Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

aaca1d0a68...cf.exe

windows7-x64

10

aaca1d0a68...cf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13/12/2024, 02:54 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aaca1d0a684091ceb9367a917719e5593de9337ec857afeb51719bf8994834cf.exe

  • Size

    768KB

  • MD5

    f9026db46d3aba99ae513ebad80bbb6c

  • SHA1

    fba300cffc1b94f5e95fde5b92b1616ff9e91808

  • SHA256

    aaca1d0a684091ceb9367a917719e5593de9337ec857afeb51719bf8994834cf

  • SHA512

    b864349a78c59e9646f0431245be4f0070f6af84369788b551b2fbc20eee6bd8a4897df9190fc420b5bfe1d1407814b324245039443329e723b7172210c3f0a4

  • SSDEEP

    12288:uvsXZv8km0OHcbGbvzWHz0HnquwQU+S0ssFWylkkoAbtEhTwfNqbYS2VbICKMIUr:ZfPz0HbdS0ssFlSjtMR

Score
10/10
sectopratdiscoveryratspywarestealertrojan

Malware Config

Signatures

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Sectoprat family
    sectoprat
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aaca1d0a684091ceb9367a917719e5593de9337ec857afeb51719bf8994834cf.exe
    "C:\Users\Admin\AppData\Local\Temp\aaca1d0a684091ceb9367a917719e5593de9337ec857afeb51719bf8994834cf.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1620

Network

  • flag-ru
    GET
    http://185.147.124.236:9000/wbinjget?q=12AD253B75514BEFDFC9A2F2A630A8F2
    aaca1d0a684091ceb9367a917719e5593de9337ec857afeb51719bf8994834cf.exe
    Remote address:
    185.147.124.236:9000
    Request
    GET /wbinjget?q=12AD253B75514BEFDFC9A2F2A630A8F2 HTTP/1.1
    Host: 185.147.124.236:9000
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Cache-Control: no-cache
    Content-Length: 0
    Server: Microsoft-HTTPAPI/2.0
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH
    Access-Control-Allow-Headers: *
    Access-Control-Expose-Headers:
    Accept: */*
    Accept-Language: en-US, en
    Accept-Charset: ISO-8859-1, utf-8
    Host: *:9000
    Date: Fri, 13 Dec 2024 02:54:22 GMT
    Connection: close
  • 185.147.124.236:15647
    aaca1d0a684091ceb9367a917719e5593de9337ec857afeb51719bf8994834cf.exe
    1.0kB
     802 B
     14
    8
  • 185.147.124.236:9000
    http://185.147.124.236:9000/wbinjget?q=12AD253B75514BEFDFC9A2F2A630A8F2
    http
    aaca1d0a684091ceb9367a917719e5593de9337ec857afeb51719bf8994834cf.exe
    343 B
     546 B
     5
    3

    HTTP Request

    GET http://185.147.124.236:9000/wbinjget?q=12AD253B75514BEFDFC9A2F2A630A8F2

    HTTP Response

    200
No results found

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp9DD7.tmp
    Filesize

    20KB

    MD5

    c9ff7748d8fcef4cf84a5501e996a641

    SHA1

    02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

    SHA256

    4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

    SHA512

    d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

    Download Submit

  • memory/1620-0-0x0000000073FFE000-0x0000000073FFF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1620-1-0x0000000000B90000-0x0000000000C56000-memory.dmp

    Filesize

    792KB

    Download

  • memory/1620-2-0x0000000073FF0000-0x00000000746DE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1620-12-0x0000000073FFE000-0x0000000073FFF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1620-13-0x0000000073FF0000-0x00000000746DE000-memory.dmp

    Filesize

    6.9MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.