Analysis

  • max time kernel
    147s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/09/2024, 10:30 UTC

General

  • Target

    download1.exe

  • Size

    483KB

  • MD5

    b0b179cb58814287051a3933455c382e

  • SHA1

    23bb06299fe32cc15786f9b79c22e5d7af50802a

  • SHA256

    997371c951144335618b3c5f4608afebf7688a58b6a95cdc71f237f2a7cc56a2

  • SHA512

    6c0c6fbd544517b05e17cdd15e64698df5683b51a9fc79dfe51e18c62202d2d45626ba41e6c9b7b7ae507ce474c948f501971815afa6accc81b4268afafb11c9

  • SSDEEP

    6144:RTz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZmAX4crgWT4:RTlrYw1RUh3NFn+N5WfIQIjbs/ZmgT4

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Detected Nirsoft tools 8 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\download1.exe
    "C:\Users\Admin\AppData\Local\Temp\download1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Users\Admin\AppData\Local\Temp\download1.exe
      C:\Users\Admin\AppData\Local\Temp\download1.exe /stext "C:\Users\Admin\AppData\Local\Temp\orxyjrbgzbtabfrzelcmlxkuwior"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2216
    • C:\Users\Admin\AppData\Local\Temp\download1.exe
      C:\Users\Admin\AppData\Local\Temp\download1.exe /stext "C:\Users\Admin\AppData\Local\Temp\qtdrbkuzvjlfetfdnvpgwbfdwpgsgdn"
      2⤵
      • Accesses Microsoft Outlook accounts
      • System Location Discovery: System Language Discovery
      PID:2072
    • C:\Users\Admin\AppData\Local\Temp\download1.exe
      C:\Users\Admin\AppData\Local\Temp\download1.exe /stext "C:\Users\Admin\AppData\Local\Temp\bnijccebjrdkoabhfgbhzoaufwpbhodqih"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2112

Network

  • US
    DNS
    maxert.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro
    download1.exe
    Remote address:
    8.8.8.8:53
    Request
    maxert.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro
    IN A
    Response
    maxert.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro
    IN A
    45.90.89.98
  • US
    DNS
    geoplugin.net
    download1.exe
    Remote address:
    8.8.8.8:53
    Request
    geoplugin.net
    IN A
    Response
    geoplugin.net
    IN A
    178.237.33.50
  • NL
    GET
    http://geoplugin.net/json.gp
    download1.exe
    Remote address:
    178.237.33.50:80
    Request
    GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    date: Fri, 20 Sep 2024 10:31:04 GMT
    server: Apache
    content-length: 955
    content-type: application/json; charset=utf-8
    cache-control: public, max-age=300
    access-control-allow-origin: *
  • 45.90.89.98:6845
    maxert.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro
    tls
    download1.exe
    3.4kB
    1.7kB
    14
    18
  • 178.237.33.50:80
    http://geoplugin.net/json.gp
    http
    download1.exe
    669 B
    2.5kB
    13
    4

    HTTP Request

    GET http://geoplugin.net/json.gp

    HTTP Response

    200
  • 45.90.89.98:6845
    maxert.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro
    tls
    download1.exe
    30.6kB
    512.2kB
    217
    381
  • 8.8.8.8:53
    maxert.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro
    dns
    download1.exe
    94 B
    110 B
    1
    1

    DNS Request

    maxert.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro

    DNS Response

    45.90.89.98

  • 8.8.8.8:53
    geoplugin.net
    dns
    download1.exe
    59 B
    75 B
    1
    1

    DNS Request

    geoplugin.net

    DNS Response

    178.237.33.50

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\notpad0\logs.dat

    Filesize

    230B

    MD5

    6b0a7e3f4bc2d6644fffba214cccccf4

    SHA1

    02e5a51635103c9fe24f2b9379960c46bb50cdbe

    SHA256

    2b0888dba6c7bc83eee59efc71411195616e56bc7e4610d78db811fd697b2986

    SHA512

    8a583ace21b45c41fba95bdeeb609e9885aa10bf00e6781ab5832e5dd3dad2289ed9ac85fee3c2e7c4897867e16dfb0ceb7f7bc27b1ec4779a3dcc72845a3636

  • C:\Users\Admin\AppData\Local\Temp\orxyjrbgzbtabfrzelcmlxkuwior

    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • memory/2072-12-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/2072-9-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/2072-28-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/2072-6-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/2072-2-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/2112-11-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2112-15-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2112-14-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2112-16-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2112-8-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2112-19-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2112-17-0x0000000000430000-0x0000000000497000-memory.dmp

    Filesize

    412KB

  • memory/2216-24-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2216-4-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2216-7-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2216-13-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2216-1-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2512-30-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

  • memory/2512-34-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB

  • memory/2512-33-0x0000000010000000-0x0000000010019000-memory.dmp

    Filesize

    100KB
