Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

6465e923bf...61.exe

windows7-x64

10

6465e923bf...61.exe

windows10-2004-x64

10

6677fcb62e...50.exe

windows7-x64

3

6677fcb62e...50.exe

windows10-2004-x64

3

691d9802fa...e9.exe

windows7-x64

1

691d9802fa...e9.exe

windows10-2004-x64

1

6a150e7eee...36.exe

windows7-x64

8

6a150e7eee...36.exe

windows10-2004-x64

8

6aa340437e...c2.exe

windows7-x64

10

6aa340437e...c2.exe

windows10-2004-x64

10

6c5bf2ea45...8f.exe

windows7-x64

10

6c5bf2ea45...8f.exe

windows10-2004-x64

10

6e40e3ab02...99.exe

windows7-x64

6e40e3ab02...99.exe

windows10-2004-x64

6f2c23f7e9...78.exe

windows7-x64

7

6f2c23f7e9...78.exe

windows10-2004-x64

7

788cfdaeb7...ed.exe

windows7-x64

7

788cfdaeb7...ed.exe

windows10-2004-x64

7

7cfc40d94f...f2.exe

windows7-x64

3

7cfc40d94f...f2.exe

windows10-2004-x64

3

7f237484f5...1d.exe

windows7-x64

1

7f237484f5...1d.exe

windows10-2004-x64

1

7f8bcaf3c1...5d.exe

windows7-x64

10

7f8bcaf3c1...5d.exe

windows10-2004-x64

10

863385d41f...34.exe

windows7-x64

10

863385d41f...34.exe

windows10-2004-x64

10

89c11885c2...31.exe

windows7-x64

10

89c11885c2...31.exe

windows10-2004-x64

10

8abccfea53...41.exe

windows7-x64

1

8abccfea53...41.exe

windows10-2004-x64

1

8ea7566ef3...44.exe

windows7-x64

10

8ea7566ef3...44.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/03/2025, 07:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6a150e7eee969746cc6cc4579d13d2fd6cef5bdc77223aa24e9a6c1c6bf7b036.exe

  • Size

    3.6MB

  • MD5

    09e6f988f991b837912b66572c850ef3

  • SHA1

    156d553cdf1ceac2a73053f5a118c3ec6376227e

  • SHA256

    6a150e7eee969746cc6cc4579d13d2fd6cef5bdc77223aa24e9a6c1c6bf7b036

  • SHA512

    78d3656f8b335a116dc33ee1cf8f16f78bf297d4b4c7b88ae78a7bef69e710a5e1dd53c5b59cb36298075a3fd1a2aa448af37f8596ff1f7588916ff0a8f76654

  • SSDEEP

    98304:HRS6nfSOQZOt+CW+7EELhF3gxpNOf2k2Y/YQ2S1QdY:Hkj8NBFwxpNOuk2jq1Qy

Score
8/10
defense_evasionexecutionspywarestealer

Malware Config

Signatures

  • Stops running service(s) 4 TTPs
    defense_evasionexecution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a150e7eee969746cc6cc4579d13d2fd6cef5bdc77223aa24e9a6c1c6bf7b036.exe
    "C:\Users\Admin\AppData\Local\Temp\6a150e7eee969746cc6cc4579d13d2fd6cef5bdc77223aa24e9a6c1c6bf7b036.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Users\Admin\AppData\Local\Temp\IU598ky2f.exe
      "C:\Users\Admin\AppData\Local\Temp\IU598ky2f.exe" QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxMb2NhbFxUZW1wXDZhMTUwZTdlZWU5Njk3NDZjYzZjYzQ1NzlkMTNkMmZkNmNlZjViZGM3NzIyM2FhMjRlOWE2YzFjNmJmN2IwMzYuZXhl
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2304
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C sc stop "SysMain" & sc config "SysMain" start=disabled
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1948
        • C:\Windows\system32\sc.exe
          sc stop "SysMain"
          4⤵
          • Launches sc.exe
          PID:4532
        • C:\Windows\system32\sc.exe
          sc config "SysMain" start=disabled
          4⤵
          • Launches sc.exe
          PID:1580

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IU598ky2f.exe
    Filesize

    3.6MB

    MD5

    f8e3362a40556680fa8f973dcaa82e1c

    SHA1

    ad1be696c388b1a5c28ac20e5789b6fe7f1ef18e

    SHA256

    bb2857d0a8b0b086acf3650c810899b88f0bb799f689aaaf7fa4c7a506ce5d6f

    SHA512

    fff21193ffa40d76cb762834c4775b47765f1e56f0eea38d0bf7688d5040cef39f0016295e7e5ba09ae4596690603ac8198aad77a8732cfdae5f7c63f588220b

    Download Submit

  • memory/2188-12-0x000001BC1CCA0000-0x000001BC1CCD2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2188-7-0x000001BC1B510000-0x000001BC1B516000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2188-3-0x000001BC01360000-0x000001BC01390000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2188-4-0x00007FFFC03A0000-0x00007FFFC0E61000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2188-5-0x000001BC1C690000-0x000001BC1CAC8000-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/2188-6-0x000001BC01320000-0x000001BC01324000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2188-0-0x00007FFFC03A3000-0x00007FFFC03A5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2188-8-0x000001BC1CBC0000-0x000001BC1CC5C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2188-9-0x000001BC1B520000-0x000001BC1B526000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2188-10-0x000001BC1CC70000-0x000001BC1CC78000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2188-2-0x000001BC1B540000-0x000001BC1B830000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2188-11-0x000001BC1CD40000-0x000001BC1CDFA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/2188-30-0x00007FFFC03A0000-0x00007FFFC0E61000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2188-1-0x000001BC00C70000-0x000001BC00F94000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2188-13-0x000001BC1CCD0000-0x000001BC1CCD4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2304-27-0x000002087CDE0000-0x000002087D104000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2304-28-0x00007FFFC03A0000-0x00007FFFC0E61000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2304-31-0x00007FFFC03A0000-0x00007FFFC0E61000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2304-32-0x00000208196F0000-0x0000020819762000-memory.dmp

    Filesize

    456KB

    Download

  • memory/2304-33-0x0000020819760000-0x0000020819766000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2304-34-0x000002087D560000-0x000002087D598000-memory.dmp

    Filesize

    224KB

    Download

  • memory/2304-35-0x000002087D4F0000-0x000002087D4FE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2304-36-0x00007FFFC03A0000-0x00007FFFC0E61000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2304-37-0x00007FFFC03A0000-0x00007FFFC0E61000-memory.dmp

    Filesize

    10.8MB

    Download