Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
10326fcf4806...79.exe
windows7-x64
10326fcf4806...79.exe
windows10-2004-x64
103293f41661...16.exe
windows7-x64
103293f41661...16.exe
windows10-2004-x64
1032af824687...29.exe
windows7-x64
1032af824687...29.exe
windows10-2004-x64
10332a07ad96...b5.exe
windows7-x64
7332a07ad96...b5.exe
windows10-2004-x64
7337f25a258...51.exe
windows7-x64
10337f25a258...51.exe
windows10-2004-x64
1033a6af7047...7b.exe
windows7-x64
1033a6af7047...7b.exe
windows10-2004-x64
10342f2b5aa4...75.exe
windows7-x64
10342f2b5aa4...75.exe
windows10-2004-x64
10344b47e81e...0c.exe
windows7-x64
10344b47e81e...0c.exe
windows10-2004-x64
10345db905b1...8a.exe
windows7-x64
3345db905b1...8a.exe
windows10-2004-x64
134655ac11b...76.exe
windows7-x64
1034655ac11b...76.exe
windows10-2004-x64
1034a292bd76...b7.exe
windows7-x64
1034a292bd76...b7.exe
windows10-2004-x64
1034d765717a...e4.exe
windows7-x64
734d765717a...e4.exe
windows10-2004-x64
634f76de826...a9.exe
windows7-x64
1034f76de826...a9.exe
windows10-2004-x64
10350eba0e7b...2b.exe
windows7-x64
10350eba0e7b...2b.exe
windows10-2004-x64
10353233e5a4...ec.exe
windows7-x64
5353233e5a4...ec.exe
windows10-2004-x64
535459ca752...7b.exe
windows7-x64
1035459ca752...7b.exe
windows10-2004-x64
10Analysis
-
max time kernel
101s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
22/03/2025, 06:25
Behavioral task
behavioral1
Sample
326fcf48062cbb0bacf4663fee8a51c740e810ee0477fcf6eb3e8c5420909e79.exe
Resource
win7-20250207-en
Behavioral task
behavioral2
Sample
326fcf48062cbb0bacf4663fee8a51c740e810ee0477fcf6eb3e8c5420909e79.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral3
Sample
3293f41661f096b9d6839d0389f94416.exe
Resource
win7-20241023-en
Behavioral task
behavioral4
Sample
3293f41661f096b9d6839d0389f94416.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral5
Sample
32af824687697346da2d415bfb80fa29.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
32af824687697346da2d415bfb80fa29.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral7
Sample
332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
332a07ad965316c83984ac70dfcf9e0fea793b235afe69e8054b2bc6501827b5.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral9
Sample
337f25a258012c5c5802696b2f2b1a51.exe
Resource
win7-20240729-en
Behavioral task
behavioral10
Sample
337f25a258012c5c5802696b2f2b1a51.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral11
Sample
33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
Resource
win7-20240729-en
Behavioral task
behavioral12
Sample
33a6af7047ae75162c1c9ed55ba0fd301b22f1eb5a59d6a9fcb7d727ff8bb97b.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral13
Sample
342f2b5aa4fb4c3d9bfa18f7ff3e96ac5a21db19b8635b92ca789dfcb4e55875.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
342f2b5aa4fb4c3d9bfa18f7ff3e96ac5a21db19b8635b92ca789dfcb4e55875.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral15
Sample
344b47e81ef94c8f7a3a1c229f4c167bcb516900647d82936084677320a4960c.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
344b47e81ef94c8f7a3a1c229f4c167bcb516900647d82936084677320a4960c.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral17
Sample
345db905b17d371d0355419841ad7d8a.exe
Resource
win7-20241023-en
Behavioral task
behavioral18
Sample
345db905b17d371d0355419841ad7d8a.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral19
Sample
34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
Resource
win7-20250207-en
Behavioral task
behavioral20
Sample
34655ac11b4f6a8d6f1ea8e2fbbe0676.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral21
Sample
34a292bd76e629b9fd512f94ba2f6bea582de6e9f7cdc0129c233fa4df357ab7.exe
Resource
win7-20250207-en
Behavioral task
behavioral22
Sample
34a292bd76e629b9fd512f94ba2f6bea582de6e9f7cdc0129c233fa4df357ab7.exe
Resource
win10v2004-20250313-en
Behavioral task
behavioral23
Sample
34d765717a065c8984c1663ed6d88c18ce58ea3a1780da7947d9686ff01f1ee4.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
34d765717a065c8984c1663ed6d88c18ce58ea3a1780da7947d9686ff01f1ee4.exe
Resource
win10v2004-20250313-en
Behavioral task
behavioral25
Sample
34f76de8267d9a91d17434be5e65ffd3cc33a92188faa235c895b63e154356a9.exe
Resource
win7-20241023-en
Behavioral task
behavioral26
Sample
34f76de8267d9a91d17434be5e65ffd3cc33a92188faa235c895b63e154356a9.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral27
Sample
350eba0e7b89b10b4b0f886f34ddc62dec985f55ef6ee0f9f5a7e93da5cdac2b.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
350eba0e7b89b10b4b0f886f34ddc62dec985f55ef6ee0f9f5a7e93da5cdac2b.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral29
Sample
353233e5a415519357daf1258d66e8ec.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
353233e5a415519357daf1258d66e8ec.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral31
Sample
