Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10source_prepared.exe
windows7-x64
7source_prepared.exe
windows10-2004-x64
7discord_to...er.pyc
windows7-x64
3discord_to...er.pyc
windows10-2004-x64
3get_cookies.pyc
windows7-x64
3get_cookies.pyc
windows10-2004-x64
3misc.pyc
windows7-x64
3misc.pyc
windows10-2004-x64
3passwords_grabber.pyc
windows7-x64
3passwords_grabber.pyc
windows10-2004-x64
3source_prepared.pyc
windows7-x64
3source_prepared.pyc
windows10-2004-x64
3Analysis
-
max time kernel
34s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
15/10/2024, 18:04
Behavioral task
behavioral1
Sample
source_prepared.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
source_prepared.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
discord_token_grabber.pyc
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
discord_token_grabber.pyc
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
get_cookies.pyc
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
get_cookies.pyc
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
misc.pyc
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
misc.pyc
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
passwords_grabber.pyc
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
passwords_grabber.pyc
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
source_prepared.pyc
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
source_prepared.pyc
Resource
win10v2004-20241007-en
General
-
Target
source_prepared.pyc
-
Size
63KB
-
MD5
fdc09f129473e524c491ae79f44b8a59
-
SHA1
29f6ae8b3b942f808d0cdc283970ff71e668dbbf
-
SHA256
cc880696781b56da890b2debae0fbad6a9f714ebfefe398d1e56dbdc467bf2d2
-
SHA512
65cea897d4a6285109a4b4dcce85580d69cb9b8cf0cfc85840885fb3b702ca6ed3bec71abc91326f6d0015065c493588b471e5fdb76e99e321d53344d17026f3
-
SSDEEP
768:wbXmUqlPniou3Ti2zXwhdG87YbL7l9FZwDU6jqnWo5bleSCkO579qfikwth9iNdt:wJqlPV6jwK8kZdKEpqan4hogoocOzV78
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2860 AcroRd32.exe 2860 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2936 wrote to memory of 2828 2936 cmd.exe 31 PID 2936 wrote to memory of 2828 2936 cmd.exe 31 PID 2936 wrote to memory of 2828 2936 cmd.exe 31 PID 2828 wrote to memory of 2860 2828 rundll32.exe 32 PID 2828 wrote to memory of 2860 2828 rundll32.exe 32 PID 2828 wrote to memory of 2860 2828 rundll32.exe 32 PID 2828 wrote to memory of 2860 2828 rundll32.exe 32
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc1⤵
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2860
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD55752608dc9f40066d69044680d9b362b
SHA10c0b7f8899eee385be4b996ce2ab1713f88e7018
SHA25605e7cacdd0598f661d4cde7952708808ce3535dc68fe8906bb406b1869285dea
SHA512a633243bf49667dac2c3eb61f2993ff2d1b574cfbf50d7e1d77b45c7151493e5abc2aef3b6b1bcd8eecef72a94ca9579122bc1afe4c06cd974fe443482e49a4d