Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

19/01/2022, 16:33

220119-t2qacsbeh6 10

25/11/2021, 12:35

211125-pskw3aaee2 8

Analysis

  • max time kernel
    116s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    19/01/2022, 16:33

General

  • Target

    17c6f4e45d44bd4c06212139f521976b87ed5a6ddcd0e4e5e978e64dabb3883f.exe

  • Size

    6.5MB

  • MD5

    b16e827ee8db29cb90c85570f41b9409

  • SHA1

    ae319c1b25eebe9b6256d9efce5da495e7483c77

  • SHA256

    17c6f4e45d44bd4c06212139f521976b87ed5a6ddcd0e4e5e978e64dabb3883f

  • SHA512

    496e5e096ca6dde20dbe220cd7a628fdee4803a0ba82b961e322b206cf65f7b0b5748ff51f5fd2dec26e3329ae6208f12d570ea7158cbe08d8ddf2ed4e7684c1

Malware Config

Extracted

Family

arkei

Botnet

Default

C2

http://185.215.113.39/7vlcKuayFx.php

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

  • Babadeda

    Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

  • Babadeda Crypter 1 IoCs
  • Arkei Stealer Payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 12 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17c6f4e45d44bd4c06212139f521976b87ed5a6ddcd0e4e5e978e64dabb3883f.exe
    "C:\Users\Admin\AppData\Local\Temp\17c6f4e45d44bd4c06212139f521976b87ed5a6ddcd0e4e5e978e64dabb3883f.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3436
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AdoptOpenJDK\OpenJDK Security 11 0.0.1.7\install\AC3E5AF\adv.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\17c6f4e45d44bd4c06212139f521976b87ed5a6ddcd0e4e5e978e64dabb3883f.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1642583361 " AI_EUIMSI=""
      2⤵
      • Enumerates connected drives
      • Suspicious use of FindShellTrayWindow
      PID:3568
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3160
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 6D70C2EE388F4E6BB23A96561B9B96D2 C
      2⤵
      • Loads dropped DLL
      PID:220
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 44D50668F87EDE119406E57C3F64F75F
      2⤵
      • Loads dropped DLL
      PID:2808
    • C:\Users\Admin\AppData\Roaming\AdoptOpenJDK\OpenJDK Security 11\evreporter.exe
      "C:\Users\Admin\AppData\Roaming\AdoptOpenJDK\OpenJDK Security 11\evreporter.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:3172

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3172-220-0x0000000000400000-0x0000000000BBD000-memory.dmp

    Filesize

    7.7MB