Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
20/08/2024, 12:59
Static task
static1
Behavioral task
behavioral1
Sample
11be78b744d48be7f5c1438c93fa28fc0b66ddc5fad50d091149a951f3002c49.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
11be78b744d48be7f5c1438c93fa28fc0b66ddc5fad50d091149a951f3002c49.exe
Resource
win10v2004-20240802-en
General
-
Target
11be78b744d48be7f5c1438c93fa28fc0b66ddc5fad50d091149a951f3002c49.exe
-
Size
4.1MB
-
MD5
87842c44385a9c22e2d47b4fe85566dc
-
SHA1
10e5c0d68e885843ce2ba5ca1cf44b47668d8e85
-
SHA256
11be78b744d48be7f5c1438c93fa28fc0b66ddc5fad50d091149a951f3002c49
-
SHA512
6e73439c4d93630d098f36139888aecb8f04666739cad81d8493115caf7876c21f8180d92fdf95b101802a4ca822679ee0ba16866e695c9a53b968d636c680de
-
SSDEEP
49152:RYb8pEkg/hv5VZtZ81CxBss47oBTQfjTajnoFzJjss+exivznT7b5dRjy8v1jlxh:RQQfgJ7lxSEOjhFtj5ALvFzyAjXh
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2028 set thread context of 2940 2028 11be78b744d48be7f5c1438c93fa28fc0b66ddc5fad50d091149a951f3002c49.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 11be78b744d48be7f5c1438c93fa28fc0b66ddc5fad50d091149a951f3002c49.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 11be78b744d48be7f5c1438c93fa28fc0b66ddc5fad50d091149a951f3002c49.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2940 11be78b744d48be7f5c1438c93fa28fc0b66ddc5fad50d091149a951f3002c49.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2940 11be78b744d48be7f5c1438c93fa28fc0b66ddc5fad50d091149a951f3002c49.exe Token: SeBackupPrivilege 2940 11be78b744d48be7f5c1438c93fa28fc0b66ddc5fad50d091149a951f3002c49.exe Token: SeSecurityPrivilege 2940 11be78b744d48be7f5c1438c93fa28fc0b66ddc5fad50d091149a951f3002c49.exe Token: SeSecurityPrivilege 2940 11be78b744d48be7f5c1438c93fa28fc0b66ddc5fad50d091149a951f3002c49.exe Token: SeSecurityPrivilege 2940 11be78b744d48be7f5c1438c93fa28fc0b66ddc5fad50d091149a951f3002c49.exe Token: SeSecurityPrivilege 2940 11be78b744d48be7f5c1438c93fa28fc0b66ddc5fad50d091149a951f3002c49.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2028 wrote to memory of 2940 2028 11be78b744d48be7f5c1438c93fa28fc0b66ddc5fad50d091149a951f3002c49.exe 30 PID 2028 wrote to memory of 2940 2028 11be78b744d48be7f5c1438c93fa28fc0b66ddc5fad50d091149a951f3002c49.exe 30 PID 2028 wrote to memory of 2940 2028 11be78b744d48be7f5c1438c93fa28fc0b66ddc5fad50d091149a951f3002c49.exe 30 PID 2028 wrote to memory of 2940 2028 11be78b744d48be7f5c1438c93fa28fc0b66ddc5fad50d091149a951f3002c49.exe 30 PID 2028 wrote to memory of 2940 2028 11be78b744d48be7f5c1438c93fa28fc0b66ddc5fad50d091149a951f3002c49.exe 30 PID 2028 wrote to memory of 2940 2028 11be78b744d48be7f5c1438c93fa28fc0b66ddc5fad50d091149a951f3002c49.exe 30 PID 2028 wrote to memory of 2940 2028 11be78b744d48be7f5c1438c93fa28fc0b66ddc5fad50d091149a951f3002c49.exe 30 PID 2028 wrote to memory of 2940 2028 11be78b744d48be7f5c1438c93fa28fc0b66ddc5fad50d091149a951f3002c49.exe 30 PID 2028 wrote to memory of 2940 2028 11be78b744d48be7f5c1438c93fa28fc0b66ddc5fad50d091149a951f3002c49.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\11be78b744d48be7f5c1438c93fa28fc0b66ddc5fad50d091149a951f3002c49.exe"C:\Users\Admin\AppData\Local\Temp\11be78b744d48be7f5c1438c93fa28fc0b66ddc5fad50d091149a951f3002c49.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Users\Admin\AppData\Local\Temp\11be78b744d48be7f5c1438c93fa28fc0b66ddc5fad50d091149a951f3002c49.exe"C:\Users\Admin\AppData\Local\Temp\11be78b744d48be7f5c1438c93fa28fc0b66ddc5fad50d091149a951f3002c49.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b