Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system -
submitted
02/02/2025, 01:22
Behavioral task
behavioral1
Sample
082d09d95fdc1a362078d9374662588dbdc8f8e561199e3c8040059f739f77e7.exe
Resource
win7-20241010-en
General
-
Target
082d09d95fdc1a362078d9374662588dbdc8f8e561199e3c8040059f739f77e7.exe
-
Size
274KB
-
MD5
cc38ca65b4b44a200e6df763acf832ce
-
SHA1
2243c93668f421ac5b9bcf2409afd494833000f7
-
SHA256
082d09d95fdc1a362078d9374662588dbdc8f8e561199e3c8040059f739f77e7
-
SHA512
a73a4e77565e44e7dc8cca24adf4817da0ca61f8177f6b209e95a32c7868833b7514d10d1acd5a1a0d77288b6634578c77b6627060b96963817fafb387937589
-
SSDEEP
6144:Cf+BLtABPD345GxbeCpwaUsZ3FVafTrNlI1D0Z2cP:y4sZKaUsZ3sg1DfcP
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1268575223754522654/p3kG7TYiNnRJt6AGaKl6yqWSNq4m8D-z5DmsFHvopaDzLbxf2LlN6fYTIX4FWMVt7UOg
Signatures
-
44Caliber family
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 1 freegeoip.app 2 freegeoip.app -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 082d09d95fdc1a362078d9374662588dbdc8f8e561199e3c8040059f739f77e7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 082d09d95fdc1a362078d9374662588dbdc8f8e561199e3c8040059f739f77e7.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2968 082d09d95fdc1a362078d9374662588dbdc8f8e561199e3c8040059f739f77e7.exe 2968 082d09d95fdc1a362078d9374662588dbdc8f8e561199e3c8040059f739f77e7.exe 2968 082d09d95fdc1a362078d9374662588dbdc8f8e561199e3c8040059f739f77e7.exe 2968 082d09d95fdc1a362078d9374662588dbdc8f8e561199e3c8040059f739f77e7.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2968 082d09d95fdc1a362078d9374662588dbdc8f8e561199e3c8040059f739f77e7.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\082d09d95fdc1a362078d9374662588dbdc8f8e561199e3c8040059f739f77e7.exe"C:\Users\Admin\AppData\Local\Temp\082d09d95fdc1a362078d9374662588dbdc8f8e561199e3c8040059f739f77e7.exe"1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
733B
MD59bccae7c212370a16c050c8688443baa
SHA1750045efa42467adb11ec52961a42e91388e6517
SHA256083baaf7370156405a8a73ee88853cf1cf72392379606977dbb9dc4672ed3eac
SHA512f55348ac5ac7ddc6d5dbb939ed238b4ce0089097f65dbd43070cf6aec8a9efb5ca3ac7a480aa3c3d6e52d7b7744cb2b066966530b9154b0d6cff7914b1f01afc
-
Filesize
1KB
MD5be7d176a5ff8daefc4a04339f026650e
SHA19a5a7c7e2d34a3775bfc79fd59a8e4c82fc2010f
SHA256eaae79946123626ac9d03387aa8c1703a992ff0085273dbfca74acd5aef30926
SHA51273ace7e7eb09d23d89a19b468956b0dc177f06866e956b5258cff50837b8cd43725fa8d125cc829bddd2bb5bbf5f05e90ba962352cbc321d8c15f2bdfd583231