35459ca7521a8565cf4acaadd346537b.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
35459ca7521a8565cf4acaadd346537b.exe
Resource
win10v2004-20250314-en
General
-
Target
34f76de8267d9a91d17434be5e65ffd3cc33a92188faa235c895b63e154356a9.exe
-
Size
211KB
-
MD5
dfc95dfdc917270aedadb22238d7cae8
-
SHA1
91c80164d7411805c86fa014536fb7d74cab616d
-
SHA256
34f76de8267d9a91d17434be5e65ffd3cc33a92188faa235c895b63e154356a9
-
SHA512
fd97d703d4d57f5bfb38426fec2d343234258c5c8c5559662d6917a8770a7001b8011cfae812cc7aa9ccc5947d4b37db610f459ec58d7602ef55884334e79745
-
SSDEEP
3072:Zp8Lc70UkL/JHt6RpkBzEhE0faKQAc7lGZPHb/5FVuBJ+U53TXbYwEKXFR:ILTr5t6Rpk8E0CZSb1gpEKX
Malware Config
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral26/memory/1184-1-0x0000000000200000-0x000000000023C000-memory.dmp family_stormkitty -
Stormkitty family
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 34f76de8267d9a91d17434be5e65ffd3cc33a92188faa235c895b63e154356a9.exe Key opened \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 34f76de8267d9a91d17434be5e65ffd3cc33a92188faa235c895b63e154356a9.exe Key opened \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 34f76de8267d9a91d17434be5e65ffd3cc33a92188faa235c895b63e154356a9.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 7 ipinfo.io 8 ipinfo.io -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4800 1184 WerFault.exe 85 -
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 34f76de8267d9a91d17434be5e65ffd3cc33a92188faa235c895b63e154356a9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 4860 netsh.exe 1516 cmd.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 34f76de8267d9a91d17434be5e65ffd3cc33a92188faa235c895b63e154356a9.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 34f76de8267d9a91d17434be5e65ffd3cc33a92188faa235c895b63e154356a9.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1184 34f76de8267d9a91d17434be5e65ffd3cc33a92188faa235c895b63e154356a9.exe 1184 34f76de8267d9a91d17434be5e65ffd3cc33a92188faa235c895b63e154356a9.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1184 34f76de8267d9a91d17434be5e65ffd3cc33a92188faa235c895b63e154356a9.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 1184 wrote to memory of 1516 1184 34f76de8267d9a91d17434be5e65ffd3cc33a92188faa235c895b63e154356a9.exe 87 PID 1184 wrote to memory of 1516 1184 34f76de8267d9a91d17434be5e65ffd3cc33a92188faa235c895b63e154356a9.exe 87 PID 1184 wrote to memory of 1516 1184 34f76de8267d9a91d17434be5e65ffd3cc33a92188faa235c895b63e154356a9.exe 87 PID 1516 wrote to memory of 4604 1516 cmd.exe 90 PID 1516 wrote to memory of 4604 1516 cmd.exe 90 PID 1516 wrote to memory of 4604 1516 cmd.exe 90 PID 1516 wrote to memory of 4860 1516 cmd.exe 91 PID 1516 wrote to memory of 4860 1516 cmd.exe 91 PID 1516 wrote to memory of 4860 1516 cmd.exe 91 PID 1516 wrote to memory of 5092 1516 cmd.exe 92 PID 1516 wrote to memory of 5092 1516 cmd.exe 92 PID 1516 wrote to memory of 5092 1516 cmd.exe 92 PID 1184 wrote to memory of 3576 1184 34f76de8267d9a91d17434be5e65ffd3cc33a92188faa235c895b63e154356a9.exe 96 PID 1184 wrote to memory of 3576 1184 34f76de8267d9a91d17434be5e65ffd3cc33a92188faa235c895b63e154356a9.exe 96 PID 1184 wrote to memory of 3576 1184 34f76de8267d9a91d17434be5e65ffd3cc33a92188faa235c895b63e154356a9.exe 96 PID 3576 wrote to memory of 5704 3576 cmd.exe 98 PID 3576 wrote to memory of 5704 3576 cmd.exe 98 PID 3576 wrote to memory of 5704 3576 cmd.exe 98 PID 3576 wrote to memory of 5868 3576 cmd.exe 99 PID 3576 wrote to memory of 5868 3576 cmd.exe 99 PID 3576 wrote to memory of 5868 3576 cmd.exe 99 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 34f76de8267d9a91d17434be5e65ffd3cc33a92188faa235c895b63e154356a9.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 34f76de8267d9a91d17434be5e65ffd3cc33a92188faa235c895b63e154356a9.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\34f76de8267d9a91d17434be5e65ffd3cc33a92188faa235c895b63e154356a9.exe"C:\Users\Admin\AppData\Local\Temp\34f76de8267d9a91d17434be5e65ffd3cc33a92188faa235c895b63e154356a9.exe"1⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1184 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
- System Location Discovery: System Language Discovery
PID:4604
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
PID:4860
-
-
C:\Windows\SysWOW64\findstr.exefindstr All3⤵
- System Location Discovery: System Language Discovery
PID:5092
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 24402⤵
- Program crash
PID:4800
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3576 -
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
- System Location Discovery: System Language Discovery
PID:5704
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:5868
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1184 -ip 11841⤵PID:1836
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1