Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

beac9e0679...80.exe

windows7-x64

8

beac9e0679...80.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14/01/2025, 01:40 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    beac9e0679a012e96e7675cc53ad4c43e6a2641b7e13ff4a77071a5ba1014180.exe

  • Size

    1.1MB

  • MD5

    281a29904448d897a158c8e1b63b7db0

  • SHA1

    7c414f52719a35fd7c92f53e586218a701ffd70d

  • SHA256

    beac9e0679a012e96e7675cc53ad4c43e6a2641b7e13ff4a77071a5ba1014180

  • SHA512

    0b234be4c59f83557db93aab31f6e79ce5bbaad93a85223daa4c477c53d837f9c8c22286f6e00659a7c7b6ff3885d8203d30066061e3889051c30e53f7516292

  • SSDEEP

    12288:pu0qQnmeElF2PNlJrGrxsVvLQiSAdpfZBLNxXb9F3DcyqwWicE4OIUm6gAG0aSU6:pu0qQnmPl8lKdseU5fiM

Score
8/10
collectioncredential_accessdiscoverypersistenceprivilege_escalationspywarestealer

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\beac9e0679a012e96e7675cc53ad4c43e6a2641b7e13ff4a77071a5ba1014180.exe
    "C:\Users\Admin\AppData\Local\Temp\beac9e0679a012e96e7675cc53ad4c43e6a2641b7e13ff4a77071a5ba1014180.exe"
    1⤵
    • Drops file in Drivers directory
    • Accesses Microsoft Outlook profiles
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:2096
    • C:\Windows\SysWOW64\netsh.exe
      "netsh" wlan show profile
      2⤵
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Wi-Fi Discovery
      PID:2640

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2096-0-0x0000000074461000-0x0000000074462000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2096-1-0x0000000074460000-0x0000000074A0B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2096-2-0x0000000074460000-0x0000000074A0B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2096-4-0x0000000074460000-0x0000000074A0B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2096-5-0x0000000074460000-0x0000000074A0B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2096-6-0x0000000074460000-0x0000000074A0B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2096-7-0x0000000074460000-0x0000000074A0B000-memory.dmp

    Filesize

    5.7MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.