Resubmissions

  Date                Analysis ID         Score
  13/01/2022, 13:19   220113-qkhx6sade2   4
  12/09/2021, 07:40   210912-jhysaacbd3   10
  12/09/2021, 07:40   210912-jhp55sfbbr   10
  12/09/2021, 07:39   210912-jhc6kscbd2   10
  12/09/2021, 07:39   210912-jg161sfbbp   10
  12/09/2021, 07:38   210912-jgmnmafbbn   10

Analysis

  • max time kernel: 1443s
  • max time network: 1447s
  • platform: windows7_x64
  • resource: win7v20210408
  • submitted: 12/09/2021, 07:39

General

  • Target: Dot.Tk.123.ticket.keygen.by.CORE.bin.exe
  • Size: 6.2MB
  • MD5: 0cb3efeb5d9312e068c57e7e55affed7
  • SHA1: aad1c65d257c7d2929ffb916114bc532feba0a16
  • SHA256: a974231d8889e05fedfbe73b5cc58e414de6fd5031765c998a24ac326f35b0b2
  • SHA512: 236ce9aa9e71f279e7833c4f0afbad15a2de4aaf62e78a82f1132224951f25f0a184aacfe5c963a20481c20cdb12e1a56e6aaf662f4a07c756abe0c539488898

Malware Config

Extracted
  • Family: azorult
  • C2: http://kvaka.li/1210776429.php

Extracted
  • Family: redline
  • Botnet: newmixnew
  • C2: 94.140.115.194:31858

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 2 IoCs
  • suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M3

  • Downloads MZ/PE file
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 15 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dot.Tk.123.ticket.keygen.by.CORE.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\Dot.Tk.123.ticket.keygen.by.CORE.bin.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1620
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
        keygen-pr.exe -p83fsase3Ge
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1396
        • C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1608
          • C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
            C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat
            5⤵
              PID:428
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exe
          keygen-step-6.exe
          3⤵
          • Executes dropped EXE
          • Modifies system certificate store
          • Suspicious use of WriteProcessMemory
          PID:1320
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exe" >> NUL
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:948
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              5⤵
              • Runs ping.exe
              PID:272
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
          keygen-step-1.exe
          3⤵
          • Executes dropped EXE
          PID:512
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
          keygen-step-4.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1680
          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\KiffAppE2.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX1\KiffAppE2.exe"
            4⤵
            • Executes dropped EXE
            • Modifies system certificate store
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1964
            • C:\Users\Admin\Documents\PlsWnEU2.exe
              "C:\Users\Admin\Documents\PlsWnEU2.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:972
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
          keygen-step-3.exe
          3⤵
          • Executes dropped EXE
          PID:1632

    Downloads

    • memory/972-121-0x00000000022D2000-0x00000000022D3000-memory.dmp  (4KB)
    • memory/972-120-0x00000000020F0000-0x0000000002110000-memory.dmp  (128KB)
    • memory/972-122-0x00000000022D3000-0x00000000022D4000-memory.dmp  (4KB)
    • memory/972-119-0x0000000002040000-0x0000000002062000-memory.dmp  (136KB)
    • memory/972-118-0x00000000022D1000-0x00000000022D2000-memory.dmp  (4KB)
    • memory/972-117-0x0000000000400000-0x0000000000459000-memory.dmp  (356KB)
    • memory/972-123-0x00000000022D4000-0x00000000022D6000-memory.dmp  (8KB)
    • memory/972-116-0x0000000000270000-0x00000000002BE000-memory.dmp  (312KB)
    • memory/1096-60-0x0000000075201000-0x0000000075203000-memory.dmp  (8KB)
    • memory/1320-87-0x0000000000080000-0x0000000000098000-memory.dmp  (96KB)
    • memory/1608-109-0x00000000023C0000-0x000000000255C000-memory.dmp  (1.6MB)
    • memory/1964-112-0x000000001B8E0000-0x000000001B8E2000-memory.dmp  (8KB)
    • memory/1964-107-0x00000000010D0000-0x00000000010D1000-memory.dmp  (4KB)
    • memory/1964-124-0x000000001B8E6000-0x000000001B905000-memory.dmp  (124KB)