Analysis
max time kernel: 119s
max time network: 118s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 21/08/2024, 19:56
Static task: static1
Behavioral task: behavioral1
  Sample: f11c7bce06ba3ffcb49c370e81607da0N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: f11c7bce06ba3ffcb49c370e81607da0N.exe
  Resource: win10v2004-20240802-en
General
Target: f11c7bce06ba3ffcb49c370e81607da0N.exe
Size: 538KB
MD5: f11c7bce06ba3ffcb49c370e81607da0
SHA1: 43c21f0230ed183d9da37d68411dff6002bc8907
SHA256: 86e32debc724ab505081f11fd3fc8088cdf26654411053deb76a4aec3d7e665a
SHA512: e59b0ba543ca9fa6b457f578481072745a4571f2cd3f351226ecaa513b6260e189cc5af9811d6f0c7373e3c9902b3ef632d8b6c9cae18663932697f4ec20f453
SSDEEP: 12288:/n8yN0Mr8ZJJw1jm0Uq+pnWHDiZPWho5hWcrIm+xM/EWGKWYuaP:vPuZJK1Kbgq+h2rdjWYb
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
  PID   Process
  2688  Isass.exe
  2364  Isass.exe
  2708  f11c7bce06ba3ffcb49c370e81607da0N.exe
Loads dropped DLL (6 IoCs)
  PID   Process
  2640  f11c7bce06ba3ffcb49c370e81607da0N.exe
  2640  f11c7bce06ba3ffcb49c370e81607da0N.exe
  2640  f11c7bce06ba3ffcb49c370e81607da0N.exe
  2640  f11c7bce06ba3ffcb49c370e81607da0N.exe
  2364  Isass.exe
  2688  Isass.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"
  Process: f11c7bce06ba3ffcb49c370e81607da0N.exe

  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"
  Process: f11c7bce06ba3ffcb49c370e81607da0N.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f11c7bce06ba3ffcb49c370e81607da0N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Isass.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Isass.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f11c7bce06ba3ffcb49c370e81607da0N.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID   Process
  2640  f11c7bce06ba3ffcb49c370e81607da0N.exe
  2688  Isass.exe
  2364  Isass.exe
  2364  Isass.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Description                        PID   Process                                Target PID
  PID 2640 wrote to memory of 2688   2640  f11c7bce06ba3ffcb49c370e81607da0N.exe  30
  PID 2640 wrote to memory of 2688   2640  f11c7bce06ba3ffcb49c370e81607da0N.exe  30
  PID 2640 wrote to memory of 2688   2640  f11c7bce06ba3ffcb49c370e81607da0N.exe  30
  PID 2640 wrote to memory of 2688   2640  f11c7bce06ba3ffcb49c370e81607da0N.exe  30
  PID 2640 wrote to memory of 2364   2640  f11c7bce06ba3ffcb49c370e81607da0N.exe  31
  PID 2640 wrote to memory of 2364   2640  f11c7bce06ba3ffcb49c370e81607da0N.exe  31
  PID 2640 wrote to memory of 2364   2640  f11c7bce06ba3ffcb49c370e81607da0N.exe  31
  PID 2640 wrote to memory of 2364   2640  f11c7bce06ba3ffcb49c370e81607da0N.exe  31
  PID 2364 wrote to memory of 2708   2364  Isass.exe                              32
  PID 2364 wrote to memory of 2708   2364  Isass.exe                              32
  PID 2364 wrote to memory of 2708   2364  Isass.exe                              32
  PID 2364 wrote to memory of 2708   2364  Isass.exe                              32
Processes
C:\Users\Admin\AppData\Local\Temp\f11c7bce06ba3ffcb49c370e81607da0N.exe (PID 2640, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f11c7bce06ba3ffcb49c370e81607da0N.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\Microsoft Build\Isass.exe (PID 2688, level 2)
    Command line: "C:\Users\Public\Microsoft Build\Isass.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\Users\Public\Microsoft Build\Isass.exe (PID 2364, level 2)
    Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\f11c7bce06ba3ffcb49c370e81607da0N.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\f11c7bce06ba3ffcb49c370e81607da0N.exe (PID 2708, level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\f11c7bce06ba3ffcb49c370e81607da0N.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 216KB
  MD5: 0609171772ed1682bd6adb41673f32b2
  SHA1: 75456deb7fe05cc2a5806623b6b216bc4fc47243
  SHA256: de84bb36c0b33b5ddc3f6d54c8b087649b51e8cf8a80bace4fd92258d46443e3
  SHA512: 693c912a8253c62a446f072035f9775dfce0c45b0160710ee4bf8a0c296af0f9fcda24b22bc24050d837338b22371bc6eecd6f3e8ed7e0bde8b13b56e83ce778

File 2
  Filesize: 284KB
  MD5: a42b35f975d88c1370a7aff084ee57a7
  SHA1: bee1408fe0b15f6f719f003e46aee5ec424cf608
  SHA256: 56cc9e7e3767c0cffae8161bf0ad13457487c1b422e2879b897dbd4bab115776
  SHA512: b92d05515e18277db660118934e70678ee2a3bb66005bad19bb417ffaedb22a63727a5a697ca3ac0f6c48f6f5593ba45ab80f4ebdc0eaed10d80b7af04d45b23