Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
10s -
max time network
13s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
11/09/2024, 14:19
General
-
Target
dbae7789d8691768e858795b66aaa050N.exe
-
Size
485KB
-
MD5
dbae7789d8691768e858795b66aaa050
-
SHA1
e819a7aa96755b1a1be8f15d66d1fb7792849756
-
SHA256
2be6d9a6475fe4682237475de862c858040a11431c4327e1c141ef955f3cfaf8
-
SHA512
065af143db2aacf5b590525ef7a74fa03fc6d45a06bb789dc48f8b659aaf136abc8b68ebc2ca9a4dbd1b365fe44ae6b1647de56b38d717357276e5676dcf2a42
-
SSDEEP
12288:y+P0Rhc9iHfc1MUNheqhhRtzCUxIPeLBV9:y+PLo/+rHFxCUxI6
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 1 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dbae7789d8691768e858795b66aaa050N.exe"C:\Users\Admin\AppData\Local\Temp\dbae7789d8691768e858795b66aaa050N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\F9LlD.exeC:\Users\Admin\AppData\Local\Temp\F9LlD.exe /stext C:\Users\Admin\AppData\Local\Temp\pass.txt2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\netsh.exe"netsh.exe" firewall set opmode disable2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
485KB
MD5dbae7789d8691768e858795b66aaa050
SHA1e819a7aa96755b1a1be8f15d66d1fb7792849756
SHA2562be6d9a6475fe4682237475de862c858040a11431c4327e1c141ef955f3cfaf8
SHA512065af143db2aacf5b590525ef7a74fa03fc6d45a06bb789dc48f8b659aaf136abc8b68ebc2ca9a4dbd1b365fe44ae6b1647de56b38d717357276e5676dcf2a42
-
Filesize
344KB
MD532f555e1fa671e364f5fde77c3fd1847
SHA1b2c669e3b128f98de31275a4e5c926de65bb0622
SHA2567d3db6ca664c29c75272c2f1254e2d20ae2572e072b2fc178c0874bec00e9ab2
SHA5120520afca2d9116b895cda6bff30e4d35d431e79950d0384f6d4ad4fc7e6089ff374301f6a30e3fb27f108ecdcaf80d92a218d13ed226cb8352f7c6803db2f556
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB