Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
31/08/2024, 11:51
Behavioral task
behavioral1
Sample
0125adef6e9eed738ebac6e35c21c5ea.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
0125adef6e9eed738ebac6e35c21c5ea.exe
Resource
win10v2004-20240802-en
General
-
Target
0125adef6e9eed738ebac6e35c21c5ea.exe
-
Size
482KB
-
MD5
0125adef6e9eed738ebac6e35c21c5ea
-
SHA1
ea37d0d7f4b5f9d8577ade5c1a2f9c6558c2ca2d
-
SHA256
847f0f5e71d536638fbd6c3141b0508c9f3ae1e1e4e9619ebc4e65b627a7c5d4
-
SHA512
49e6134cf459de8c9a778a511b03bd514b222c9c98849ffb1dffd315911eb095677ae4787132ec32a7cdaafffb68d44696ee2db55348c3c106b90a5a507549f7
-
SSDEEP
6144:STz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZBAXccrnT4:STlrYw1RUh3NFn+N5WfIQIjbs/ZBsT4
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 9 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral1/memory/2936-8-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/2860-16-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral1/memory/2208-15-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral1/memory/2860-14-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral1/memory/2936-10-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/2208-9-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral1/memory/2860-18-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral1/memory/2936-23-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/2208-27-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft -
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral1/memory/2208-15-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView behavioral1/memory/2208-9-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView behavioral1/memory/2208-27-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/2936-8-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral1/memory/2936-10-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral1/memory/2936-23-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts 0125adef6e9eed738ebac6e35c21c5ea.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 588 set thread context of 2936 588 0125adef6e9eed738ebac6e35c21c5ea.exe 30 PID 588 set thread context of 2208 588 0125adef6e9eed738ebac6e35c21c5ea.exe 31 PID 588 set thread context of 2860 588 0125adef6e9eed738ebac6e35c21c5ea.exe 32 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0125adef6e9eed738ebac6e35c21c5ea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0125adef6e9eed738ebac6e35c21c5ea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0125adef6e9eed738ebac6e35c21c5ea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0125adef6e9eed738ebac6e35c21c5ea.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2936 0125adef6e9eed738ebac6e35c21c5ea.exe 2936 0125adef6e9eed738ebac6e35c21c5ea.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process 588 0125adef6e9eed738ebac6e35c21c5ea.exe 588 0125adef6e9eed738ebac6e35c21c5ea.exe 588 0125adef6e9eed738ebac6e35c21c5ea.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2860 0125adef6e9eed738ebac6e35c21c5ea.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 588 0125adef6e9eed738ebac6e35c21c5ea.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 588 wrote to memory of 2936 588 0125adef6e9eed738ebac6e35c21c5ea.exe 30 PID 588 wrote to memory of 2936 588 0125adef6e9eed738ebac6e35c21c5ea.exe 30 PID 588 wrote to memory of 2936 588 0125adef6e9eed738ebac6e35c21c5ea.exe 30 PID 588 wrote to memory of 2936 588 0125adef6e9eed738ebac6e35c21c5ea.exe 30 PID 588 wrote to memory of 2208 588 0125adef6e9eed738ebac6e35c21c5ea.exe 31 PID 588 wrote to memory of 2208 588 0125adef6e9eed738ebac6e35c21c5ea.exe 31 PID 588 wrote to memory of 2208 588 0125adef6e9eed738ebac6e35c21c5ea.exe 31 PID 588 wrote to memory of 2208 588 0125adef6e9eed738ebac6e35c21c5ea.exe 31 PID 588 wrote to memory of 2860 588 0125adef6e9eed738ebac6e35c21c5ea.exe 32 PID 588 wrote to memory of 2860 588 0125adef6e9eed738ebac6e35c21c5ea.exe 32 PID 588 wrote to memory of 2860 588 0125adef6e9eed738ebac6e35c21c5ea.exe 32 PID 588 wrote to memory of 2860 588 0125adef6e9eed738ebac6e35c21c5ea.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\0125adef6e9eed738ebac6e35c21c5ea.exe"C:\Users\Admin\AppData\Local\Temp\0125adef6e9eed738ebac6e35c21c5ea.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:588 -
C:\Users\Admin\AppData\Local\Temp\0125adef6e9eed738ebac6e35c21c5ea.exeC:\Users\Admin\AppData\Local\Temp\0125adef6e9eed738ebac6e35c21c5ea.exe /stext "C:\Users\Admin\AppData\Local\Temp\wpkljyyetk"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2936
-
-
C:\Users\Admin\AppData\Local\Temp\0125adef6e9eed738ebac6e35c21c5ea.exeC:\Users\Admin\AppData\Local\Temp\0125adef6e9eed738ebac6e35c21c5ea.exe /stext "C:\Users\Admin\AppData\Local\Temp\yjpdjrighsnaxj"2⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:2208
-
-
C:\Users\Admin\AppData\Local\Temp\0125adef6e9eed738ebac6e35c21c5ea.exeC:\Users\Admin\AppData\Local\Temp\0125adef6e9eed738ebac6e35c21c5ea.exe /stext "C:\Users\Admin\AppData\Local\Temp\jmuokjtzvaffhprtl"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2860
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD582a6aa4eb2ec491327a384c3c754c02c
SHA12bea54e2b208fb18d4189570d2b6e100426ab19a
SHA256c579b9d5ca1798ff428d77d480e6be25deac3b60b8885ab7acb7cf043beb93ac
SHA5126f6d6572575ecec8adc01d3e3f7122b0ffe4c01316469cbac4cd972406289cc21a21b0fad4364285fd4d2865e9375604929098807b726c4c12ae3ef59ea2d022
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84