Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 24/12/2024, 15:03
Behavioral tasks
behavioral1: sample OkEgjVmQ0rPYTjBDwBy70NyH.exe, resource win7-20241023-en
behavioral2: sample OkEgjVmQ0rPYTjBDwBy70NyH.exe, resource win10v2004-20241007-en
behavioral3: sample Osz8mRDYP0laXozOTuxyUiiF.exe, resource win7-20241023-en
behavioral4: sample Osz8mRDYP0laXozOTuxyUiiF.exe, resource win10v2004-20241007-en
behavioral5: sample rUtfalBbvXy6eEmMrseqpFHx.exe, resource win7-20240903-en
General
Target: rUtfalBbvXy6eEmMrseqpFHx.exe
Size: 2.0MB
MD5: 93156ea35c0014003d9e87bf82a79b33
SHA1: 1eacd5ec484996a4dab233cd569c54d1594fb3a9
SHA256: c6ac7d4850131a5422da8170ed1a51f939c4b3b1f312478498e8aa7df374e840
SHA512: 024611682daf2ca96112253d1b2cf8afed22639363c9684353a89e396a89e032a4f7ce8236557416e27dd635e3ee82b332aa3e0bfeba0affc439bdd28a3ea322
SSDEEP: 49152:7rEOLD0xW+aJVXfxu3Eosp/qw7RV+uY/:023Jtosp/qw7yb
Malware Config
Signatures

Detected Nirsoft tools (3 IoCs)
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource | yara_rule
behavioral5/files/0x0007000000012117-4.dat | Nirsoft
behavioral5/files/0x0008000000012117-13.dat | Nirsoft
behavioral5/memory/2328-15-0x0000000000400000-0x000000000047C000-memory.dmp | Nirsoft

NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
resource | yara_rule
behavioral5/files/0x0008000000012117-13.dat | WebBrowserPassView
behavioral5/memory/2328-15-0x0000000000400000-0x000000000047C000-memory.dmp | WebBrowserPassView

Executes dropped EXE (2 IoCs)
pid | Process
2984 | 11111.exe
2328 | 11111.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | ip-api.com

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 11111.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 11111.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2328 | 11111.exe
2328 | 11111.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 3020 wrote to memory of 2984 | 3020 | rUtfalBbvXy6eEmMrseqpFHx.exe | 30
PID 3020 wrote to memory of 2984 | 3020 | rUtfalBbvXy6eEmMrseqpFHx.exe | 30
PID 3020 wrote to memory of 2984 | 3020 | rUtfalBbvXy6eEmMrseqpFHx.exe | 30
PID 3020 wrote to memory of 2984 | 3020 | rUtfalBbvXy6eEmMrseqpFHx.exe | 30
PID 3020 wrote to memory of 2328 | 3020 | rUtfalBbvXy6eEmMrseqpFHx.exe | 31
PID 3020 wrote to memory of 2328 | 3020 | rUtfalBbvXy6eEmMrseqpFHx.exe | 31
PID 3020 wrote to memory of 2328 | 3020 | rUtfalBbvXy6eEmMrseqpFHx.exe | 31
PID 3020 wrote to memory of 2328 | 3020 | rUtfalBbvXy6eEmMrseqpFHx.exe | 31
PID 3020 wrote to memory of 2444 | 3020 | rUtfalBbvXy6eEmMrseqpFHx.exe | 33
PID 3020 wrote to memory of 2444 | 3020 | rUtfalBbvXy6eEmMrseqpFHx.exe | 33
PID 3020 wrote to memory of 2444 | 3020 | rUtfalBbvXy6eEmMrseqpFHx.exe | 33
Processes

image: C:\Users\Admin\AppData\Local\Temp\rUtfalBbvXy6eEmMrseqpFHx.exe
command: "C:\Users\Admin\AppData\Local\Temp\rUtfalBbvXy6eEmMrseqpFHx.exe"
- Suspicious use of WriteProcessMemory
PID: 3020

    child of PID 3020
    image: C:\Users\Admin\AppData\Local\Temp\11111.exe
    command: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2984

    child of PID 3020
    image: C:\Users\Admin\AppData\Local\Temp\11111.exe
    command: C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2328

    child of PID 3020
    image: C:\Windows\system32\WerFault.exe
    command: C:\Windows\system32\WerFault.exe -u -p 3020 -s 476
    PID: 2444
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 458KB
MD5: ba3a98e2a1faacf0ad668b4e9582a109
SHA1: 1160c029a6257f776a6ed1cfdc09ae158d613ae3
SHA256: 8165138265a2bf60d2edd69662c399bdbf1426108e98c5dfff5933168eba33f5
SHA512: d255da482ad2e9fa29b84676028c21683b0df7663113e2b0b7c6ff07c9fb8995e81a589e6c8d157ce33c1f266ac12a512821894159eee37dbb53a1d3ae6d6825

Filesize: 391KB
MD5: 7165e9d7456520d1f1644aa26da7c423
SHA1: 177f9116229a021e24f80c4059999c4c52f9e830
SHA256: 40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67
SHA512: fe80996a7f5c64815c19db1fa582581aa1934ea8d1050e686b4f65bcdd000df1decdf711e0e4b1de8a2aa4fcb1ac95cebb0316017c42e80d8386bd3400fcaecb

Filesize: 246B
MD5: 46183ada973d3bfaab7be726c800e96e
SHA1: 7fcb7272b04d8b1caaf1343ec720461ca79f45c2
SHA256: 0cba483c4b5eeb5d275d2a54db9f7c3c213615628b4ac79044980347930e7a1f
SHA512: 338c4ccf7cde74e3aa5c9bb27672797ab8b4c8aa6e99fbcf61a2dc8caecdd871b747e4bcc654391479bc4df5a1e72257da9957f9768c67b2846dd9435b950926

Filesize: 31B
MD5: b7161c0845a64ff6d7345b67ff97f3b0
SHA1: d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256: fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA512: 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680