Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

cleaner.exe

windows7_x64

10

cleaner.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    64s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    06/03/2022, 12:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cleaner.exe

  • Size

    2.6MB

  • MD5

    38892c681fbfba55e79f825cad8b0674

  • SHA1

    ee1e86add82844c30c003899ea819d5edcd07df3

  • SHA256

    76b90299713b5d4ffd3c92b2cd66b3de68148c3133f927dfa385b075fd00d5b1

  • SHA512

    4f013a16318f6b16cc1b1c38e0911d073752e1081a7f8f799cf2b192282d408a1a423eb8b11438685221e988b3c8e3f9be3d2e13b1e3d424a051691dbbe70b1c

Score
10/10
blackguardspywarestealer

Malware Config

Extracted

Family

blackguard

C2

https://api.telegram.org/bot1840568117:AAGlvKQeSfXkObSE7__yYc5jM9o8qSrkFUw/sendMessage?chat_id=1039923904

Signatures

  • BlackGuard

    Infostealer first seen in Late 2021.

    stealerblackguard
  • Downloads MZ/PE file
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cleaner.exe
    "C:\Users\Admin\AppData\Local\Temp\cleaner.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1784
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1784 -s 2272
      2⤵
      • Program crash
      PID:2804
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 424 -p 1784 -ip 1784
    1⤵
      PID:2904

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1784-130-0x000001F3C7700000-0x000001F3C79A4000-memory.dmp

      Filesize

      2.6MB

      Download

    • memory/1784-131-0x00007FFC4F680000-0x00007FFC50141000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1784-132-0x000001F3E3440000-0x000001F3E3442000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1784-133-0x000001F3E5750000-0x000001F3E57A0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/1784-134-0x000001F3E57A0000-0x000001F3E57C2000-memory.dmp

      Filesize

      136KB

      Download