Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
59s -
max time network
59s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
26/02/2025, 04:28
General
-
Target
Insidious.exe
-
Size
274KB
-
MD5
7a083b21373fd2434499809259fde79b
-
SHA1
76a4435b5d6962ac5075ab5f6da961c3ec8b69c9
-
SHA256
14a1264513387d0de5b2ff845e9f87281c541454f3602195bd4722071c9cd993
-
SHA512
bc1ccfa81f536f05870030b681a090b867bdb2ac557bd136590566a7c1b0487f9360d59d765dddc017ed0a1b611df8bdc08ad3e50c167a968b3a7168f38056b0
-
SSDEEP
6144:Sf+BLtABPDtFxzerToNZrOGy4xlc41V6GIeyXsRA1D0F+t:AFfNZrOR4EY69eyXd1DXt
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/882489630065319956/VC0YwvBy87naF4ORGT57s3TAJyA-YLmF9HH8KTWMAMdx5J5HhF5egYZOK_c3-xXSTcUg
Signatures
-
44Caliber
An open source infostealer written in C#.
-
44Caliber family
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Drops desktop.ini file(s) 11 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Windows directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry class 15 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Insidious.exe"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\EnterSave.hta"1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
-
C:\Windows\eHome\ehshell.exe"C:\Windows\eHome\ehshell.exe" /prefetch:1003 "C:\Users\Admin\Desktop\StepExport.DVR"1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /SkipFUE /RemoteOCXLaunch /SuppressDialogs2⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Program Files\Microsoft Games\solitaire\solitaire.exe"C:\Program Files\Microsoft Games\solitaire\solitaire.exe"1⤵
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
296KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
632KB
-
Filesize
736KB
-
Filesize
1.5MB
-
Filesize
6.0MB