Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

1b3a4ba95a...18.exe

windows7-x64

10

1b3a4ba95a...18.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    10/12/2024, 20:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1b3a4ba95af464fc222df26f71c5c8c44b4beca002176ae5372471caf2bb2418.exe

  • Size

    187KB

  • MD5

    daad9b133d139f509a2ef348da66c146

  • SHA1

    1f8730c8bc7a0765e2f0983ae88f64838eb7fa84

  • SHA256

    1b3a4ba95af464fc222df26f71c5c8c44b4beca002176ae5372471caf2bb2418

  • SHA512

    a62c92899220125132b5805140d9f43af86e35537ef362e069bd8da592bc925a502e20c7b7d386cef09532667c7d39b1d785e293bdad39deeeba3be531cc62d2

  • SSDEEP

    3072:umpgG33H1u5F79GNgPrnw+fg+UbH8eIA6EfI73VrarwObkeLpp+RuDN4o:mwHobkCbw+fAmdzLparwWLpgSGo

Score
10/10
cycbotbackdoordiscoverypersistenceratspywarestealerupx

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

    backdoorratcycbot
  • Cycbot family
    cycbot
  • Detects Cycbot payload 5 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b3a4ba95af464fc222df26f71c5c8c44b4beca002176ae5372471caf2bb2418.exe
    "C:\Users\Admin\AppData\Local\Temp\1b3a4ba95af464fc222df26f71c5c8c44b4beca002176ae5372471caf2bb2418.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Users\Admin\AppData\Local\Temp\1b3a4ba95af464fc222df26f71c5c8c44b4beca002176ae5372471caf2bb2418.exe
      C:\Users\Admin\AppData\Local\Temp\1b3a4ba95af464fc222df26f71c5c8c44b4beca002176ae5372471caf2bb2418.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1720
    • C:\Users\Admin\AppData\Local\Temp\1b3a4ba95af464fc222df26f71c5c8c44b4beca002176ae5372471caf2bb2418.exe
      C:\Users\Admin\AppData\Local\Temp\1b3a4ba95af464fc222df26f71c5c8c44b4beca002176ae5372471caf2bb2418.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2500

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\6C2E.BBF
    Filesize

    1KB

    MD5

    17c345b682a1a113a37236bba9b7fffb

    SHA1

    563deb910484ff9f5a801a69f5b3c0ba2e327389

    SHA256

    e36e61292569bea0d0a036dec7eed740542b9dd25d1063a00835818b600d293e

    SHA512

    a9011dd1f5e8e837e4053548cd95b6e98a490ce84f4060ab18b0c3f532c4115b7cc876860725a527a512f7e272606a11403d0ab79edc7a5118c1955dbeba598c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\6C2E.BBF
    Filesize

    1KB

    MD5

    b95ec2d672b18d0d56f901f864b1544a

    SHA1

    0f21f863195ed2c8f0e73f2caefda4c947bbdc6f

    SHA256

    0894cedd8b612e524b1e3673916f21e8fc3f282dbc2cce924a6cb7ee573f636b

    SHA512

    76a012e53e4891cc165b787ee354f0f83311c7ed7a8336a1698366d446611f2b4abf6aa292771ef80ccd50d31e5c2ade8e48933a5ae1af0adc126e51a9fa8b9b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\6C2E.BBF
    Filesize

    600B

    MD5

    afab7f5b6c9a94bb8e63026a1c323c9d

    SHA1

    d8b560f8cacaf86600dda1d74777a182fdaf8d30

    SHA256

    fd028cf431b034dde3862480d2d133be6ebf39ddb16a52585c86ceeed783c8d4

    SHA512

    a01191cb1e420e9015c9b25e209e417f1eafe602771736c10b3e8dbde9bedde98e29d2011b89296770dcce41ea094cabb1610d2fc045b990b5e075a8ff6fa7db

    Download Submit

  • C:\Users\Admin\AppData\Roaming\6C2E.BBF
    Filesize

    996B

    MD5

    9498e0d1af76fef170f55e4cce6fe6b6

    SHA1

    4eace48a8869c2737fa120254e72fa47700951b5

    SHA256

    d5d2ea5d8f74e0c9734514595042180f9c73e677ec0a4d75399071c95c5297c9

    SHA512

    140c659aaf8f7f92f37a5394f594b07218148329f3d424da314124cdada1cc52736b690866ad8b527d87b470db8b86882ec11db3aa202580548e4effbeb0858a

    Download Submit

  • memory/1720-6-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/1720-8-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/1720-5-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/2292-16-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/2292-80-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/2292-1-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/2292-2-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/2292-186-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/2500-78-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/2500-79-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download