Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10pornhub.rar
windows7-x64
7pornhub.rar
windows10-2004-x64
1source_prepared.exe
windows7-x64
7source_prepared.exe
windows10-2004-x64
9discord_to...er.pyc
windows7-x64
3discord_to...er.pyc
windows10-2004-x64
3get_cookies.pyc
windows7-x64
3get_cookies.pyc
windows10-2004-x64
3misc.pyc
windows7-x64
3misc.pyc
windows10-2004-x64
3passwords_grabber.pyc
windows7-x64
3passwords_grabber.pyc
windows10-2004-x64
3source_prepared.pyc
windows7-x64
3source_prepared.pyc
windows10-2004-x64
3Analysis
-
max time kernel
1558s -
max time network
1559s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05/12/2024, 22:14
Behavioral task
behavioral1
Sample
pornhub.rar
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
pornhub.rar
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
source_prepared.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
source_prepared.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
discord_token_grabber.pyc
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
discord_token_grabber.pyc
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
get_cookies.pyc
Resource
win7-20240729-en
Behavioral task
behavioral8
Sample
get_cookies.pyc
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
misc.pyc
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
misc.pyc
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
passwords_grabber.pyc
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
passwords_grabber.pyc
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
source_prepared.pyc
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
source_prepared.pyc
Resource
win10v2004-20241007-en
General
-
Target
source_prepared.pyc
-
Size
65KB
-
MD5
440043df3d3a8d8f789454040f101b5b
-
SHA1
ff70ac70be4931aa739ddf7945e02b2e1adaae33
-
SHA256
1a1d9b9a09ef44aafffb192dc6418f524e78d1f182c507bacc876818d8aa47d2
-
SHA512
6193763ec204754627b6ca59b7658bc890f0028d92cde429c72d74559f109990974c74bf4b263f929fda065836e8435141720921b7ec8490f2a0b0706d369e98
-
SSDEEP
1536:IacgVgJPkBBj1uYCFjUIOihdBsoGwjRQ53:gg2FkBkFwIOCsoD0
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2224 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2224 AcroRd32.exe 2224 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1984 wrote to memory of 3068 1984 cmd.exe 31 PID 1984 wrote to memory of 3068 1984 cmd.exe 31 PID 1984 wrote to memory of 3068 1984 cmd.exe 31 PID 3068 wrote to memory of 2224 3068 rundll32.exe 32 PID 3068 wrote to memory of 2224 3068 rundll32.exe 32 PID 3068 wrote to memory of 2224 3068 rundll32.exe 32 PID 3068 wrote to memory of 2224 3068 rundll32.exe 32
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc1⤵
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\source_prepared.pyc"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2224
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5cd594a95729e71d4f8d8471ba3803e7d
SHA180b83d5b68e2b46ffb08b077136ff204208b4a38
SHA2568c8ca1dee15a3d325e43dc260708f3b020ac17a8334fff6176383586e7258cf7
SHA5122addf3ddf59e43c2dd825beec522672761153c0ecba1eef17bc3c3d27556a2291674d656f44e96e158f0d8e68da608577e8b0d5d17af7b4d5097377f98d29b06