Analysis
- max time kernel: 127s
- max time network: 125s
- platform: windows7_x64
- resource: win7
- submitted: 11/07/2020, 06:25
- Static task: static1
- Behavioral task: behavioral1
- Sample: gunzipped.exe
- Resource: win7
General
- Target: gunzipped.exe
- Size: 572KB
- MD5: f031a2ff8a6c1c0779d0b990a98178ec
- SHA1: 830c8b2ff1032eec57844184070a03d1bc36f062
- SHA256: fba45ffb9e02ccd6ad4f23b32623b1972492c7909ea1a8e39b7186e8a73ce12a
- SHA512: 3b9d7eb9fa04ece0b2a0455a8be6c0393e7d82fd36167f590099ab047ae1a40c68e69a79b080e9f616382c45b288c8c88060947c0cf6444fedbe32d6c5628b02
Malware Config
Extracted
- Family: lokibot
- C2 URLs (panel gate, fre.php):
  - https://airmanselectiontest.com/dest/Panel/fre.php
  - http://kbfvzoboss.bid/alien/fre.php
  - http://alphastand.trade/alien/fre.php
  - http://alphastand.win/alien/fre.php
  - http://alphastand.top/alien/fre.php
Note for triage: the kbfvzoboss.bid and alphastand.* entries are the placeholder URLs widely reported to be left behind by the cracked LokiBot builder and turn up in most LokiBot configs; the first URL is the one the operator set and is the actionable indicator for blocking and hunting.
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1124 set thread context of 1108 | 1124 | gunzipped.exe | 24
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 1108 | gunzipped.exe
- Suspicious behavior: RenamesItself (1 IoC)
  pid | Process
  1108 | gunzipped.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  1124 | gunzipped.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1124 wrote to memory of 1108 | 1124 | gunzipped.exe | 24
  PID 1124 wrote to memory of 1108 | 1124 | gunzipped.exe | 24
  PID 1124 wrote to memory of 1108 | 1124 | gunzipped.exe | 24
  PID 1124 wrote to memory of 1108 | 1124 | gunzipped.exe | 24
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid | Process
  1124 | gunzipped.exe
Reading the rows together: the first instance (PID 1124) enumerates processes, maps a section, spawns a second copy of its own image (PID 1108), writes into that child's memory four times and then sets its thread context. That cross-process WriteProcessMemory plus SetThreadContext footprint, aimed at a freshly spawned child of the same image, is the pattern of process-hollowing style injection; the unpacked payload then runs in 1108, which enables SeDebugPrivilege and renames itself. procid_target is tria.ge's internal process index, not a Windows PID.
Processes
- C:\Users\Admin\AppData\Local\Temp\gunzipped.exe  "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"  (PID 1124)
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  - child: C:\Users\Admin\AppData\Local\Temp\gunzipped.exe  "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"  (PID 1108)
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: RenamesItself
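The following is an added example, not tria.ge code and not part of the original report: it rebuilds the injection chain from a list of behaviour events shaped like the Signatures rows above and classifies it the way an analyst would. The Event record layout, the EVENTS list and the PARENT_OF map are my own constructions copied from this report (PIDs 1124 and 1108, image gunzipped.exe); the sandbox's signature tables are unordered summaries, so the code deliberately does not depend on event order.

```python
"""Reconstruct a WriteProcessMemory + SetThreadContext injection chain from
sandbox-style behaviour rows. Added example; the record layout is assumed,
not a tria.ge export format."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    pid: int               # process performing the action
    image: str             # image name of that process
    api: str               # behaviour label as the sandbox names it
    target: Optional[int]  # PID acted upon for cross-process calls, else None


# Constructed from this report's Signatures section (assumed layout).
EVENTS: List[Event] = [
    Event(1124, "gunzipped.exe", "EnumeratesProcesses", None),
    Event(1124, "gunzipped.exe", "MapViewOfSection", None),
    Event(1124, "gunzipped.exe", "WriteProcessMemory", 1108),
    Event(1124, "gunzipped.exe", "WriteProcessMemory", 1108),
    Event(1124, "gunzipped.exe", "WriteProcessMemory", 1108),
    Event(1124, "gunzipped.exe", "WriteProcessMemory", 1108),
    Event(1124, "gunzipped.exe", "SetThreadContext", 1108),
    Event(1108, "gunzipped.exe", "AdjustPrivilegeToken", None),
    Event(1108, "gunzipped.exe", "RenamesItself", None),
]

# Parent/child relation taken from the Processes tree (child PID -> parent PID).
PARENT_OF: Dict[int, int] = {1108: 1124}


def find_injection_chains(events: List[Event], parent_of: Dict[int, int]) -> List[dict]:
    """Pair cross-process memory writes with SetThreadContext on the same victim.

    WriteProcessMemory followed by SetThreadContext on one target is the minimal
    footprint of thread-hijack style injection. When the victim is a freshly
    spawned child running the injector's own image, that matches process
    hollowing (spawn self, overwrite its memory, redirect the entry point).
    The report shows no CreateProcess flags or NtUnmapViewOfSection call, so
    the verdict is "consistent with", not proof.
    """
    image_of = {e.pid: e.image for e in events}
    apis = defaultdict(Counter)  # (injector, victim) -> api name -> count
    for e in events:
        if e.target is not None:
            apis[(e.pid, e.target)][e.api] += 1

    findings = []
    for (src, dst), counts in apis.items():
        if not (counts["WriteProcessMemory"] and counts["SetThreadContext"]):
            continue
        is_child = parent_of.get(dst) == src
        same_image = image_of.get(src) == image_of.get(dst)
        if is_child and same_image:
            verdict = "consistent with process hollowing of own image"
        elif is_child:
            verdict = "injection into spawned child"
        else:
            verdict = "injection into unrelated process"
        # What the victim does on its own afterwards shows where the payload runs.
        victim_actions = sorted({e.api for e in events if e.pid == dst and e.target is None})
        findings.append({
            "injector": src,
            "victim": dst,
            "writes": counts["WriteProcessMemory"],
            "is_child": is_child,
            "same_image": same_image,
            "verdict": verdict,
            "victim_actions": victim_actions,
        })
    return findings


if __name__ == "__main__":
    for finding in find_injection_chains(EVENTS, PARENT_OF):
        print(finding)
```

On live telemetry the same logic applies to Sysmon event 8/10 or ETW process-access records keyed on source and target PID; the caveat in the docstring stands there too, since a debugger or an EDR agent also writes memory and sets thread context on processes it owns, so the parent/child and same-image checks are what separate this sample's behaviour from benign tooling.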