Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
186s -
max time network
190s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
24/05/2022, 22:39
General
-
Target
cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
-
Size
3.1MB
-
MD5
143d0f36308fd6d510f611f37b9f0cb8
-
SHA1
0ef800088a40ccea4126512037e7326594bbabb4
-
SHA256
cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131
-
SHA512
9c628fd049dcd8e88b7433b16f2b59cf251ea1e384878aba2196ff0c97474bcfc03ab4f56cdccb11b141ede4950d3a40c4b5f945c3d1927ce7941d5277a2f9b9
Malware Config
Extracted
azorult
http://195.245.112.115/index.php
Extracted
raccoon
180d3985eb74eacf2de83c771fbf30a60f670ec0
-
url4cnc
https://telete.in/jrikitiki
Extracted
oski
levitt.ug
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Raccoon Stealer Payload 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe"C:\Users\Admin\AppData\Local\Temp\cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\KfdbwPiovb.exe"C:\Users\Admin\AppData\Local\Temp\KfdbwPiovb.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\KfdbwPiovb.exe"C:\Users\Admin\AppData\Local\Temp\KfdbwPiovb.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe"C:\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe"C:\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 13124⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe"C:\Users\Admin\AppData\Local\Temp\cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3984 -ip 39841⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD510a1fc9651aab1b4e9c3a2419519d65a
SHA14b7b9b6900ce5233b76eaedbb6159c89fd5c0a22
SHA25649b325558adee1f5055841af140be2f3137cd0b582438fe39bccfba2a4e76fda
SHA512582eed99a382e99ffb574be28ab7c227c08318035d9b2056e3fc66e95d07e963c7a29bc91f3479da80e7efb417bab4f07002e39e09e918c15b11fc422c795f0e
-
Filesize
1.1MB
MD510a1fc9651aab1b4e9c3a2419519d65a
SHA14b7b9b6900ce5233b76eaedbb6159c89fd5c0a22
SHA25649b325558adee1f5055841af140be2f3137cd0b582438fe39bccfba2a4e76fda
SHA512582eed99a382e99ffb574be28ab7c227c08318035d9b2056e3fc66e95d07e963c7a29bc91f3479da80e7efb417bab4f07002e39e09e918c15b11fc422c795f0e
-
Filesize
1.1MB
MD510a1fc9651aab1b4e9c3a2419519d65a
SHA14b7b9b6900ce5233b76eaedbb6159c89fd5c0a22
SHA25649b325558adee1f5055841af140be2f3137cd0b582438fe39bccfba2a4e76fda
SHA512582eed99a382e99ffb574be28ab7c227c08318035d9b2056e3fc66e95d07e963c7a29bc91f3479da80e7efb417bab4f07002e39e09e918c15b11fc422c795f0e
-
Filesize
956KB
MD57103d3b5536ccc75545f75ff1fcc1917
SHA16699646eab39a42befdcf6bd17c814294f0c70c8
SHA256b55f70f9082402d1396c997fb2bb6280c10e633a1532ac81e2210f06370bf0f1
SHA512a2bf331d443bb2b303e30a9982c1d004bdeff123946069791b40227e34dad281a3dd247e29f6a4e542414bf976268218771ebb0ae60898f60e72fa9dbb5d691c
-
Filesize
956KB
MD57103d3b5536ccc75545f75ff1fcc1917
SHA16699646eab39a42befdcf6bd17c814294f0c70c8
SHA256b55f70f9082402d1396c997fb2bb6280c10e633a1532ac81e2210f06370bf0f1
SHA512a2bf331d443bb2b303e30a9982c1d004bdeff123946069791b40227e34dad281a3dd247e29f6a4e542414bf976268218771ebb0ae60898f60e72fa9dbb5d691c
-
Filesize
956KB
MD57103d3b5536ccc75545f75ff1fcc1917
SHA16699646eab39a42befdcf6bd17c814294f0c70c8
SHA256b55f70f9082402d1396c997fb2bb6280c10e633a1532ac81e2210f06370bf0f1
SHA512a2bf331d443bb2b303e30a9982c1d004bdeff123946069791b40227e34dad281a3dd247e29f6a4e542414bf976268218771ebb0ae60898f60e72fa9dbb5d691c
-
Filesize
128KB
-
Filesize
588KB
-
Filesize
24KB
-
Filesize
208KB
-
Filesize
24KB
-
Filesize
32KB