Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28/09/2024, 03:13

General

  • Target

    c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe

  • Size

    1005KB

  • MD5

    1386c886895587d556d849d374f99c00

  • SHA1

    af9a17f5fc3069af875d7e48d77f570f490c035e

  • SHA256

    c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74c

  • SHA512

    46f60d55f0a6b28bd3fbd5846e8e02be1ea469475b90112b7bef058ff70dcffb6b1ad27ea6bb654f9941c9ed7d60ff712a6eb7d74e7d5d2eb505c6283b9cc22f

  • SSDEEP

    24576:T0m7MVyppWwUeY/vnS5QhJfgtwy+dFA0zq:RMwEeY//IQhJowy+Tq

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe
    "C:\Users\Admin\AppData\Local\Temp\c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Users\Admin\AppData\Local\Temp\eqsB3A6.tmp
      "C:\Users\Admin\AppData\Local\Temp\c0e0b04921939fa617c707b94b555b19ea737d6ee1606293d5b44f88a3ace74cN.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2896
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\C0E0B0~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2316

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

    Filesize

    2.1MB

    MD5

    dae9fa0746a395d2b42b1eb0c529353a

    SHA1

    78af560084304cbef640424d4a4fb0bfbc1624ca

    SHA256

    8de820c02780d8b3aa28a9391d58d751cb8965560decfa54ba8b7b4da42f3095

    SHA512

    20930938bebc0c90ac52fbc9223bd42d7bfc7ca0a8a9ec93482fe9d38dcaf86c3b799c2412c3198fe53cd2adc5724108d3c8b3a73af2699a9af84ff4f6262453

  • C:\Program Files\7-Zip\RCXB3CC.tmp

    Filesize

    9KB

    MD5

    fc80202a8fc434099a9449b2a14c2d75

    SHA1

    9ca544e9bd5f4bfd84e9b769a9adeea8c86d2555

    SHA256

    d3c794a3f404eb37cbf4038683a85678d04b28fc6f5d98f2a24116738de07b51

    SHA512

    98292dc9a96ff137205a7874d3495eae8baa0b51e968d616257a7e7ae4291fe010f47bef923039002827d0ff115f154aafe11bf321d534e0a7870faa40f6d2d4

  • \Users\Admin\AppData\Local\Temp\eqsB3A6.tmp

    Filesize

    995KB

    MD5

    62db7ffc2db3a1c7d4157807fa62d599

    SHA1

    06ca6e1f814b74708566ce1e258c98d238cc8360

    SHA256

    d9f5f5a886e7b8af87dc34dea9b330fe0243cb481ba518765d7950f1c0aca08a

    SHA512

    aca34b834ee3b622965e928fa1773b5e0de5ad3c4f7591a833c3156bdfba30aca15921fe3697c5fe65b9a69358a2f5c63ea0c81d9062cb1bdfc13ed94732a9a5