Analysis
- max time kernel: 149s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 05/10/2024, 01:46
Static task: static1
Behavioral task: behavioral1
Sample: bbb94d8f62a597fececf878c85e3f39decad2a1a6426e3ea7483db99e1c3496d.exe
Resource: win7-20240903-en
General
- Target: bbb94d8f62a597fececf878c85e3f39decad2a1a6426e3ea7483db99e1c3496d.exe
- Size: 5.9MB
- MD5: 32ef4bbb07795ee84acb6f390a27ccdb
- SHA1: 359a77f6c235e4b53d96243ded6cdbfdab16e15c
- SHA256: bbb94d8f62a597fececf878c85e3f39decad2a1a6426e3ea7483db99e1c3496d
- SHA512: b5b9c28f3b6342050a87809b56189dc3eb78671a58727a6f953e1ed4c5f910ae94709322fcfab7649da6faa17f4dbfd20b0efb69dacf3af95a9f3e39e0fd5556
- SSDEEP: 49152:ahZhoxngRhjFM0NpSASlN6J8RyfW8vWOL:a6tKJM0vSAeSXfWGL
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  2568  service123.exe
  1664  service123.exe
- Loads dropped DLL (4 IoCs)
  pid   Process
  2248  bbb94d8f62a597fececf878c85e3f39decad2a1a6426e3ea7483db99e1c3496d.exe
  2248  bbb94d8f62a597fececf878c85e3f39decad2a1a6426e3ea7483db99e1c3496d.exe
  2568  service123.exe
  1664  service123.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bbb94d8f62a597fececf878c85e3f39decad2a1a6426e3ea7483db99e1c3496d.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                  Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     bbb94d8f62a597fececf878c85e3f39decad2a1a6426e3ea7483db99e1c3496d.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  bbb94d8f62a597fececf878c85e3f39decad2a1a6426e3ea7483db99e1c3496d.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2856  schtasks.exe
- Suspicious use of WriteProcessMemory (12 IoCs; each event below is reported 4 times)
  description                        pid   Process                                                                procid_target
  PID 2248 wrote to memory of 2568   2248  bbb94d8f62a597fececf878c85e3f39decad2a1a6426e3ea7483db99e1c3496d.exe  31  (4 entries)
  PID 2248 wrote to memory of 2856   2248  bbb94d8f62a597fececf878c85e3f39decad2a1a6426e3ea7483db99e1c3496d.exe  32  (4 entries)
  PID 536 wrote to memory of 1664    536   taskeng.exe                                                            35  (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\bbb94d8f62a597fececf878c85e3f39decad2a1a6426e3ea7483db99e1c3496d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bbb94d8f62a597fececf878c85e3f39decad2a1a6426e3ea7483db99e1c3496d.exe"
  PID: 2248
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\service123.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\service123.exe"
    PID: 2568
    - Executes dropped EXE
    - Loads dropped DLL
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
    PID: 2856
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {0647CA10-7F78-48D1-97F6-A3AE778429B3} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
  PID: 536
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\service123.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\/service123.exe
    PID: 1664
    - Executes dropped EXE
    - Loads dropped DLL