Analysis
- max time kernel: 110s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 19/08/2024, 02:10
Static task: static1
Behavioral task: behavioral1
Sample: e2fdb6d289db0d8c4a63ed3fd819f9b0N.exe
Resource: win7-20240708-en
General
- Target: e2fdb6d289db0d8c4a63ed3fd819f9b0N.exe
- Size: 534KB
- MD5: e2fdb6d289db0d8c4a63ed3fd819f9b0
- SHA1: e505b8b547d9ea3a5310a58deb9246759b209f2b
- SHA256: 87cffd53d64ae9caf17af8f4e3dc7af6d5e93a717420f51f6f2c378f708c35fb
- SHA512: 5ba498a908b98e1c2c4a6b4f1d4b38e20464d66a7afc7b35f59968a462661349b9a6ce40473052771e30d99b6d8695bbc1e1aeae896e6c66701d0690be9e4ea5
- SSDEEP: 6144:dB3ULOJQSfbzDRU5DJqj2uUZARbHwFynJjtK3d7t:P3ULO2oiSBwFynJ5KN7t
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (5 IoCs)
  description                  | ioc                                                                        | Process
  File opened for modification | C:\Program Files\7-Zip\7z.exe                                              | e2fdb6d289db0d8c4a63ed3fd819f9b0N.exe
  File opened for modification | C:\Program Files\7-Zip\7zFM.exe                                            | e2fdb6d289db0d8c4a63ed3fd819f9b0N.exe
  File opened for modification | C:\Program Files\7-Zip\7zG.exe                                             | e2fdb6d289db0d8c4a63ed3fd819f9b0N.exe
  File opened for modification | C:\Program Files\7-Zip\Uninstall.exe                                       | e2fdb6d289db0d8c4a63ed3fd819f9b0N.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe     | e2fdb6d289db0d8c4a63ed3fd819f9b0N.exe
- Program crash (1 IoCs)
  pid  | pid_target | Process      | procid_target
  3040 | 2360       | WerFault.exe | 29
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                          | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e2fdb6d289db0d8c4a63ed3fd819f9b0N.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid  | Process
  2360 | e2fdb6d289db0d8c4a63ed3fd819f9b0N.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                      | pid  | Process                               | procid_target
  PID 2360 wrote to memory of 3040 | 2360 | e2fdb6d289db0d8c4a63ed3fd819f9b0N.exe | 31
  PID 2360 wrote to memory of 3040 | 2360 | e2fdb6d289db0d8c4a63ed3fd819f9b0N.exe | 31
  PID 2360 wrote to memory of 3040 | 2360 | e2fdb6d289db0d8c4a63ed3fd819f9b0N.exe | 31
  PID 2360 wrote to memory of 3040 | 2360 | e2fdb6d289db0d8c4a63ed3fd819f9b0N.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\e2fdb6d289db0d8c4a63ed3fd819f9b0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e2fdb6d289db0d8c4a63ed3fd819f9b0N.exe"
  PID: 2360
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 156
    PID: 3040
    - Program crash