Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

7a39459b24...6N.exe

windows7-x64

10

7a39459b24...6N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    111s
  • max time network
    88s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15/01/2025, 22:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe

  • Size

    278KB

  • MD5

    063c7d5dccfda3e0b0ad858820e32060

  • SHA1

    4aae1fc23e48804b98a778f1b2786ffa05e3a689

  • SHA256

    7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026

  • SHA512

    f04bff72be28e76e729a8cadfa726f45803847899f58b6dccdf1853b647520be9cc80b4ab6c409f6f0db589b8f78d2ccf7d6fc6ea639d7bfbe7e1f3ffc7f17ef

  • SSDEEP

    6144:lgRqbGn6NH+qcEDlCC/R4eilAZ88K8snV7mv+Juo:l+qbGceGlD/yeLZV4A2Ju

Score
10/10
cycbotponybackdoorcredential_accessdiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Cycbot

    Cycbot is a backdoor and trojan written in C++..

    backdoorratcycbot
  • Cycbot family
    cycbot
  • Detects Cycbot payload 8 IoCs

    Cycbot is a backdoor and trojan written in C++.

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony family
    pony
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe
    "C:\Users\Admin\AppData\Local\Temp\7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe"
    1⤵
    • Modifies security service
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2524
    • C:\Users\Admin\AppData\Local\Temp\7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe
      C:\Users\Admin\AppData\Local\Temp\7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe startC:\Users\Admin\AppData\Roaming\30656\3CD43.exe%C:\Users\Admin\AppData\Roaming\30656
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1676
    • C:\Users\Admin\AppData\Local\Temp\7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe
      C:\Users\Admin\AppData\Local\Temp\7a39459b2468d6f0dabd92d0ca72ffb58cf468792d075d6f75acd58732aef026N.exe startC:\Program Files (x86)\56BE0\lvvm.exe%C:\Program Files (x86)\56BE0
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2308
    • C:\Program Files (x86)\LP\43C3\7FC.tmp
      "C:\Program Files (x86)\LP\43C3\7FC.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1468
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2428
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Modify Registry

4
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Query Registry

2
T1012

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\30656\6BE0.065
    Filesize

    996B

    MD5

    d577758ec1422cd8f7d7aa179b80acf2

    SHA1

    f88c5e68a6a0a90d9359a4ff5f48675e84b723ed

    SHA256

    13fc4074052ee15ced087afe6c335ee5e83a4a543ec0c5dc706b9d533dc37c54

    SHA512

    b1e709f872a424502e518264bee78273e231f405c916ad42379fb5da14dfe0b8735ba8d7c7f449f299b2a11637f171df05f05fd0032698a6748f2ea8e99afa7b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\30656\6BE0.065
    Filesize

    1KB

    MD5

    f4d25e40a264eba99a7861ae9811fa21

    SHA1

    8d9292e8425e6f6c7f35e5a428d967b750d867bd

    SHA256

    246674b02765f12f74492c68759b32f78a09e998a27112bf43e2729eae3d513b

    SHA512

    05d6dbe099b368b21a10ebcfdcf0bfb040ff2e21624ee5bd833d4be0aa7705efc3e5a50bbbc1225e278519126837849720f2022c5729698a1e3622b8038f8c11

    Download Submit

  • C:\Users\Admin\AppData\Roaming\30656\6BE0.065
    Filesize

    600B

    MD5

    30a1b693e209ac5c3107ae3c9f456fa1

    SHA1

    24744cc3e373429d3624f732e2247d480228c5c3

    SHA256

    3d550829abb63fe3653b226c56567059599f969de78ae0e14995629b08ca145c

    SHA512

    d0a686f2cbb9a2bfde2f16c77bc841462ca1b01bc0c9a7ec9aa5597239fea877eab8f7ac67b463ef2adc6661d8e4709d53c1c02b13c49988e3ab7fc98c6f8862

    Download Submit

  • C:\Users\Admin\AppData\Roaming\30656\6BE0.065
    Filesize

    300B

    MD5

    af46816e45876db18a7e853c3a64144f

    SHA1

    f2f39bdfff9295466aa27c06d52b27b65dcb2aa5

    SHA256

    96bee65fcca0a99e897d302bf511d31daddc029a646de369773d94920a3e9560

    SHA512

    74eef2098d3344f4f554f300ba5b8fd8838048050aac83d5163f12a15e537f57ba83895c50098547358f47ed105287af7b2d3e03a6209f0f7c864b36206b90b2

    Download Submit

  • \Program Files (x86)\LP\43C3\7FC.tmp
    Filesize

    99KB

    MD5

    55ce0a78d2d9f3b77a707191cbb289cc

    SHA1

    a45bfce1c2de0de0f3222f9e388a1d19a84c0c07

    SHA256

    1cd3bf36ce50f03435f912f72092a561a9106f92f1a94b6028db3012960c5c2a

    SHA512

    50727fd305ef36f6dc28a8a1a7f12df2e82e024a89be0d51e79e034c8de99fbf3a0c71b5578a0c1171296724e7c39121443d2568b62edc4ef5a75da626e7b319

    Download Submit

  • memory/1468-208-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1676-41-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/1676-40-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/1676-42-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2308-98-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2524-96-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2524-37-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2524-2-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2524-1-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

    Download

  • memory/2524-207-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2524-39-0x0000000000400000-0x0000000000468000-memory.dmp

    Filesize

    416KB

    Download

  • memory/2524-211-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download