Analysis
max time kernel: 63s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 25/08/2024, 21:26
Behavioral task behavioral1
Sample: 1a0a33df99b129a04317cda6f9ee8450N.exe
Resource: win7-20240729-en
Behavioral task behavioral2
Sample: 1a0a33df99b129a04317cda6f9ee8450N.exe
Resource: win10v2004-20240802-en
General
Target: 1a0a33df99b129a04317cda6f9ee8450N.exe
Size: 87KB
MD5: 1a0a33df99b129a04317cda6f9ee8450
SHA1: 6c24864e71f40523418cb273dd2f647686f524f8
SHA256: b32401f4a1ac0bf0a8c81dc6e7ac5a11c2125d2055f2224cafba44df740684fe
SHA512: 5473aab64e531ffe53352b8c17fc4dda775f79b3fe900624918a60153727a6111a01b9d10a270149b17f4a3b9399c75fd5c4c85f2f82b956710e879cd3115187
SSDEEP: 1536:MexIYG53x/8XNYK5rJx93o8lg/x/G9apbbp3gITPTFO:MeaYG53x/8Xpx9gZ+spbbp3gIrxO
Malware Config
Signatures
StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (1 IoC)
resource: behavioral1/memory/1096-1-0x0000000000050000-0x000000000006C000-memory.dmp
yara_rule: family_stormkitty
(The family match is on a memory dump of pid 1096, i.e. the unpacked payload in memory, not on the file as submitted.)

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access to, or copy of, a web browser credential store.

Deletes itself (1 IoC)
pid 2872, process cmd.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
pid 2700, process PING.EXE
(The ping here targets 127.0.0.1 with -n 2; in this tree it is a delay loop inside the cleanup batch file rather than a real connectivity check.)

Runs ping.exe (1 TTP, 1 IoC)
pid 2700, process PING.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid 1096, process 1a0a33df99b129a04317cda6f9ee8450N.exe (4 occurrences)

Suspicious use of AdjustPrivilegeToken (41 IoCs)
pid 1096, process 1a0a33df99b129a04317cda6f9ee8450N.exe: SeDebugPrivilege
pid 2892, process wmic.exe (each token enabled twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
(wmic.exe enabling every privilege available to its token is normal behaviour for that utility and not an indicator on its own; the numeric entries are privilege LUIDs the sandbox did not resolve to names. The SeDebugPrivilege request by pid 1096 is the entry that matters.)

Suspicious use of WriteProcessMemory (9 IoCs)
PID 1096 (1a0a33df99b129a04317cda6f9ee8450N.exe) wrote to memory of 2892, procid_target 30 (3 entries)
PID 1096 (1a0a33df99b129a04317cda6f9ee8450N.exe) wrote to memory of 2872, procid_target 33 (3 entries)
PID 2872 (cmd.exe) wrote to memory of 2700, procid_target 35 (3 entries)
(Each write is from a parent into a child it has just created, matching the process tree below; this is what process creation looks like, not injection into an unrelated process.)
Processes
C:\Users\Admin\AppData\Local\Temp\1a0a33df99b129a04317cda6f9ee8450N.exe
  "C:\Users\Admin\AppData\Local\Temp\1a0a33df99b129a04317cda6f9ee8450N.exe"  (level 1, PID 1096)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid  (level 2, PID 2892)
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tmp9251.tmp.bat"  (level 2, PID 2872)
      - Deletes itself
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\PING.EXE
          ping 127.0.0.1 -n 2  (level 3, PID 2700)
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
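The process tree and the "Deletes itself" signature together show the two behaviours worth turning into detection logic: a binary in %TEMP% querying the machine UUID via wmic csproduct get uuid, and that same binary spawning cmd.exe /C on a tmp*.bat which in turn runs ping 127.0.0.1 -n 2. The page does not show the batch file's contents; reading it as "wait for the parent to exit, then del" is an assumption based on the ping delay plus the self-delete signature on pid 2872. The following is an added example, not tria.ge or StormKitty code: it runs over process-creation records constructed from the tree above in an assumed Sysmon-like shape (pid, ppid, image, cmdline; the parent pid 500 of the sample is made up) and flags both chains, while leaving the same wmic query from an interactive admin shell alone.

```python
"""Detection logic for the delayed self-deletion chain
(parent -> cmd.exe /C <Temp>\\*.bat -> ping 127.0.0.1 -n N) and the
hardware-UUID lookup (wmic csproduct get uuid) issued by a binary running
from %TEMP%. Added example; not tria.ge or StormKitty code."""
import re
from collections import defaultdict

# Constructed process-creation records in an assumed Sysmon-like shape.
# PIDs, images and command lines come from the report's process tree;
# the parent of 1096 (ppid 500) is an assumption.
EVENTS = [
    {"pid": 1096, "ppid": 500,
     "image": r"C:\Users\Admin\AppData\Local\Temp\1a0a33df99b129a04317cda6f9ee8450N.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\1a0a33df99b129a04317cda6f9ee8450N.exe"'},
    {"pid": 2892, "ppid": 1096, "image": r"C:\Windows\System32\Wbem\wmic.exe",
     "cmdline": '"wmic.exe" csproduct get uuid'},
    {"pid": 2872, "ppid": 1096, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tmp9251.tmp.bat"'},
    {"pid": 2700, "ppid": 2872, "image": r"C:\Windows\system32\PING.EXE",
     "cmdline": "ping 127.0.0.1 -n 2"},
]

# Constructed negative case: the same wmic query from an interactive admin shell.
BENIGN_EVENTS = [
    {"pid": 4000, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe"'},
    {"pid": 4010, "ppid": 4000, "image": r"C:\Windows\System32\Wbem\wmic.exe",
     "cmdline": "wmic csproduct get uuid"},
]

TEMP_DIR = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)
TEMP_BAT = re.compile(r'\\AppData\\Local\\Temp\\[^"\s]+\.bat\b', re.IGNORECASE)
PING_LOOPBACK = re.compile(r'\bping(?:\.exe)?\b.*\b127\.0\.0\.1\b.*\s-n\s+\d+', re.IGNORECASE)
WMIC_UUID = re.compile(r'\bcsproduct\b.*\bget\b.*\buuid\b', re.IGNORECASE)


def image_name(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, parent_pid) tuples for the two patterns, in event order."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for e in events:
        name = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        cmd = e["cmdline"]

        # (a) cmd.exe /C running a .bat out of %TEMP% whose child is a loopback
        #     ping with -n: the usual "wait for the parent to exit, then del" idiom.
        if name == "cmd.exe" and "/c" in cmd.lower() and TEMP_BAT.search(cmd):
            if any(PING_LOOPBACK.search(c["cmdline"]) for c in children[e["pid"]]):
                findings.append(("self_delete_batch", e["pid"], e["ppid"]))

        # (b) wmic csproduct get uuid where the parent itself runs from %TEMP%:
        #     a machine fingerprint collected by a dropped binary, not by an admin.
        if (name == "wmic.exe" and WMIC_UUID.search(cmd)
                and parent is not None and TEMP_DIR.search(parent["image"])):
            findings.append(("wmic_uuid_fingerprint", e["pid"], e["ppid"]))
    return findings


if __name__ == "__main__":
    for rule, pid, ppid in detect(EVENTS):
        print(f"{rule}: pid {pid} (parent {ppid})")
```

The parent-image condition on the wmic rule is what keeps the false-positive rate sane: the query itself is legitimate inventory tooling, and it is the %TEMP% parent that makes it an indicator. For the self-deletion rule, requiring both the temp-path .bat and the loopback ping child is deliberate; either half alone (installers also clean up via batch files) is too noisy to page on.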
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
Filesize: 170B
MD5: f8727fa1fc939a0f629a2f78f7aef501
SHA1: 0abe12adf095b4cbf939aad62138eaf33b0632ed
SHA256: 3b48fa9e32188f6d72bd2301372ae3640a0a7d2d7c969da92c8e7374d74a45e6
SHA512: 7d91fbf40c4865f4dcebf14b7cabae331de5917671ff39818871826fcdb509806a9b43750c09176b0c325484fc3656290360306c290f42b23d8d6c0d6d6bc662