Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

17c6f4e45d...3f.exe

windows7_x64

10

17c6f4e45d...3f.exe

windows10-2004_x64

10

Resubmissions

19/01/2022, 16:33

220119-t2qacsbeh6 10

25/11/2021, 12:35

211125-pskw3aaee2 8

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    19/01/2022, 16:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    17c6f4e45d44bd4c06212139f521976b87ed5a6ddcd0e4e5e978e64dabb3883f.exe

  • Size

    6.5MB

  • MD5

    b16e827ee8db29cb90c85570f41b9409

  • SHA1

    ae319c1b25eebe9b6256d9efce5da495e7483c77

  • SHA256

    17c6f4e45d44bd4c06212139f521976b87ed5a6ddcd0e4e5e978e64dabb3883f

  • SHA512

    496e5e096ca6dde20dbe220cd7a628fdee4803a0ba82b961e322b206cf65f7b0b5748ff51f5fd2dec26e3329ae6208f12d570ea7158cbe08d8ddf2ed4e7684c1

Score
10/10
arkeibabadedadefaultcrypterloaderstealer

Malware Config

Extracted

Family

arkei

Botnet

Default

C2

http://185.215.113.39/7vlcKuayFx.php

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

    stealerarkei
  • Babadeda

    Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

    loadercrypterbabadeda
  • Babadeda Crypter 1 IoCs
  • Arkei Stealer Payload 1 IoCs
    stealer
  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 11 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17c6f4e45d44bd4c06212139f521976b87ed5a6ddcd0e4e5e978e64dabb3883f.exe
    "C:\Users\Admin\AppData\Local\Temp\17c6f4e45d44bd4c06212139f521976b87ed5a6ddcd0e4e5e978e64dabb3883f.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AdoptOpenJDK\OpenJDK Security 11 0.0.1.7\install\AC3E5AF\adv.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\17c6f4e45d44bd4c06212139f521976b87ed5a6ddcd0e4e5e978e64dabb3883f.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1642350649 " AI_EUIMSI=""
      2⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • Suspicious use of FindShellTrayWindow
      PID:804
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1228
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 7115A5FCC253D0D9855E89B64D0E1C99 C
      2⤵
      • Loads dropped DLL
      PID:1464
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 9656DB17B242F37427DFE924F46B91AD
      2⤵
      • Loads dropped DLL
      PID:1164
    • C:\Users\Admin\AppData\Roaming\AdoptOpenJDK\OpenJDK Security 11\evreporter.exe
      "C:\Users\Admin\AppData\Roaming\AdoptOpenJDK\OpenJDK Security 11\evreporter.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1460

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1228-56-0x000007FEFC061000-0x000007FEFC063000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1460-123-0x0000000000400000-0x0000000000BBD000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1712-53-0x0000000076911000-0x0000000076913000-memory.dmp

    Filesize

    8KB

    Download