Resubmissions
- 15/09/2022, 17:59: 220915-wkw3padgb3 (score 3)
- 15/09/2022, 17:56: 220915-wh3gpadga8 (score 3)
- 22/07/2022, 19:25: 220722-x4ylashdfl (score 10)
- 22/07/2022, 17:20: 220722-vwqvdaggfl (score 10)

Analysis
- max time kernel: 42s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 22/07/2022, 17:20
Static task
- static1

Behavioral task
- behavioral1
  - Sample: ORDER3763873.exe
  - Resource: win7-20220718-en

Behavioral task
- behavioral2
  - Sample: ORDER3763873.exe
  - Resource: win10v2004-20220721-en
General
- Target: ORDER3763873.exe
- Size: 13KB
- MD5: fcf1a0e7b406505e0aaa094393d45d72
- SHA1: cde2a1b3ef89f2b4c7a2048fa2d959e02c29008e
- SHA256: 352dd25fbf999c5e12526187390be9af7019db7c165f2e9e76fe7d1cd4bece3b
- SHA512: 5db78c6c157174cac8f010e8cf00d412a10703dd543ad224c7d81cb9b65b0a03891be95615dc57165761d433a673f316495e825e7a615d57b08b846fb3e52304
Malware Config
- Extracted: blustealer
  - https://api.telegram.org/bot5432809476:AAHtE5EDW3VQZZBLnEbEZpHEIJz5LbF0no/sendMessage?chat_id=5571556378
Signatures
- BluStealer
  A modular information stealer written in Visual Basic.
- Downloads MZ/PE file
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  - Key opened \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: AppLaunch.exe)
  - Key opened \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: AppLaunch.exe)
  - Key opened \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: AppLaunch.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 1604 set thread context of 1980 (pid 1604, ORDER3763873.exe, procid_target 28)
  - PID 1980 set thread context of 1912 (pid 1980, ORDER3763873.exe, procid_target 29)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeDebugPrivilege (pid 1604, ORDER3763873.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  - pid 1980, ORDER3763873.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  - PID 1604 wrote to memory of 1980 (pid 1604, ORDER3763873.exe, procid_target 28), 9 occurrences
  - PID 1980 wrote to memory of 1912 (pid 1980, ORDER3763873.exe, procid_target 29), 9 occurrences
- outlook_office_path (1 IoC)
  - Key opened \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: AppLaunch.exe)
- outlook_win_path (1 IoC)
  - Key opened \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: AppLaunch.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\ORDER3763873.exe (PID 1604)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER3763873.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ORDER3763873.exe (PID 1980, child of 1604)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER3763873.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 1912, child of 1980)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      - Accesses Microsoft Outlook profiles
      - outlook_office_path
      - outlook_win_path