Analysis
max time kernel: 110s
max time network: 17s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 17/08/2024, 07:29
Static task: static1
Behavioral task: behavioral1
  Sample: bf6a9453af6973a781a7cce63415eb60N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: bf6a9453af6973a781a7cce63415eb60N.exe
  Resource: win10v2004-20240802-en
General
Target: bf6a9453af6973a781a7cce63415eb60N.exe
Size: 700KB
MD5: bf6a9453af6973a781a7cce63415eb60
SHA1: 24feef01d2691bff6706c29dd3f5f31e3b1ff171
SHA256: 7c2e4fc17e215d7c6cda6076d2f4150891b8562d1028e5f83c4757da32ace917
SHA512: 73995f6da425c890bf122a82840639c73f335887f036ac88a4da589e08a1645f7ea20bde3a466eefb8cd80fab8dacf5e202b374f9cb3c823fc42680b880d72a2
SSDEEP: 12288:/n8yN0Mr8ZSj63hgD1ZiDJRgSKz7ucH8CA44AP03:vPuZo63iKRjKfuMJR83
Malware Config
Signatures

Executes dropped EXE (4 IoCs)
pid   Process
1016  Isass.exe
2968  Isass.exe
2912  Isass.exe
2676  bf6a9453af6973a781a7cce63415eb60N.exe

Loads dropped DLL (8 IoCs)
pid   Process
2500  bf6a9453af6973a781a7cce63415eb60N.exe
2500  bf6a9453af6973a781a7cce63415eb60N.exe
2500  bf6a9453af6973a781a7cce63415eb60N.exe
2500  bf6a9453af6973a781a7cce63415eb60N.exe
2140  bf6a9453af6973a781a7cce63415eb60N.exe
2140  bf6a9453af6973a781a7cce63415eb60N.exe
2912  Isass.exe
1016  Isass.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"  bf6a9453af6973a781a7cce63415eb60N.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"  bf6a9453af6973a781a7cce63415eb60N.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bf6a9453af6973a781a7cce63415eb60N.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bf6a9453af6973a781a7cce63415eb60N.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Isass.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Isass.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bf6a9453af6973a781a7cce63415eb60N.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Isass.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid   Process
2500  bf6a9453af6973a781a7cce63415eb60N.exe
1016  Isass.exe
2968  Isass.exe
2968  Isass.exe
2968  Isass.exe
2140  bf6a9453af6973a781a7cce63415eb60N.exe
2912  Isass.exe
2912  Isass.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
pid   Process
2676  bf6a9453af6973a781a7cce63415eb60N.exe
2676  bf6a9453af6973a781a7cce63415eb60N.exe
2676  bf6a9453af6973a781a7cce63415eb60N.exe

Suspicious use of WriteProcessMemory (23 IoCs)
description  pid  Process  procid_target
PID 2500 wrote to memory of 1016  2500  bf6a9453af6973a781a7cce63415eb60N.exe  30
PID 2500 wrote to memory of 1016  2500  bf6a9453af6973a781a7cce63415eb60N.exe  30
PID 2500 wrote to memory of 1016  2500  bf6a9453af6973a781a7cce63415eb60N.exe  30
PID 2500 wrote to memory of 1016  2500  bf6a9453af6973a781a7cce63415eb60N.exe  30
PID 2500 wrote to memory of 2968  2500  bf6a9453af6973a781a7cce63415eb60N.exe  31
PID 2500 wrote to memory of 2968  2500  bf6a9453af6973a781a7cce63415eb60N.exe  31
PID 2500 wrote to memory of 2968  2500  bf6a9453af6973a781a7cce63415eb60N.exe  31
PID 2500 wrote to memory of 2968  2500  bf6a9453af6973a781a7cce63415eb60N.exe  31
PID 2968 wrote to memory of 2140  2968  Isass.exe  32
PID 2968 wrote to memory of 2140  2968  Isass.exe  32
PID 2968 wrote to memory of 2140  2968  Isass.exe  32
PID 2968 wrote to memory of 2140  2968  Isass.exe  32
PID 2140 wrote to memory of 2912  2140  bf6a9453af6973a781a7cce63415eb60N.exe  33
PID 2140 wrote to memory of 2912  2140  bf6a9453af6973a781a7cce63415eb60N.exe  33
PID 2140 wrote to memory of 2912  2140  bf6a9453af6973a781a7cce63415eb60N.exe  33
PID 2140 wrote to memory of 2912  2140  bf6a9453af6973a781a7cce63415eb60N.exe  33
PID 2912 wrote to memory of 2676  2912  Isass.exe  34
PID 2912 wrote to memory of 2676  2912  Isass.exe  34
PID 2912 wrote to memory of 2676  2912  Isass.exe  34
PID 2912 wrote to memory of 2676  2912  Isass.exe  34
PID 2912 wrote to memory of 2676  2912  Isass.exe  34
PID 2912 wrote to memory of 2676  2912  Isass.exe  34
PID 2912 wrote to memory of 2676  2912  Isass.exe  34
Processes
C:\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe"
  PID: 2500
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Public\Microsoft Build\Isass.exe
    Command line: "C:\Users\Public\Microsoft Build\Isass.exe"
    PID: 1016
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
  C:\Users\Public\Microsoft Build\Isass.exe
    Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe
    PID: 2968
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe"
      PID: 2140
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Users\Public\Microsoft Build\Isass.exe
        Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe
        PID: 2912
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\bf6a9453af6973a781a7cce63415eb60N.exe"
          PID: 2676
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 216KB
  MD5: 816a6d1102a1a3b4d6d9c3d8dfef7045
  SHA1: ee440bbc1be28b777f9109d1fd8e3c5fe282e5b5
  SHA256: da347f6169ee82f755889c1f0079ef2a70e16bb9aacd0147ce7e689bbb4166ca
  SHA512: 3ff95d1bd74302b4e58fe1d05403a584b6f6db87d61213968956a507635668d3ac1ee78494e6228c2b3ac7a530a9e474b4259ca88f1df2b404302cddb09a5e94
- Filesize: 453KB
  MD5: 96f7cb9f7481a279bd4bc0681a3b993e
  SHA1: deaedb5becc6c0bd263d7cf81e0909b912a1afd4
  SHA256: d2893c55259772b554cb887d3e2e1f9c67f5cd5abac2ab9f4720dec507cdd290
  SHA512: 694d2da36df04db25cc5972f7cc180b77e1cb0c3b5be8b69fe7e2d4e59555efb8aa7e50b1475ad5196ca638dabde2c796ae6faeb4a31f38166838cd1cc028149