Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 110s
max time network: 25s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 04/09/2024, 22:10
Static task: static1
Behavioral task: behavioral1
  Sample: cd32da2cae57c30b9b3b3b5492c72920N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: cd32da2cae57c30b9b3b3b5492c72920N.exe
  Resource: win10v2004-20240802-en
General
Target: cd32da2cae57c30b9b3b3b5492c72920N.exe
Size: 167KB
MD5: cd32da2cae57c30b9b3b3b5492c72920
SHA1: d16bc032feff8280bf170efe526f3207f40f3443
SHA256: e5b02d9b47a711b29e54d8d818c66003e68fe004d4c33d4f80e8ba3340a87e35
SHA512: 96e0c0a18993a8942cc26230159e1205a421c86d0689c19cfd989b01561c283497d80510c176d32ba76caafb80ca2bc6cab2d08c7bed9175d90c09d4768ad8ec
SSDEEP: 3072:j7XdyeLiDIG+MrLE69kHpFLw90lfZSeDIRKe0pewIUW1xTBwUQBzbTFr:j7oeLiDIG+MPE6c2Qz0RKTYv1qdRr
Malware Config
Signatures
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

resource                                                                      yara_rule
behavioral1/memory/568-2-0x0000000000400000-0x000000000043D000-memory.dmp     upx
behavioral1/memory/2952-5-0x0000000000400000-0x000000000043D000-memory.dmp    upx
behavioral1/memory/2952-7-0x0000000000400000-0x000000000043D000-memory.dmp    upx
behavioral1/memory/568-14-0x0000000000400000-0x000000000043D000-memory.dmp    upx
behavioral1/memory/568-68-0x0000000000400000-0x000000000043D000-memory.dmp    upx
behavioral1/memory/2536-74-0x0000000000400000-0x000000000043D000-memory.dmp   upx
behavioral1/memory/2536-75-0x0000000000400000-0x000000000043D000-memory.dmp   upx
behavioral1/memory/568-76-0x0000000000400000-0x000000000043D000-memory.dmp    upx
behavioral1/memory/568-177-0x0000000000400000-0x000000000043D000-memory.dmp   upx
Adds Run key to start application 2 TTPs 1 IoCs
description        ioc                                                                                                                                                          Process
Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"    cd32da2cae57c30b9b3b3b5492c72920N.exe
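The Run-key row above is the kind of entry worth an automated check: the value data points at a file named conhost.exe under the user's AppData\Roaming, a legitimate Windows binary name in a directory where that binary never lives, and the key sits under Wow6432Node, which is where WOW64 registry redirection sends a 32-bit writer on a 64-bit host. The Python below is an added example, not part of the Triage report or of the sample. It feeds the row exactly as printed above (quoted value data with doubled backslashes) plus a constructed benign entry through a small masquerading check. The list of system binary names and the set of user-writable path markers are my own assumptions, not something the report states.

```python
import ntpath

# Assumption (not from the report): executables that legitimately live only in
# System32/SysWOW64. A Run entry using one of these names anywhere else is a
# masquerading indicator (this sample uses conhost.exe, dwm.exe and csrss.exe).
SYSTEM_BINARY_NAMES = {
    "conhost.exe", "csrss.exe", "dwm.exe", "svchost.exe", "lsass.exe",
    "smss.exe", "wininit.exe", "winlogon.exe", "services.exe", "taskhostw.exe",
}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# Assumption: path fragments that mark directories an unprivileged user can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Constructed sample input: the Run-key IoC copied from the report above
# (value data quoted, backslashes doubled, as Triage prints it), plus a benign
# control entry that must not be flagged. Tuples are (key, value data, writer).
RUN_ENTRIES = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost",
     r'"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"',
     "cd32da2cae57c30b9b3b3b5492c72920N.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     r'"C:\\Windows\\System32\\SecurityHealthSystray.exe"',
     "explorer.exe"),
]


def normalize_image_path(raw):
    """Collapse the doubled backslashes, strip surrounding quotes and drop any
    trailing arguments, returning the lower-cased executable path."""
    s = raw.replace("\\\\", "\\").strip()
    if s.startswith('"'):
        close = s.find('"', 1)
        s = s[1:close] if close > 0 else s[1:]
    else:
        s = s.split(" ", 1)[0]
    return s.lower()


def assess_run_entry(key, data, writer):
    """Return a finding for one Run-key write: the normalized target path, the
    reasons it looks suspicious (empty list means benign) and whether the key
    went through WOW64 redirection (Wow6432Node = 32-bit writer on 64-bit host)."""
    path = normalize_image_path(data)
    directory, name = ntpath.split(path)
    reasons = []
    if name in SYSTEM_BINARY_NAMES and not directory.startswith(SYSTEM_DIRS):
        reasons.append(f"system binary name {name} outside System32/SysWOW64")
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        reasons.append("autorun target lives in a user-writable directory")
    return {
        "value": key.rsplit("\\", 1)[-1],
        "target": path,
        "writer": writer,
        "wow64_redirected": "\\wow6432node\\" in key.lower(),
        "reasons": reasons,
    }


def suspicious_run_entries(entries=RUN_ENTRIES):
    """Assess every (key, data, writer) tuple and keep only the flagged ones."""
    return [f for f in (assess_run_entry(*e) for e in entries) if f["reasons"]]


if __name__ == "__main__":
    for finding in suspicious_run_entries():
        print(f"{finding['writer']} -> Run\\{finding['value']} = {finding['target']}")
        for reason in finding["reasons"]:
            print("   ", reason)
```

The check deliberately works on the path string rather than the registry API so it can run over a sandbox report or a registry hive export offline; on a live host the same two predicates apply to whatever enumerates the Run keys.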
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description    ioc                                                           Process
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cd32da2cae57c30b9b3b3b5492c72920N.exe
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cd32da2cae57c30b9b3b3b5492c72920N.exe
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cd32da2cae57c30b9b3b3b5492c72920N.exe
Suspicious use of WriteProcessMemory 8 IoCs
description                         pid    Process                                  procid_target
PID 568 wrote to memory of 2952     568    cd32da2cae57c30b9b3b3b5492c72920N.exe    30
PID 568 wrote to memory of 2952     568    cd32da2cae57c30b9b3b3b5492c72920N.exe    30
PID 568 wrote to memory of 2952     568    cd32da2cae57c30b9b3b3b5492c72920N.exe    30
PID 568 wrote to memory of 2952     568    cd32da2cae57c30b9b3b3b5492c72920N.exe    30
PID 568 wrote to memory of 2536     568    cd32da2cae57c30b9b3b3b5492c72920N.exe    32
PID 568 wrote to memory of 2536     568    cd32da2cae57c30b9b3b3b5492c72920N.exe    32
PID 568 wrote to memory of 2536     568    cd32da2cae57c30b9b3b3b5492c72920N.exe    32
PID 568 wrote to memory of 2536     568    cd32da2cae57c30b9b3b3b5492c72920N.exe    32
Processes
C:\Users\Admin\AppData\Local\Temp\cd32da2cae57c30b9b3b3b5492c72920N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cd32da2cae57c30b9b3b3b5492c72920N.exe"
  PID: 568
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\cd32da2cae57c30b9b3b3b5492c72920N.exe (child of PID 568)
      Command line: C:\Users\Admin\AppData\Local\Temp\cd32da2cae57c30b9b3b3b5492c72920N.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      PID: 2952
      - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\cd32da2cae57c30b9b3b3b5492c72920N.exe (child of PID 568)
      Command line: C:\Users\Admin\AppData\Local\Temp\cd32da2cae57c30b9b3b3b5492c72920N.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      PID: 2536
      - System Location Discovery: System Language Discovery
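The WriteProcessMemory rows and the process tree above are two views of one behavior: PID 568 launches two copies of its own image, each with an argument string naming a path in a user directory, and writes into each child's memory four times. The Python below is an added example, not part of the Triage report or of the sample. It transcribes those rows as constructed input, parses them, and joins them against the process list so that the writer/target pairs, write counts, self-image relaunches and the Windows paths carried on the children's command lines come out as structured findings. The regular expressions and the assumed field order of the rows (description, pid, Process, procid_target) are my own reading of the table as printed above, not a Triage API; the "start...%..." argument shape is passed through without interpreting it.

```python
import ntpath
import re
from collections import Counter

# Constructed input transcribed from the process tree above:
# pid -> (parent pid or None, command line as shown in the report).
SAMPLE = "cd32da2cae57c30b9b3b3b5492c72920N.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
PROCESSES = {
    568: (None, '"' + TEMP + SAMPLE + '"'),
    2952: (568, TEMP + SAMPLE + " startC:\\Users\\Admin\\AppData\\Roaming\\dwm.exe"
                "%C:\\Users\\Admin\\AppData\\Roaming"),
    2536: (568, TEMP + SAMPLE + " startC:\\Users\\Admin\\AppData\\Local\\Temp\\csrss.exe"
                "%C:\\Users\\Admin\\AppData\\Local\\Temp"),
}

# The eight "Suspicious use of WriteProcessMemory" rows, one per line, with the
# columns run together exactly as the report prints them.
WRITE_EVENTS = """
PID 568 wrote to memory of 2952 568 cd32da2cae57c30b9b3b3b5492c72920N.exe 30
PID 568 wrote to memory of 2952 568 cd32da2cae57c30b9b3b3b5492c72920N.exe 30
PID 568 wrote to memory of 2952 568 cd32da2cae57c30b9b3b3b5492c72920N.exe 30
PID 568 wrote to memory of 2952 568 cd32da2cae57c30b9b3b3b5492c72920N.exe 30
PID 568 wrote to memory of 2536 568 cd32da2cae57c30b9b3b3b5492c72920N.exe 32
PID 568 wrote to memory of 2536 568 cd32da2cae57c30b9b3b3b5492c72920N.exe 32
PID 568 wrote to memory of 2536 568 cd32da2cae57c30b9b3b3b5492c72920N.exe 32
PID 568 wrote to memory of 2536 568 cd32da2cae57c30b9b3b3b5492c72920N.exe 32
"""

# Assumed row layout: "PID <writer> wrote to memory of <target> <pid> <image> <procid_target>".
EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")
# Any drive-rooted Windows path, terminated by '%', a quote or whitespace.
WIN_PATH_RE = re.compile(r'[A-Za-z]:\\[^%"\s]+')


def parse_write_events(text=WRITE_EVENTS):
    """Yield (writer_pid, target_pid, writer_image, target_procid) per row."""
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            yield int(m[1]), int(m[2]), m[4], int(m[5])


def split_cmdline(cmdline):
    """Separate the image path from its arguments; the image may be quoted or bare."""
    if cmdline.startswith('"'):
        close = cmdline.find('"', 1)
        return cmdline[1:close], cmdline[close + 1:].strip()
    image, _, args = cmdline.partition(" ")
    return image, args


def injection_findings(processes=PROCESSES, events=WRITE_EVENTS):
    """Correlate memory-write events with the process list. One finding per
    (writer, target) pair: write count, whether the target is the writer's child,
    whether it runs the writer's own image, and the paths on its command line."""
    counts = Counter((w, t) for w, t, _, _ in parse_write_events(events))
    findings = []
    for (writer, target), n in sorted(counts.items()):
        w_image, _ = split_cmdline(processes[writer][1])
        t_image, t_args = split_cmdline(processes[target][1])
        findings.append({
            "writer": writer,
            "target": target,
            "writes": n,
            "target_is_child": processes[target][0] == writer,
            "same_image": ntpath.basename(w_image).lower() == ntpath.basename(t_image).lower(),
            "argument_paths": WIN_PATH_RE.findall(t_args),
        })
    return findings


if __name__ == "__main__":
    for f in injection_findings():
        print(f"{f['writer']} -> {f['target']}: {f['writes']} writes, "
              f"child={f['target_is_child']}, same image={f['same_image']}, "
              f"paths={f['argument_paths']}")
```

A parent writing into a freshly spawned copy of itself is the shape to watch for here; the same join is what lets a triage script distinguish it from a parent writing into an unrelated, already-running process.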
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: e0e9f65f1da863dbcfc9d353e51edc6f
SHA1: 9495a4d740d5b0cd070cb55c61797d826a868b2a
SHA256: ecee89aa64ddba0ec841255e2270101aec7569f1c4bf1ff86aa7aa76653199f7
SHA512: 561f21dab051b3067afd1d03ef995a0fea9868cde90372e1609292adf534480b0dddcd93275ad4c1ddc16f9763afeb953e956c019db9a235006fd4eae3053000

Filesize: 600B
MD5: c870fe548e97f2f80ba50489d4e9c32e
SHA1: ead546910b71e92817005877e004e48462ad9885
SHA256: 59fc03a31a27d2645d545a18d486996fd4a864b0ed09ab58bc7fc1b12d4cfb87
SHA512: 16d391fe5c70e5a9b58b141717a748ce6d1eec88aa9360f5e042709694e7a7490a0cb8e1c526286b8e10bcffce30b52ff627f906aec5cdb90d52b4e5e6f4a261

Filesize: 996B
MD5: 18349916f07dfde3e62f9ec33b410f7c
SHA1: bec5fcdae3606d920642a60fe5d2e92b9c38a411
SHA256: 0772193ee8254698d9ee3d93ce35a220d2d5d023c7b97e6ff5fcf99dc771c121
SHA512: c3282d20b3278cae53df71ffbe3853bef1bdde9913358689cb498a79033eec6cd425235c849bedd4314f73ec7e74bb0e6de8c39a1a9e2f0ac99c95cffed5832d