Analysis
  Max time kernel:   112s
  Max time network:  118s
  Platform:          windows7_x64
  Resource:          win7
  Submitted:         13/07/2020, 12:10

  Static task:       static1
  Behavioral task:   behavioral1
    Sample:    2ecc8d956dcef4f753a79989e5741210cc50b9f369e0f76145cd3e1e5144c4ee.exe
    Resource:  win7
  Behavioral task:   behavioral2
    Sample:    2ecc8d956dcef4f753a79989e5741210cc50b9f369e0f76145cd3e1e5144c4ee.exe
    Resource:  win10v200430
General
  Target:  2ecc8d956dcef4f753a79989e5741210cc50b9f369e0f76145cd3e1e5144c4ee.exe
  Size:    151KB
  MD5:     2f69495e576c580e33a3e9ab700691ac
  SHA1:    1dbac603d3d19785afea7f6910a960bf8ec23aad
  SHA256:  2ecc8d956dcef4f753a79989e5741210cc50b9f369e0f76145cd3e1e5144c4ee
  SHA512:  25619211997c998d2b36682be8d9b7684e35b3c6331f6155fe09f161831d78f760dc8c8a48699a093c54ec806c784f889946f07202eb7490af955f4e147ea4ae
Malware Config
  Extracted:  lokibot
Signatures
  Suspicious behavior: RenamesItself (1 IoC)
    PID   Process
    796   2ecc8d956dcef4f753a79989e5741210cc50b9f369e0f76145cd3e1e5144c4ee.exe

  Creates scheduled task(s) (1 TTP, 1 IoC)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
    PID   Process
    1512  schtasks.exe

  Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.

  Suspicious use of WriteProcessMemory (14 IoCs)
    Description                       PID   Process                                                                   procid_target
    PID 1164 wrote to memory of 1512  1164  2ecc8d956dcef4f753a79989e5741210cc50b9f369e0f76145cd3e1e5144c4ee.exe  24
    PID 1164 wrote to memory of 1512  1164  2ecc8d956dcef4f753a79989e5741210cc50b9f369e0f76145cd3e1e5144c4ee.exe  24
    PID 1164 wrote to memory of 1512  1164  2ecc8d956dcef4f753a79989e5741210cc50b9f369e0f76145cd3e1e5144c4ee.exe  24
    PID 1164 wrote to memory of 1512  1164  2ecc8d956dcef4f753a79989e5741210cc50b9f369e0f76145cd3e1e5144c4ee.exe  24
    PID 1164 wrote to memory of 796   1164  2ecc8d956dcef4f753a79989e5741210cc50b9f369e0f76145cd3e1e5144c4ee.exe  26
    PID 1164 wrote to memory of 796   1164  2ecc8d956dcef4f753a79989e5741210cc50b9f369e0f76145cd3e1e5144c4ee.exe  26
    PID 1164 wrote to memory of 796   1164  2ecc8d956dcef4f753a79989e5741210cc50b9f369e0f76145cd3e1e5144c4ee.exe  26
    PID 1164 wrote to memory of 796   1164  2ecc8d956dcef4f753a79989e5741210cc50b9f369e0f76145cd3e1e5144c4ee.exe  26
    PID 1164 wrote to memory of 796   1164  2ecc8d956dcef4f753a79989e5741210cc50b9f369e0f76145cd3e1e5144c4ee.exe  26
    PID 1164 wrote to memory of 796   1164  2ecc8d956dcef4f753a79989e5741210cc50b9f369e0f76145cd3e1e5144c4ee.exe  26
    PID 1164 wrote to memory of 796   1164  2ecc8d956dcef4f753a79989e5741210cc50b9f369e0f76145cd3e1e5144c4ee.exe  26
    PID 1164 wrote to memory of 796   1164  2ecc8d956dcef4f753a79989e5741210cc50b9f369e0f76145cd3e1e5144c4ee.exe  26
    PID 1164 wrote to memory of 796   1164  2ecc8d956dcef4f753a79989e5741210cc50b9f369e0f76145cd3e1e5144c4ee.exe  26
    PID 1164 wrote to memory of 796   1164  2ecc8d956dcef4f753a79989e5741210cc50b9f369e0f76145cd3e1e5144c4ee.exe  26

  Suspicious use of SetThreadContext (1 IoC)
    Description                         PID   Process                                                                   procid_target
    PID 1164 set thread context of 796  1164  2ecc8d956dcef4f753a79989e5741210cc50b9f369e0f76145cd3e1e5144c4ee.exe  26

  Suspicious use of AdjustPrivilegeToken (1 IoC)
    Description              PID   Process
    Token: SeDebugPrivilege  796   2ecc8d956dcef4f753a79989e5741210cc50b9f369e0f76145cd3e1e5144c4ee.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\2ecc8d956dcef4f753a79989e5741210cc50b9f369e0f76145cd3e1e5144c4ee.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2ecc8d956dcef4f753a79989e5741210cc50b9f369e0f76145cd3e1e5144c4ee.exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    PID: 1164

      C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cHwvvlaFUVIeYy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8F43.tmp"
        - Creates scheduled task(s)
        PID: 1512

      C:\Users\Admin\AppData\Local\Temp\2ecc8d956dcef4f753a79989e5741210cc50b9f369e0f76145cd3e1e5144c4ee.exe
        Command line: "{path}"
        - Suspicious behavior: RenamesItself
        - Suspicious use of AdjustPrivilegeToken
        PID: 796