Analysis

  • max time kernel
    136s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/07/2022, 04:29 UTC

General

  • Target

    c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe

  • Size

    986KB

  • MD5

    bed6f2b8bafe032b960236c89f41a550

  • SHA1

    a525078808532982d705dec0f4cf45575c0806c2

  • SHA256

    c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21

  • SHA512

    1db1a5dc53002e35bb32c7635eaea60546c5df09f44ea42f4b249c01798254d18a421ac9d3e337bd5e922bf7a03eb18478df003bdfc6d6fc53ad87b0ef68081c

Score
9/10

Malware Config

Signatures

  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 4 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 7 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe
    "C:\Users\Admin\AppData\Local\Temp\c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mpyqjbreTDGRch" /XML "C:\Users\Admin\AppData\Local\Temp\tmp686E.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4020
    • C:\Users\Admin\AppData\Local\Temp\c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe
      "C:\Users\Admin\AppData\Local\Temp\c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4804
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp9579.tmp"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2712
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp9991.tmp"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:3412

Network

  • DNS (flag: us)
    Domain: bot.whatismyipaddress.com
    Process: c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe
    Remote address: 8.8.8.8:53
    Request: bot.whatismyipaddress.com IN A
    Response:
  • 20.50.73.9:443
    322 B
    7
  • 8.8.8.8:53
    Domain: bot.whatismyipaddress.com
    Protocol: dns
    Process: c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe
    71 B
    130 B
    1
    1
    DNS Request: bot.whatismyipaddress.com

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\c80d5c154d99500876c36371ac28e77d5c4b48584c3447ad795dd4db51132f21.exe.log

    Filesize

    500B

    MD5

    f3bfbe5958adfc86cc0ea0a8317ea113

    SHA1

    3bf76848af2edafcacee5f9fb6a06b35a6724015

    SHA256

    598715cafd950c881e4fe318430b5830e95781f2093baa22f124cfad03320874

    SHA512

    873fb9861d615ec3298ccba8231ea3f2a22f2050fe68fea1a6948987942c04f6b40f0b92d5e59f6971cdb429b67877ac2e3cfc953949a0140e03c6cdb8a1139d

  • C:\Users\Admin\AppData\Local\Temp\tmp686E.tmp

    Filesize

    1KB

    MD5

    7f505e98d413c4ec12f381897231ae31

    SHA1

    35ae25353d36c332b374e8a7c3ec2044161f3a53

    SHA256

    036de86ca06b90c354e29ef6b197b6cf187f034e81a03671fb3681cf302a7b8a

    SHA512

    e8b6351139dd9bd8d78b79ba8b0419e5abcfca5cffb0cc758fb2d5b20b01caca5db54a40da197819500cf10ef9aaf06d9710b6cd981eb911fe69496034b9ec57

  • C:\Users\Admin\AppData\Local\Temp\tmp9579.tmp

    Filesize

    4KB

    MD5

    a64ef19cb7924d0ef7b27699e0237041

    SHA1

    b6392aa8451f0721fcadff793808f8630182e66e

    SHA256

    66635dcdbf3439d7e09ac3f043c0ff6792f1ec281070fea4618d9b5fb287cb56

    SHA512

    66f6ae0b27227cfaf57a28e8f592a899375f763d0dc1e4f0199444b52e026f04243761bb20af127a7815a5c59db3c9fe1c1ff2a3ef069b8eccff3eef68da284b

  • memory/2088-137-0x0000000074D30000-0x00000000752E1000-memory.dmp

    Filesize

    5.7MB

  • memory/2088-131-0x0000000074D30000-0x00000000752E1000-memory.dmp

    Filesize

    5.7MB

  • memory/2088-130-0x0000000074D30000-0x00000000752E1000-memory.dmp

    Filesize

    5.7MB

  • memory/2712-144-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

  • memory/2712-140-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

  • memory/2712-142-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

  • memory/2712-145-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

  • memory/3412-148-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/3412-150-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/3412-151-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/4804-138-0x0000000074D30000-0x00000000752E1000-memory.dmp

    Filesize

    5.7MB

  • memory/4804-143-0x0000000074D30000-0x00000000752E1000-memory.dmp

    Filesize

    5.7MB
