Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

15/09/2022, 17:59

220915-wkw3padgb3 3

15/09/2022, 17:56

220915-wh3gpadga8 3

22/07/2022, 19:25

220722-x4ylashdfl 10

22/07/2022, 17:20

220722-vwqvdaggfl 10

Analysis

  • max time kernel
    42s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    22/07/2022, 17:20

General

  • Target

    ORDER3763873.exe

  • Size

    13KB

  • MD5

    fcf1a0e7b406505e0aaa094393d45d72

  • SHA1

    cde2a1b3ef89f2b4c7a2048fa2d959e02c29008e

  • SHA256

    352dd25fbf999c5e12526187390be9af7019db7c165f2e9e76fe7d1cd4bece3b

  • SHA512

    5db78c6c157174cac8f010e8cf00d412a10703dd543ad224c7d81cb9b65b0a03891be95615dc57165761d433a673f316495e825e7a615d57b08b846fb3e52304

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5432809476:AAHtE5EDW3VQZZBLnEbEZpHEIJz5LbF0no/sendMessage?chat_id=5571556378

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

  • Downloads MZ/PE file
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ORDER3763873.exe
    "C:\Users\Admin\AppData\Local\Temp\ORDER3763873.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Users\Admin\AppData\Local\Temp\ORDER3763873.exe
      "C:\Users\Admin\AppData\Local\Temp\ORDER3763873.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        3⤵
        • Accesses Microsoft Outlook profiles
        • outlook_office_path
        • outlook_win_path
        PID:1912

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1604-55-0x0000000075A81000-0x0000000075A83000-memory.dmp

    Filesize

    8KB

  • memory/1604-56-0x0000000000460000-0x0000000000472000-memory.dmp

    Filesize

    72KB

  • memory/1604-54-0x0000000000F40000-0x0000000000F4A000-memory.dmp

    Filesize

    40KB

  • memory/1912-70-0x0000000000090000-0x00000000000F6000-memory.dmp

    Filesize

    408KB

  • memory/1912-79-0x0000000000E80000-0x0000000000F3C000-memory.dmp

    Filesize

    752KB

  • memory/1912-77-0x0000000000090000-0x00000000000F6000-memory.dmp

    Filesize

    408KB

  • memory/1912-75-0x0000000000090000-0x00000000000F6000-memory.dmp

    Filesize

    408KB

  • memory/1912-72-0x0000000000090000-0x00000000000F6000-memory.dmp

    Filesize

    408KB

  • memory/1980-58-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/1980-69-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/1980-65-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/1980-62-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/1980-60-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/1980-57-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/1980-80-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB