Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
10s -
max time network
13s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
11/09/2024, 14:19
Static task
static1
Behavioral task
behavioral1
Sample
dbae7789d8691768e858795b66aaa050N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
dbae7789d8691768e858795b66aaa050N.exe
Resource
win10v2004-20240802-en
General
-
Target
dbae7789d8691768e858795b66aaa050N.exe
-
Size
485KB
-
MD5
dbae7789d8691768e858795b66aaa050
-
SHA1
e819a7aa96755b1a1be8f15d66d1fb7792849756
-
SHA256
2be6d9a6475fe4682237475de862c858040a11431c4327e1c141ef955f3cfaf8
-
SHA512
065af143db2aacf5b590525ef7a74fa03fc6d45a06bb789dc48f8b659aaf136abc8b68ebc2ca9a4dbd1b365fe44ae6b1647de56b38d717357276e5676dcf2a42
-
SSDEEP
12288:y+P0Rhc9iHfc1MUNheqhhRtzCUxIPeLBV9:y+PLo/+rHFxCUxI6
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 1 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral1/files/0x00290000000150a7-26.dat Nirsoft -
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/files/0x00290000000150a7-26.dat WebBrowserPassView -
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2396 netsh.exe -
Executes dropped EXE 1 IoCs
pid Process 2700 F9LlD.exe -
Loads dropped DLL 2 IoCs
pid Process 2964 dbae7789d8691768e858795b66aaa050N.exe 2964 dbae7789d8691768e858795b66aaa050N.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 checkip.dyndns.org -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dbae7789d8691768e858795b66aaa050N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language F9LlD.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2700 F9LlD.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2964 dbae7789d8691768e858795b66aaa050N.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2964 wrote to memory of 2700 2964 dbae7789d8691768e858795b66aaa050N.exe 30 PID 2964 wrote to memory of 2700 2964 dbae7789d8691768e858795b66aaa050N.exe 30 PID 2964 wrote to memory of 2700 2964 dbae7789d8691768e858795b66aaa050N.exe 30 PID 2964 wrote to memory of 2700 2964 dbae7789d8691768e858795b66aaa050N.exe 30 PID 2964 wrote to memory of 2396 2964 dbae7789d8691768e858795b66aaa050N.exe 32 PID 2964 wrote to memory of 2396 2964 dbae7789d8691768e858795b66aaa050N.exe 32 PID 2964 wrote to memory of 2396 2964 dbae7789d8691768e858795b66aaa050N.exe 32 PID 2964 wrote to memory of 2396 2964 dbae7789d8691768e858795b66aaa050N.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\dbae7789d8691768e858795b66aaa050N.exe"C:\Users\Admin\AppData\Local\Temp\dbae7789d8691768e858795b66aaa050N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Users\Admin\AppData\Local\Temp\F9LlD.exeC:\Users\Admin\AppData\Local\Temp\F9LlD.exe /stext C:\Users\Admin\AppData\Local\Temp\pass.txt2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2700
-
-
C:\Windows\SysWOW64\netsh.exe"netsh.exe" firewall set opmode disable2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2396
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
485KB
MD5dbae7789d8691768e858795b66aaa050
SHA1e819a7aa96755b1a1be8f15d66d1fb7792849756
SHA2562be6d9a6475fe4682237475de862c858040a11431c4327e1c141ef955f3cfaf8
SHA512065af143db2aacf5b590525ef7a74fa03fc6d45a06bb789dc48f8b659aaf136abc8b68ebc2ca9a4dbd1b365fe44ae6b1647de56b38d717357276e5676dcf2a42
-
Filesize
344KB
MD532f555e1fa671e364f5fde77c3fd1847
SHA1b2c669e3b128f98de31275a4e5c926de65bb0622
SHA2567d3db6ca664c29c75272c2f1254e2d20ae2572e072b2fc178c0874bec00e9ab2
SHA5120520afca2d9116b895cda6bff30e4d35d431e79950d0384f6d4ad4fc7e6089ff374301f6a30e3fb27f108ecdcaf80d92a218d13ed226cb8352f7c6803db2f556