Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    74s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    02/02/2025, 01:22

General

  • Target

    082d09d95fdc1a362078d9374662588dbdc8f8e561199e3c8040059f739f77e7.exe

  • Size

    274KB

  • MD5

    cc38ca65b4b44a200e6df763acf832ce

  • SHA1

    2243c93668f421ac5b9bcf2409afd494833000f7

  • SHA256

    082d09d95fdc1a362078d9374662588dbdc8f8e561199e3c8040059f739f77e7

  • SHA512

    a73a4e77565e44e7dc8cca24adf4817da0ca61f8177f6b209e95a32c7868833b7514d10d1acd5a1a0d77288b6634578c77b6627060b96963817fafb387937589

  • SSDEEP

    6144:Cf+BLtABPD345GxbeCpwaUsZ3FVafTrNlI1D0Z2cP:y4sZKaUsZ3sg1DfcP

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1268575223754522654/p3kG7TYiNnRJt6AGaKl6yqWSNq4m8D-z5DmsFHvopaDzLbxf2LlN6fYTIX4FWMVt7UOg

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • 44Caliber family
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\082d09d95fdc1a362078d9374662588dbdc8f8e561199e3c8040059f739f77e7.exe
    "C:\Users\Admin\AppData\Local\Temp\082d09d95fdc1a362078d9374662588dbdc8f8e561199e3c8040059f739f77e7.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2860

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2860-0-0x000007FEF6403000-0x000007FEF6404000-memory.dmp

    Filesize

    4KB

  • memory/2860-1-0x0000000000F90000-0x0000000000FDA000-memory.dmp

    Filesize

    296KB

  • memory/2860-19-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

    Filesize

    9.9MB

  • memory/2860-51-0x000007FEF6400000-0x000007FEF6DEC000-memory.dmp

    Filesize

    9.9MB