Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
18/01/2025, 01:03
Static task
static1
Behavioral task
behavioral1
Sample
4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe
Resource
win7-20240729-en
General
-
Target
4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe
-
Size
186KB
-
MD5
7911b3c2b5597bade8af33b64cbead69
-
SHA1
ba3b3b48152c7387481d637d76535b1490f97185
-
SHA256
4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1
-
SHA512
391e0216a05ab95fad3adf936accc8770a2238bfa5363f7f178ec0a55063aa93e5eb2460f5cab2399d8c11e98cd07d3397c79d5912846f2341052ec37468501a
-
SSDEEP
3072:Jz+yYdb/Rs7U5MKTK3jNpp83Jh31+sJcmPmGXxE6E2pfbS1oB0VZhW:pWts7/KTkjNpwJp1vmGXxg2hwoB0
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 5 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral1/memory/2740-13-0x0000000000400000-0x0000000000453000-memory.dmp family_cycbot behavioral1/memory/2232-14-0x0000000000400000-0x0000000000453000-memory.dmp family_cycbot behavioral1/memory/1624-74-0x0000000000400000-0x0000000000453000-memory.dmp family_cycbot behavioral1/memory/2232-141-0x0000000000400000-0x0000000000453000-memory.dmp family_cycbot behavioral1/memory/2232-168-0x0000000000400000-0x0000000000453000-memory.dmp family_cycbot -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/2232-2-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/2740-12-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/2740-11-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/2740-13-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/2232-14-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/1624-73-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/1624-74-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/2232-141-0x0000000000400000-0x0000000000453000-memory.dmp upx behavioral1/memory/2232-168-0x0000000000400000-0x0000000000453000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2232 wrote to memory of 2740 2232 4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe 31 PID 2232 wrote to memory of 2740 2232 4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe 31 PID 2232 wrote to memory of 2740 2232 4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe 31 PID 2232 wrote to memory of 2740 2232 4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe 31 PID 2232 wrote to memory of 1624 2232 4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe 33 PID 2232 wrote to memory of 1624 2232 4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe 33 PID 2232 wrote to memory of 1624 2232 4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe 33 PID 2232 wrote to memory of 1624 2232 4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe"C:\Users\Admin\AppData\Local\Temp\4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Users\Admin\AppData\Local\Temp\4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exeC:\Users\Admin\AppData\Local\Temp\4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe startC:\Program Files (x86)\Internet Explorer\D3A0\77D.exe%C:\Program Files (x86)\Internet Explorer\D3A02⤵
- System Location Discovery: System Language Discovery
PID:2740
-
-
C:\Users\Admin\AppData\Local\Temp\4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exeC:\Users\Admin\AppData\Local\Temp\4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1.exe startC:\Users\Admin\AppData\Roaming\0D119\48ED3.exe%C:\Users\Admin\AppData\Roaming\0D1192⤵
- System Location Discovery: System Language Discovery
PID:1624
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD52a89b572b63f19d7deef022d9f98ec64
SHA142764e81bfec32d417076b26280142143d091671
SHA256b9835cc4923376e2fe18cfafaa2904e9f4d3cebd6029df9d073d4fd163f86b31
SHA5129e3d97aff34e43ff96f3ef322a5c2fc4b0a1be9a3f3f01f932dfc257640948bb7579f0d3c0e13b20d12713296a2c697eba25d399c34a910e4753d77dd011275b
-
Filesize
600B
MD587520a950a79d8340a0c9b778d02cc92
SHA11362dd3f51e37c927a93ce08273b2bfcb5d570b8
SHA256931eab586ca039c89586a26a3620352d7b33a81e1feb13e6aaa3cdaae9741349
SHA5127ee718fcae74f35aaf2a017f6dc97a5e931a44b7cf7a16dd8513fc60ab840bc97b74b1c06781a4b3f8f0f2089972f203533ccbffa5758b9202487ee20d2f35b2
-
Filesize
996B
MD54ef3d9fd2553cd94b767acfda1b1862d
SHA1b5ea790cdbd506878ed39d9e240d26ca0aac4674
SHA2560d0d5f9c5e4accaa65a2377a5d84d2b86afbdc7294aee29fa39b5924207d14d7
SHA512f640dd85b05e104158b05e17ba08a1eb54828ca88bf316e67f6e3c59b2cd2509e86a83845534712b4821329b06aa0f3fd97178f93c4d7b8a66cab84c48a4c11c