06/2024, 06:45
Static task: static1
Behavioral task: behavioral1, sample qwerty.exe, resource win7-20240611-en
Behavioral task: behavioral2, sample qwerty.exe, resource win10-20240404-en
General
Target: qwerty.exe
Size: 960KB
MD5: 6539c93ba82b568ecc558ae1d18f5228
SHA1: ba820679e051c87b939c2888cd8e9e24f529173a
SHA256: 5ca3f43e97cfbcb135804e430fc88f7d26287d924514b34b8ec11159e1c36fcf
SHA512: 27efe64e1065b4814fc20b4b994762f80ed327ded1c4a65cfde1627b54322792c640e4e71b61afb2e32163b24acb7516911c861439224ca6c1d01ad22453aa17
SSDEEP: 24576:TkFRNLc8wW4TW29vShuXBSZrlwCC/36sG28Eod7/nuKNAlz:TqR4TzvSh8SZlXs22iTNcz
Malware Config
Extracted family: azorult
C2 URL: http://195.245.112.115/index.php
Signatures
Azorult
An information stealer, first discovered in 2016, that targets browsing history and passwords.
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid   Process
  2976  qwerty.exe
Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2284  2976        WerFault.exe  27
Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  2976  qwerty.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process     procid_target
  PID 2976 wrote to memory of 2284  2976  qwerty.exe  28   (four identical entries)
  Note: all four writes target PID 2284, the WerFault.exe instance launched with "-p 2976" to handle this process's own crash (see Processes below). That pattern is consistent with the normal Windows Error Reporting handoff for a faulting process rather than injection into an unrelated process, so on its own it is weak evidence of injection.
Processes
C:\Users\Admin\AppData\Local\Temp\qwerty.exe  (PID 2976)
  command line: "C:\Users\Admin\AppData\Local\Temp\qwerty.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WerFault.exe  (PID 2284, child of PID 2976)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 832
    - Program crash
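The indicators in this report (the file hashes, the extracted Azorult C2 URL, and the WriteProcessMemory rows read together with the process tree) can be turned into a small triage check. The Python below is an added example, not part of the tria.ge report or of any tria.ge tooling. The proxy log lines it scans are constructed for the example, the hash and C2 values are copied from the report above, and the "WER handoff" heuristic (the target of the write is a WerFault.exe started with -p <writer pid>) is the editor's own check, not a signature from the report.

```python
"""Triage helpers built from the indicators in the tria.ge report above (added example)."""
import hashlib
import re
from urllib.parse import urlparse

# Indicators copied from the report's General and Malware Config sections.
FILE_HASHES = {
    "md5": "6539c93ba82b568ecc558ae1d18f5228",
    "sha1": "ba820679e051c87b939c2888cd8e9e24f529173a",
    "sha256": "5ca3f43e97cfbcb135804e430fc88f7d26287d924514b34b8ec11159e1c36fcf",
}
C2_URL = "http://195.245.112.115/index.php"

# The four WriteProcessMemory rows exactly as the Signatures section lists them.
WPM_ROWS = """PID 2976 wrote to memory of 2284 2976 qwerty.exe 28
PID 2976 wrote to memory of 2284 2976 qwerty.exe 28
PID 2976 wrote to memory of 2284 2976 qwerty.exe 28
PID 2976 wrote to memory of 2284 2976 qwerty.exe 28"""

# Process tree from the report: pid -> command line.
PROCESSES = {
    2976: r'"C:\Users\Admin\AppData\Local\Temp\qwerty.exe"',
    2284: r"C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 832",
}

# Constructed Squid-style proxy log lines (not from the report); the first hits the C2
# URL exactly, the third hits the C2 host but a different path.
LOG_LINES = [
    "1718693100.123 210 10.0.0.5 TCP_MISS/200 512 POST http://195.245.112.115/index.php - HIER_DIRECT/195.245.112.115 text/html",
    "1718693101.456 30 10.0.0.5 TCP_MISS/200 1024 GET http://example.org/ - HIER_DIRECT/93.184.216.34 text/html",
    "1718693102.789 50 10.0.0.7 TCP_MISS/200 200 GET http://195.245.112.115/other.php - HIER_DIRECT/195.245.112.115 text/html",
]

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")
WERFAULT_RE = re.compile(r"WerFault\.exe .*-p (\d+)", re.IGNORECASE)


def parse_wpm_rows(text):
    """Parse 'PID A wrote to memory of B A name N' rows into dicts (one per row)."""
    rows = []
    for line in text.splitlines():
        m = WPM_RE.fullmatch(line.strip())
        if m:
            rows.append({"pid": int(m[1]), "target_pid": int(m[2]),
                         "process": m[4], "procid_target": int(m[5])})
    return rows


def summarize_wpm(rows):
    """Collapse repeated rows into (writer pid, target pid, process) -> count."""
    summary = {}
    for r in rows:
        key = (r["pid"], r["target_pid"], r["process"])
        summary[key] = summary.get(key, 0) + 1
    return summary


def classify_writes(rows, processes):
    """Label each writer/target pair. 'wer-handoff' means the target is a WerFault.exe
    started with -p <writer pid>, i.e. the crash reporter for the writing process itself;
    anything else is a genuine cross-process write worth a closer look."""
    out = []
    for (src, tgt, _), count in summarize_wpm(rows).items():
        m = WERFAULT_RE.search(processes.get(tgt, ""))
        label = "wer-handoff" if m and int(m[1]) == src else "cross-process-write"
        out.append((src, tgt, count, label))
    return out


def hash_bytes(data):
    """MD5/SHA1/SHA256 of a byte string, keyed like FILE_HASHES."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def matches_sample(data):
    """True only if every listed hash matches (a partial match would indicate a typo
    in the indicator list, not the sample)."""
    h = hash_bytes(data)
    return all(h[k] == v for k, v in FILE_HASHES.items())


def c2_hits(log_lines):
    """Return (line, exact_url_match) for each log line whose URL host is the C2 host.
    The host is matched on its own because the gate path can change between builds."""
    c2 = urlparse(C2_URL)
    hits = []
    for line in log_lines:
        for url in re.findall(r"https?://\S+", line):
            u = urlparse(url)
            if u.hostname == c2.hostname:
                hits.append((line, u.path == c2.path))
    return hits


if __name__ == "__main__":
    rows = parse_wpm_rows(WPM_ROWS)
    print(summarize_wpm(rows))
    print(classify_writes(rows, PROCESSES))
    for line, exact in c2_hits(LOG_LINES):
        print("exact" if exact else "host-only", line.split()[6])
```

On this report the four WriteProcessMemory rows collapse to a single pair labelled wer-handoff, so the injection-looking signature is explained by the crash; the C2 host match is the indicator worth pivoting on in proxy or DNS logs, with the exact /index.php path as a higher-confidence secondary check.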