Analysis
- max time kernel: 120s
- max time network: 66s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19/09/2024, 05:47
Static task: static1
Behavioral task: behavioral1
- Sample: e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe
- Resource: win10v2004-20240802-en
General
- Target: e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe
- Size: 171KB
- MD5: e4bab18853c1124af84cb34830a25940
- SHA1: 077cc65709ffe3b561ab773e1d3a6703e40ab8ba
- SHA256: e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbf
- SHA512: 3b83848337547eb2394fa8024c84a297384f5e7d95d3e10a91d0269f770c27991eb106fb7496a8f5324ad26cc1dc269e662d225440006449cc97088e7824433e
- SSDEEP: 3072:rZcFmpOW3uUMKH83ECl9Zsows7T+gVTQ4e+9Ec0Daq56UfEvnbi:ln3NM2jC2ows7iuTJe+9E/ai61b
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  The Winlogon Shell value normally holds only explorer.exe; the sample appends a second program to it so that Winlogon also launches the dropped payload at every interactive logon.
  Set value (str): \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\883E8\\AC432.exe" (process: e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Yara rule upx (UPX packer) matched in memory dumps (8 IoCs)
  behavioral1/memory/2848-2-0x0000000000400000-0x0000000000491000-memory.dmp
  behavioral1/memory/2776-14-0x0000000000400000-0x0000000000491000-memory.dmp
  behavioral1/memory/2848-15-0x0000000000400000-0x0000000000491000-memory.dmp
  behavioral1/memory/2848-16-0x0000000000400000-0x000000000048E000-memory.dmp
  behavioral1/memory/1548-123-0x0000000000400000-0x0000000000491000-memory.dmp
  behavioral1/memory/1548-122-0x0000000000400000-0x0000000000491000-memory.dmp
  behavioral1/memory/2848-124-0x0000000000400000-0x0000000000491000-memory.dmp
  behavioral1/memory/2848-290-0x0000000000400000-0x0000000000491000-memory.dmp
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (opened once by each of the three e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe processes)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2848 (e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe) wrote to memory of PID 2776 (target procid 31): 4 times
  PID 2848 (e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe) wrote to memory of PID 1548 (target procid 33): 4 times
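The Winlogon Shell persistence entry above is the kind of registry value a host check or log parser should flag. The following Python is an added example, not code from tria.ge or from the sample's author: it parses "Shell = ..." lines in the report's own format (the first constructed input mirrors the IoC above; the other inputs are constructed), splits the comma-separated program list, and flags every entry beyond the stock explorer.exe, noting whether it points into a user-writable directory. The names USER_WRITABLE_HINTS and the directory allow-list in is_default_entry are this example's own assumptions, not anything the report states.

```python
"""Flag Winlogon Shell values that chain extra programs behind explorer.exe.

Added example (not tria.ge code).  SAMPLE_LINES are constructed inputs; the
first one mirrors the IoC string shown in the report.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Stock shell on client Windows: a single explorer.exe entry.
DEFAULT_SHELL = "explorer.exe"

# Assumption for this example: path fragments that mark user-writable locations.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

SAMPLE_LINES = [
    # Mirrors the report's IoC (value keeps the report's escaped backslashes).
    r'\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\883E8\\AC432.exe"',
    # Constructed: the default, benign machine-wide value.
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"',
    # Constructed: an extra entry that lives outside user-writable paths (e.g. a kiosk shell).
    r'\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Program Files\\Vendor\\kiosk.exe"',
]


@dataclass(frozen=True)
class ShellFinding:
    key_path: str                 # Winlogon key the value was set under
    extra_entries: tuple[str, ...]  # programs other than the default shell
    user_writable: bool           # any extra entry under a user-writable path


def split_shell_value(value: str) -> list[str]:
    """Shell is a comma-separated list of programs Winlogon starts at logon."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def is_default_entry(entry: str) -> bool:
    """True for 'explorer.exe' bare or under the Windows directory (assumed allow-list)."""
    if ntpath.basename(entry).lower() != DEFAULT_SHELL:
        return False
    return ntpath.dirname(entry).lower() in ("", "c:\\windows", "%systemroot%", "%windir%")


def inspect_shell_value(key_path: str, value: str) -> ShellFinding | None:
    """Return a finding when the Shell value runs anything besides the default shell."""
    extras = tuple(e for e in split_shell_value(value) if not is_default_entry(e))
    if not extras:
        return None
    writable = any(h in e.lower() for e in extras for h in USER_WRITABLE_HINTS)
    return ShellFinding(key_path, extras, writable)


def scan_registry_lines(lines: list[str]) -> list[ShellFinding]:
    """Parse '<...\\Winlogon>\\Shell = "<value>"' lines and collect findings."""
    pattern = re.compile(r'^(?P<key>\\REGISTRY\\.+?\\Winlogon)\\Shell = "(?P<val>.*)"$')
    findings: list[ShellFinding] = []
    for line in lines:
        m = pattern.match(line.strip())
        if not m:
            continue
        # The report escapes backslashes inside the value; collapse them back.
        value = m.group("val").replace("\\\\", "\\")
        finding = inspect_shell_value(m.group("key"), value)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_registry_lines(SAMPLE_LINES):
        flag = "USER-WRITABLE" if f.user_writable else "non-user-writable"
        print(f"{f.key_path}: extra shell entries {f.extra_entries} ({flag})")
```

Only the two values with an extra program produce findings; the report's own IoC is the one flagged as user-writable because the appended binary sits under AppData\Roaming. On a live host the same logic applies to the value read from HKLM and every loaded HKU hive; a Userinit check would follow the same pattern but is not part of this example.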
Processes
- depth 1: C:\Users\Admin\AppData\Local\Temp\e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe"
  PID: 2848
  - Modifies WinLogon for persistence
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - depth 2 (child of PID 2848): C:\Users\Admin\AppData\Local\Temp\e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe
    command line (as extracted): C:\Users\Admin\AppData\Local\Temp\e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe startC:\Program Files (x86)\LP\32F8\5C6.exe%C:\Program Files (x86)\LP\32F8
    PID: 2776
    - System Location Discovery: System Language Discovery
  - depth 2 (child of PID 2848): C:\Users\Admin\AppData\Local\Temp\e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe
    command line (as extracted): C:\Users\Admin\AppData\Local\Temp\e57013c5e4813270b4ca9288512141c2552d177a4969edd1ddf78b1084fd5fbfN.exe startC:\Program Files (x86)\E8C76\lvvm.exe%C:\Program Files (x86)\E8C76
    PID: 1548
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 996B
  MD5: 921f58acb352f39b1132ca47618deb63
  SHA1: 04f0343dfbb53c0da5a38ffb038ab4d93766bdd4
  SHA256: 44ef93d43f9900301b332b8e34887e3e78cc504d7a884e5d199b2a38978206d7
  SHA512: ba5a0f63f4575504fdcc5e9bd45b4f5fb05f03558ad404ac4e86dd91710b8adfd1451faff40ed3788e2301002b3fe67758992048385ea53838383951465e352a
- Filesize: 600B
  MD5: 1ff3266642ae813964c15c4e02554a65
  SHA1: 03abf819b2c59989f67913a2f6f22f4f8dc4db7c
  SHA256: 05b61ea561b97376a0b208ba2dcac46e5f2435a2992317d395fdd7013e3c0ddd
  SHA512: 297f4b818bd282ae6d4bf86e621c22f15f31c6e228aa5fdea4498f00a4330951309ba4b6fa93d25e7c43e6dc76212162d953c012277a6c3725cb41d35ee6bd4b
- Filesize: 1KB
  MD5: dc2b437c5c2d41b70e7453fd0885cdf3
  SHA1: 8181fbc9760a509525bd0dcc7e5d82d068db9342
  SHA256: a140a9902cec45934c8d0a213054aa27f3401a54a3608e87d294f3292a96744e
  SHA512: 5f51c57b95f01a96347acf4b054fb198bba8a7ad527833e18f6d04b7ac1b0668761872a62967407d94cfbdf286c1b3687541cc167c6f8fc59a1bf806aceb7c48