Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
05/07/2024, 18:05
Static task
static1
Behavioral task
behavioral1
Sample
06eb63c2c1c340458210f4686c15033955499311f9f2477434e4a2bb38983ccf.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
06eb63c2c1c340458210f4686c15033955499311f9f2477434e4a2bb38983ccf.exe
Resource
win10v2004-20240704-en
General
-
Target
06eb63c2c1c340458210f4686c15033955499311f9f2477434e4a2bb38983ccf.exe
-
Size
17KB
-
MD5
90d47e2e5f4706b817082b4f3e2d7c68
-
SHA1
d3fc7d6ec08417522eebe4b87dab4a1f5be94c5c
-
SHA256
06eb63c2c1c340458210f4686c15033955499311f9f2477434e4a2bb38983ccf
-
SHA512
31c4d096eacd3b038892a7fd0dc406e40514e15cd18b1ef375daa7292f97706df8d361a99de9a76ea60c73dcaf9352b5d6ab119acbf21b41a9a1c64ea09aa538
-
SSDEEP
384:x+uPfoQ+DfYMzKdPEsOuubuEG3KHM2/wku+4i:IMAQ+BzWPEwnE+KHM2/wku+P
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2712 svhost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" 06eb63c2c1c340458210f4686c15033955499311f9f2477434e4a2bb38983ccf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winhost = "C:\\Windows\\svhost.exe" svhost.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\svhost.exe 06eb63c2c1c340458210f4686c15033955499311f9f2477434e4a2bb38983ccf.exe File created C:\Windows\svhost.exe svhost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2864 06eb63c2c1c340458210f4686c15033955499311f9f2477434e4a2bb38983ccf.exe Token: SeDebugPrivilege 2712 svhost.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2864 wrote to memory of 2712 2864 06eb63c2c1c340458210f4686c15033955499311f9f2477434e4a2bb38983ccf.exe 30 PID 2864 wrote to memory of 2712 2864 06eb63c2c1c340458210f4686c15033955499311f9f2477434e4a2bb38983ccf.exe 30 PID 2864 wrote to memory of 2712 2864 06eb63c2c1c340458210f4686c15033955499311f9f2477434e4a2bb38983ccf.exe 30 PID 2864 wrote to memory of 2712 2864 06eb63c2c1c340458210f4686c15033955499311f9f2477434e4a2bb38983ccf.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\06eb63c2c1c340458210f4686c15033955499311f9f2477434e4a2bb38983ccf.exe"C:\Users\Admin\AppData\Local\Temp\06eb63c2c1c340458210f4686c15033955499311f9f2477434e4a2bb38983ccf.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\svhost.exe"C:\Windows\svhost.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
17KB
MD51081074a59a3ddd91d89be77ef0fa8d7
SHA18d48aaa94c63861cafbc0c564e97f43b89e29058
SHA2565563ccb132026426c007710f5425e78696fbaaefe3b152e5a98bc7b9b9f2cd1e
SHA512259c14931f6a7e82101ae7faa560c47a5023655b323dacfcafa1b144a478d32544207134e7400a0887252e15f2bf065e2918c15b317296b948a93edb20e7005a
-
Filesize
16KB
MD576fd02b48297edb28940bdfa3fa1c48a
SHA1bf5cae1057a0aca8bf3aab8b121fe77ebb0788ce
SHA25607abd35f09b954eba7011ce18b225017c50168e039732680df58ae703324825c
SHA51228c7bf4785547f6df9d678699a55cfb24c429a2bac5375733ff2f760c92933190517d8acd740bdf69c3ecc799635279af5d7ebd848c5b471318d1f330c441ff0