Analysis

  • max time kernel
    72s
  • max time network
    99s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    30/06/2022, 18:04 UTC

General

  • Target

    10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909.exe

  • Size

    1.1MB

  • MD5

    ef826a08ca7e802e0a5a5c61b58b2a80

  • SHA1

    467f33a80dd20e33c0f89ebd69d265cbe109556d

  • SHA256

    10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909

  • SHA512

    cd51bec962ba2aa24ea5747111b9bf292591009cef084facaf56278ab338964b3149a2e6f9d4c2e17ceba15c2095d6af0081c7175ea841a661ca3fe9ef1c3dac

Malware Config

Signatures

  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

  • MassLogger Main Payload 4 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909.exe
    "C:\Users\Admin\AppData\Local\Temp\10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Users\Admin\AppData\Local\Temp\10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909.exe
      "C:\Users\Admin\AppData\Local\Temp\10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909.exe"
      2⤵
      • Checks computer location settings
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:608
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1352

Network

  • DNS lookup (remote address 8.8.8.8:53, US) for api.ipify.org, issued by 10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909.exe
    Request:
    api.ipify.org IN A
    Response:
    api.ipify.org IN CNAME api.ipify.org.herokudns.com
    api.ipify.org.herokudns.com IN A 3.232.242.170
    api.ipify.org.herokudns.com IN A 54.91.59.199
    api.ipify.org.herokudns.com IN A 52.20.78.240
    api.ipify.org.herokudns.com IN A 3.220.57.224
  • 3.232.242.170:80
    api.ipify.org
    10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909.exe
    104 B
    2
  • 8.8.8.8:53
    api.ipify.org
    dns
    10979f9fbee39c33046e940c5893569a1963d3c82de2627394e940ea070f0909.exe
    59 B
    164 B
    1
    1

    DNS Request

    api.ipify.org

    DNS Response

    3.232.242.170
    54.91.59.199
    52.20.78.240
    3.220.57.224

MITRE ATT&CK Enterprise v6

Downloads

  • memory/608-59-0x0000000000400000-0x000000000051E000-memory.dmp

    Filesize

    1.1MB

  • memory/608-60-0x0000000001ED0000-0x0000000001F56000-memory.dmp

    Filesize

    536KB

  • memory/608-58-0x0000000001ED0000-0x0000000001F56000-memory.dmp

    Filesize

    536KB

  • memory/608-62-0x0000000000400000-0x000000000051E000-memory.dmp

    Filesize

    1.1MB

  • memory/608-65-0x0000000004C05000-0x0000000004C16000-memory.dmp

    Filesize

    68KB

  • memory/900-54-0x00000000751C1000-0x00000000751C3000-memory.dmp

    Filesize

    8KB

  • memory/900-56-0x00000000003E0000-0x00000000003F0000-memory.dmp

    Filesize

    64KB

  • memory/1352-66-0x000000006E8F0000-0x000000006EE9B000-memory.dmp

    Filesize

    5.7MB

  • memory/1352-67-0x000000006E8F0000-0x000000006EE9B000-memory.dmp

    Filesize

    5.7MB
