Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/07/2024, 19:31

General

  • Target

    1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe

  • Size

    1.1MB

  • MD5

    772bfdeac4d23e9c9c2bf22426e9e2a2

  • SHA1

    f769e12bd1cd1a6754f829c1ada839f2fd2b1d6b

  • SHA256

    1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3

  • SHA512

    01a97d0b1a224879f1508682a51dc03cc67c1b40e84df61b6b04e1d39054ef4c2e70ccbaa3203e8a0cf842cf1c8d88d0595a44a48702809c17c38b788fed8b01

  • SSDEEP

    24576:oW0oVP1vZlrhH3x/qLNO5j3hotYuarJEuPob3V27LctAfKR:VBXdHB/qLNEjiOJEc+3odKR

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 10 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
    "C:\Users\Admin\AppData\Local\Temp\1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Users\Admin\AppData\Local\Temp\1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
      "C:\Users\Admin\AppData\Local\Temp\1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Users\Admin\AppData\Local\Temp\1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
        "C:\Users\Admin\AppData\Local\Temp\1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1796

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Windows Sidebar\Shared Gadgets\beast public mistress .avi.exe

    Filesize

    957KB

    MD5

    d42a6dfe9a96772cbded5754e57ac2ef

    SHA1

    29fc18fe2745aeaa49ad927f88edab5ce72069ba

    SHA256

    d24de8bf42de562baf86714c802f431a717aab3489b3c5b89d7121c7852ff4b4

    SHA512

    254da5d5dadf671342adc1f7325126e938b661a16c156cc3d43d695ad4e8134fccad62c52fa29d8170f5408fb8c14d3fcf309d0f4acff6f6d239039ee06d82bc

  • C:\debug.txt

    Filesize

    183B

    MD5

    516cb686d0bc95d3dfdffa5f2e113917

    SHA1

    1b484e90785155c823275578df08295c91437589

    SHA256

    043bbcd2d737cedbbf217527fed3779c7802fa521ad8b1d91ac8d22b6e114b6a

    SHA512

    313376eaa2d6ecd0963be432a0bc5ed66820c34bc319a1b7a44130a650e4031c66b1a66f7f33cc98e0ad4463b8fb7a8cedb4d82a855ba6079b21c04d28744608