Analysis
  max time kernel:   101s
  max time network:  21s
  platform:          windows7_x64
  resource:          win7-20240704-en
  resource tags:     arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  submitted:         14/08/2024, 02:20
Static task: static1

Behavioral task: behavioral1
  Sample:   8e56525f13bc18c4c84e461f04f957f0N.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample:   8e56525f13bc18c4c84e461f04f957f0N.exe
  Resource: win10v2004-20240802-en
General
  Target: 8e56525f13bc18c4c84e461f04f957f0N.exe
  Size:   910KB
  MD5:    8e56525f13bc18c4c84e461f04f957f0
  SHA1:   0c2b3d3c65151314cf025b46b988486b9326eeb1
  SHA256: b0368ec19dad6310577ab0b937dc9f78fcff79b2b6fa649f2cbb4e45c1e8bdc8
  SHA512: cc894436ce7fbb036688936c56a4015a061690376fc0fc4360a25d9583a54c2871df071cae43b3fc92bd4ebf5f1aeebb1bf4ba32220230268e33991f13d0fb8f
  SSDEEP: 12288:/n8yN0Mr8Zmk7aVs7IypwXK4Qzh+jMlWCEh/E8kj2fPWadHduXhus/REQpVCW:vPuZmkQIfpwiz0wy/E8c0sp5YW

  The target name is the sample's MD5 with an "N" suffix, so it carries no information about the file's original name.
Malware Config
Signatures

Executes dropped EXE (5 IoCs)
  PID   Process
  3060  Isass.exe
  2948  Isass.exe
  1476  Isass.exe
  2456  8e56525f13bc18c4c84e461f04f957f0N.exe
  2968  8e56525f13bc18c4c84e461f04f957f0N.exe

Loads dropped DLL (9 IoCs)
  PID   Process
  3008  8e56525f13bc18c4c84e461f04f957f0N.exe  (4 events)
  2392  8e56525f13bc18c4c84e461f04f957f0N.exe
  1476  Isass.exe
  2456  8e56525f13bc18c4c84e461f04f957f0N.exe
  2968  8e56525f13bc18c4c84e461f04f957f0N.exe
  3060  Isass.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Description      IoC                                                                                                                                                  Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"  8e56525f13bc18c4c84e461f04f957f0N.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"                                   8e56525f13bc18c4c84e461f04f957f0N.exe

  Both values (the user hive S-1-5-21-...-1000 and the 32-bit Wow6432Node view of HKLM on this x64 image) point at the same dropped file. Its name as captured starts with a capital I, not the lowercase l of the genuine lsass.exe, which lives in C:\Windows\System32 and is never registered under a Run key. An autorun entry for a file of that name under C:\Users\Public is the indicator to hunt for.
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8e56525f13bc18c4c84e461f04f957f0N.exe  (4 events)
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Isass.exe  (3 events)
Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID   Process
  3008  8e56525f13bc18c4c84e461f04f957f0N.exe
  3060  Isass.exe
  2948  Isass.exe  (3 events)
  2392  8e56525f13bc18c4c84e461f04f957f0N.exe
  1476  Isass.exe  (2 events)
Suspicious use of WriteProcessMemory (30 IoCs)
  Description                       PID   Process                                procid_target  Count
  PID 3008 wrote to memory of 3060  3008  8e56525f13bc18c4c84e461f04f957f0N.exe  29             4
  PID 3008 wrote to memory of 2948  3008  8e56525f13bc18c4c84e461f04f957f0N.exe  30             4
  PID 2948 wrote to memory of 2392  2948  Isass.exe                              31             4
  PID 2392 wrote to memory of 1476  2392  8e56525f13bc18c4c84e461f04f957f0N.exe  32             4
  PID 1476 wrote to memory of 2456  1476  Isass.exe                              33             7
  PID 2456 wrote to memory of 2968  2456  8e56525f13bc18c4c84e461f04f957f0N.exe  34             7

  Every edge runs from a parent to the child it has just spawned; the pairs are exactly the parent/child pairs of the Processes tree below. Writing into a freshly created child is what CreateProcess itself does while setting the child up, so this signature on its own is not evidence of injection into an unrelated process. The case worth a closer look is a write whose target is not the writer's own child, and there is none in this run.
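The two checks a hunter would run against autorun entries like the ones in the "Adds Run key to start application" signature above, as an added example (not Triage's code and not the sample's): is the target in a user-writable directory, and does its file name imitate a Windows system process through look-alike characters. The target list, the homoglyph map and the directory list are assumptions; the sample entries are constructed from the report's two IoCs plus one benign Windows entry for contrast.

```python
"""Flag autorun (Run key) entries for a user-writable target directory and
for file names that imitate Windows system processes.

Added example, not Triage's code or the sample's. LOOKALIKE_TARGETS,
HOMOGLYPHS and SUSPICIOUS_DIRS are assumptions; SAMPLE_ENTRIES is
constructed from the report's two Run-key IoCs plus one benign entry.
"""
from typing import Optional

# Windows binaries whose names malware commonly imitates (assumed list).
LOOKALIKE_TARGETS = {"lsass.exe", "svchost.exe", "csrss.exe", "explorer.exe",
                     "winlogon.exe", "services.exe"}

# Characters routinely swapped for one another in impostor names (assumed map).
HOMOGLYPHS = str.maketrans({"I": "l", "|": "l", "1": "l", "0": "o", "5": "s"})

# Directories from which an autorun binary is rarely legitimate (assumed list).
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "c:\\programdata\\",
                   "c:\\windows\\temp\\", "\\appdata\\local\\temp\\")

SYSTEM32 = "c:\\windows\\system32\\"


def exe_from_command(cmd: str) -> str:
    """Return the executable path from a Run value, whether quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def lookalike_of(filename: str) -> Optional[str]:
    """Return the legitimate name `filename` imitates, or None.

    An exact (case-insensitive) match is not a look-alike; a genuine system
    name running from the wrong directory is judged by assess_run_entry.
    """
    if filename.lower() in LOOKALIKE_TARGETS:
        return None
    folded = filename.translate(HOMOGLYPHS).lower()
    return folded if folded in LOOKALIKE_TARGETS else None


def assess_run_entry(command: str) -> list:
    """Return the reasons an autorun command looks suspicious (empty = clean)."""
    exe = exe_from_command(command)
    exe_lower = exe.lower()
    name = exe.rsplit("\\", 1)[-1]
    reasons = []
    if any(d in exe_lower for d in SUSPICIOUS_DIRS):
        reasons.append(f"target lives in a user-writable location: {exe}")
    mimic = lookalike_of(name)
    if mimic:
        reasons.append(f"file name {name!r} imitates {mimic!r}")
    if name.lower() in LOOKALIKE_TARGETS and not exe_lower.startswith(SYSTEM32):
        reasons.append(f"system binary name {name!r} outside System32")
    return reasons


def triage_autoruns(entries):
    """Map 'key\\value' -> reasons for every entry that has at least one."""
    findings = {}
    for key_path, value_name, command in entries:
        reasons = assess_run_entry(command)
        if reasons:
            findings[f"{key_path}\\{value_name}"] = reasons
    return findings


# Constructed from the report's two IoCs (the report prints the REG_SZ data
# with doubled backslashes; the stored value is the quoted path) plus one
# benign Windows entry for contrast.
SAMPLE_ENTRIES = [
    (r"\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000"
     r"\Software\Microsoft\Windows\CurrentVersion\Run",
     "Isass.exe", r'"C:\Users\Public\Microsoft Build\Isass.exe"'),
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "Isass.exe", r'"C:\Users\Public\Microsoft Build\Isass.exe"'),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for key, reasons in triage_autoruns(SAMPLE_ENTRIES).items():
        print(key)
        for reason in reasons:
            print("   ", reason)
```

The homoglyph fold is deliberately applied only to the file name and only compared against an allow-list of system names, so a legitimate "explorer.exe" is never reported as imitating itself; a real system name in the wrong directory is reported by the separate System32 check.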
Processes

[1] PID 3008  C:\Users\Admin\AppData\Local\Temp\8e56525f13bc18c4c84e461f04f957f0N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8e56525f13bc18c4c84e461f04f957f0N.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

  [2] PID 3060  C:\Users\Public\Microsoft Build\Isass.exe
      Command line: "C:\Users\Public\Microsoft Build\Isass.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

  [2] PID 2948  C:\Users\Public\Microsoft Build\Isass.exe
      Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\8e56525f13bc18c4c84e461f04f957f0N.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    [3] PID 2392  C:\Users\Admin\AppData\Local\Temp\8e56525f13bc18c4c84e461f04f957f0N.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\8e56525f13bc18c4c84e461f04f957f0N.exe"
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

      [4] PID 1476  C:\Users\Public\Microsoft Build\Isass.exe
          Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\8e56525f13bc18c4c84e461f04f957f0N.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

        [5] PID 2456  C:\Users\Admin\AppData\Local\Temp\8e56525f13bc18c4c84e461f04f957f0N.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\8e56525f13bc18c4c84e461f04f957f0N.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

          [6] PID 2968  C:\Windows\Temp\{78B1654A-33E2-45CA-9CA0-F232C10AF268}\.cr\8e56525f13bc18c4c84e461f04f957f0N.exe
              Command line: "C:\Windows\Temp\{78B1654A-33E2-45CA-9CA0-F232C10AF268}\.cr\8e56525f13bc18c4c84e461f04f957f0N.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\8e56525f13bc18c4c84e461f04f957f0N.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery

Reading the tree: the sample (3008) writes the Run keys for Isass.exe and starts it twice, once with no arguments (3060) and once with the arguments "Tablet <path of the original sample>" (2948). That second instance relaunches the sample from its original path (2392), which starts Isass.exe with the same "Tablet" arguments again (1476), which relaunches the sample once more (2456). Only the last process in the chain (2968) does something different: it runs from C:\Windows\Temp\{GUID}\.cr\ with -burn.clean.room=<original path>, -burn.filehandle.attached and -burn.filehandle.self. Those are the switches the WiX Burn bootstrapper uses when it relaunches itself from a "clean room" copy, so the command line is consistent with the 910KB sample being, or wrapping, a Burn installer bundle. The persisted copy in C:\Users\Public re-executes the sample by its original path under the submitting user's Temp directory, so the chain seen here depends on that file still being present.
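The WriteProcessMemory signature and the Processes tree above are two views of the same parent/child relationships. The added example below (not Triage's code) parses the flattened IoC text of the WriteProcessMemory signature into edges, rebuilds the tree with the same depth numbers Triage prints, and then checks every write against the parentage from the Processes section, so that a write into anything other than the writer's own child stands out. SAMPLE_WPM is a constructed excerpt in the page's own flattened format; PROCESS_PARENTS is transcribed from the tree above.

```python
"""Rebuild a process tree from Triage's flattened 'Suspicious use of
WriteProcessMemory' IoC text and compare it with the Processes section.

Added example, not Triage's code. SAMPLE_WPM is a constructed excerpt in
the page's format (entries repeated and run together on one line, as on
the page); PROCESS_PARENTS is transcribed from the Processes tree.
"""
import re
from collections import Counter, defaultdict

# One IoC: "PID <writer> wrote to memory of <target> <pid> <image> <procid_target>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)\s+(\d+)\s+(\S+)\s+(\d+)")

SAMPLE_WPM = """\
PID 3008 wrote to memory of 3060 3008 8e56525f13bc18c4c84e461f04f957f0N.exe 29 PID 3008 wrote to memory of 3060 3008 8e56525f13bc18c4c84e461f04f957f0N.exe 29
PID 3008 wrote to memory of 2948 3008 8e56525f13bc18c4c84e461f04f957f0N.exe 30
PID 2948 wrote to memory of 2392 2948 Isass.exe 31
PID 2392 wrote to memory of 1476 2392 8e56525f13bc18c4c84e461f04f957f0N.exe 32
PID 1476 wrote to memory of 2456 1476 Isass.exe 33
PID 2456 wrote to memory of 2968 2456 8e56525f13bc18c4c84e461f04f957f0N.exe 34
PID 2456 wrote to memory of 2968 2456 8e56525f13bc18c4c84e461f04f957f0N.exe 34
"""

# Parent of each child PID as listed in the Processes section of the report.
PROCESS_PARENTS = {3060: 3008, 2948: 3008, 2392: 2948, 1476: 2392, 2456: 1476, 2968: 2456}


def parse_wpm(text):
    """Count each (writer_pid, target_pid, writer_image, procid_target) edge.

    Rows whose description PID disagrees with the pid column are skipped.
    """
    edges = Counter()
    for m in WPM_RE.finditer(text):
        writer, target, pid_col, image, procid_target = m.groups()
        if writer != pid_col:
            continue
        edges[(int(writer), int(target), image, int(procid_target))] += 1
    return edges


def build_tree(edges):
    """Return (roots, children, images) derived from the WPM edges.

    Roots are writers never written to themselves. `images` only knows the
    writers' names: no WPM row names the target image, so a leaf's image
    has to come from the Processes section.
    """
    children, images = defaultdict(set), {}
    writers, targets = set(), set()
    for writer, target, image, _ in edges:
        children[writer].add(target)
        images[writer] = image
        writers.add(writer)
        targets.add(target)
    return sorted(writers - targets), {p: sorted(c) for p, c in children.items()}, images


def render(pids, children, images, depth=1):
    """Indented '[depth] PID image' lines, numbered like Triage's tree."""
    lines = []
    for pid in pids:
        image = images.get(pid, "(image not in WPM data)")
        lines.append(f"{'  ' * (depth - 1)}[{depth}] {pid} {image}")
        lines.extend(render(children.get(pid, []), children, images, depth + 1))
    return lines


def max_depth(pids, children, depth=1):
    """Length of the longest parent->child chain below `pids`."""
    if not pids:
        return depth - 1
    return max(max_depth(children.get(p, []), children, depth + 1) for p in pids)


def foreign_writes(edges, parents):
    """WPM edges whose target is not the writer's own child.

    A parent writing into the child it has just created is what
    CreateProcess itself does; a write into any other process is the one
    worth treating as possible injection.
    """
    return sorted(e for e in edges if parents.get(e[1]) != e[0])


if __name__ == "__main__":
    edges = parse_wpm(SAMPLE_WPM)
    roots, children, images = build_tree(edges)
    print("\n".join(render(roots, children, images)))
    print("deepest chain:", max_depth(roots, children))
    print("writes outside own child:", foreign_writes(edges, PROCESS_PARENTS))
```

On the page's data the rebuilt tree has one root (3008), a deepest chain of six, and no foreign writes, which is the basis for reading the signature as process launch rather than injection. Feeding the parser a row such as "PID 3008 wrote to memory of 1234 ..." for a PID that is not a child of 3008 is what would make foreign_writes return something.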
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 256KB
  MD5:    ff50b5d0f14788a29b1339dcd91a0900
  SHA1:   f78f7c8dd81d27cd9a1fd6ef295b2d42ff3bed85
  SHA256: 52c5071ede287e89c3d8518c075ad507264b030bd50b5c01488b9aeccac4b6d0
  SHA512: 17b32f0376e1f3fb919131b823881d7d512cddfa3eba9db2a2b0d8e2deb76f587b4f97a43c58b55f5ac937adfcee86916054c2f74539fcae642ab6987c6b627c

Filesize: 1KB
  MD5:    d6bd210f227442b3362493d046cea233
  SHA1:   ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
  SHA256: 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
  SHA512: 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Filesize: 632KB
  MD5:    c27046bd35c5717084bb40c7305b941a
  SHA1:   51510a7753dd2a1236b34b495db21ef18a74c25c
  SHA256: e0bc82c13bcd1ade084a0421dab88e23e9cc5499323449e585e7dd2116951bd3
  SHA512: df9dc98043ea5b86c671e769a75e569366223c5a291f5eed22f68af9783a0aa295d8bb0ee0b510767cce7961f2e501124d9fe656044766644e18682f21446214

Filesize: 191KB
  MD5:    eab9caf4277829abdf6223ec1efa0edd
  SHA1:   74862ecf349a9bedd32699f2a7a4e00b4727543d
  SHA256: a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
  SHA512: 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2