Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

5a87a704d0...9d.exe

windows7-x64

8

5a87a704d0...9d.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    14/10/2024, 22:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5a87a704d0e2e7bc2213db0e6298f125c080c468ed8ea3680d7d7e2ecf626a9d.exe

  • Size

    1.4MB

  • MD5

    8b56e049371d0ad4667839b19abad608

  • SHA1

    3b1f8dd9568dd6a905d2b0aa65f6886970649cde

  • SHA256

    5a87a704d0e2e7bc2213db0e6298f125c080c468ed8ea3680d7d7e2ecf626a9d

  • SHA512

    ca59335f0cd508c201011e61a8ae653aec989922afe4c85e403ea77d56608fecc1b7e0727be2c06fed0ad95477aace7d1a3dfc813f8285de0ce1bd6be0b1a191

  • SSDEEP

    24576:h+SFQyRru2P6TW+/OMiFhTCRQwG6F5/xsSSBl76xPbdHURIcNTKarBI:NZubTWLb33s/xkl76FZUKaKarB

Score
8/10
discoverypersistencespywarestealerupx

Malware Config

Signatures

  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in System32 directory 9 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1192
      • C:\Users\Admin\AppData\Local\Temp\5a87a704d0e2e7bc2213db0e6298f125c080c468ed8ea3680d7d7e2ecf626a9d.exe
        "C:\Users\Admin\AppData\Local\Temp\5a87a704d0e2e7bc2213db0e6298f125c080c468ed8ea3680d7d7e2ecf626a9d.exe"
        2⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2304
        • C:\Users\Admin\AppData\Local\eFtBIJL\5a87a704d0e2e7bc2213db0e698f125c080c468ed8ea3680d7d7e2ecf626a9d.exe
          "C:\Users\Admin\AppData\Local\eFtBIJL\5a87a704d0e2e7bc2213db0e698f125c080c468ed8ea3680d7d7e2ecf626a9d.exe"
          3⤵
          • Sets service image path in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: LoadsDriver
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2860

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\eFtBIJL\5a87a704d0e2e7bc2213db0e698f125c080c468ed8ea3680d7d7e2ecf626a9d.exe
      Filesize

      1.4MB

      MD5

      4575be35ccaa6af66b5cf6152edfc3c7

      SHA1

      901db5770299a4c2a17696596bf482d2d1af9af8

      SHA256

      d02b817f1bd72f424c458cf7188435670d2cfb0f5e3e7a5af3d2eaa342a6eb6a

      SHA512

      e5c48f860846e8923e92da9d9fdc671e6cbdca526a06b595ccd7ccbc219b7d9f65e9637de79dff141ccd778941bc0968b9bb498e28e16ce21e63dc3587a6ea19

      Download Submit

    • \Windows\SysWOW64\dQUVhOX\AfYWIRYN.dll
      Filesize

      866KB

      MD5

      036a3acea0dc31d58c41f6f8c312b086

      SHA1

      52164e5f60de837c50368b65e5bfad5c7947c162

      SHA256

      b8a0ce3d7700ccba6bc187c11f8186ab169e0652b8e7fa4437c8ebb61c5c4aec

      SHA512

      72167c01033f2b19a6a4349d2c28aec0a85c8fa847b3d176bfe2471ed968f57239eca2250710b3ceaa7f10f3cf0c84273d1192c323d1fa0472c4b7b7b075aba8

      Download Submit

    • \Windows\SysWOW64\dQUVhOX\jSIambXmH.dll
      Filesize

      483KB

      MD5

      88c4820aa1ecfa3017963db6a60952a0

      SHA1

      95aeaa84e38c62059a703c6a8ce8712df9c990f9

      SHA256

      bb3c682d5bbe59a63dd8fad19466f8c9f770df15acdbed580012be7cea62acbd

      SHA512

      bde8c85f4232f24f415289e1aab61ce090cbd06442d774908a86ede135e74834e4c964c1a584df7a8d37fb56559126de24ff42c8497df7602534cb5d6100f5ee

      Download Submit

    • memory/1192-85-0x00000000021D0000-0x00000000021D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2304-10-0x0000000000400000-0x0000000000535000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2304-0-0x0000000000400000-0x0000000000535000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2304-8-0x0000000002750000-0x0000000002885000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2860-11-0x0000000000400000-0x0000000000535000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2860-48-0x0000000001FF0000-0x0000000001FF3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2860-53-0x0000000002E90000-0x0000000003018000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2860-72-0x00000000746B0000-0x0000000074739000-memory.dmp

      Filesize

      548KB

      Download

    • memory/2860-47-0x0000000002E90000-0x0000000003018000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2860-73-0x0000000002E90000-0x0000000003018000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2860-74-0x0000000001FF0000-0x0000000001FF3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2860-15-0x0000000000400000-0x0000000000535000-memory.dmp

      Filesize

      1.2MB

      Download