Analysis
max time kernel
62s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags
arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted
25/07/2022, 16:54
Static task
static1
Behavioral task
behavioral1
Sample
LIST OF PRODUCTS NEEDED.exe
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
LIST OF PRODUCTS NEEDED.exe
Resource
win10v2004-20220721-en
General
Target
LIST OF PRODUCTS NEEDED.exe
Size
1.1MB
MD5
af517807c4b6160d07314ba228f333de
SHA1
9020081ebc00595e57d5d40a742682f4de0b7671
SHA256
e97151ce51e9463bd45ad41571141614fc0ffc8a8cbf2c74f36c20028a769f41
SHA512
8647a9336ff7e33b60c7f9903d9214de5842bc195f4460870f9dda8205397ef9aaddf0a371ceb90b280e9b26017e53e0c10422844ce0f30fda14b7dccc310b00
Malware Config
Signatures
MassLogger
MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
MassLogger Main payload 1 IoCs
resource | yara_rule
behavioral2/memory/1100-133-0x0000000000400000-0x000000000048C000-memory.dmp | family_masslogger
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 4228 set thread context of 1100 | 4228 | LIST OF PRODUCTS NEEDED.exe | 84
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | dw20.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
Enumerates system info in registry 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
description | pid | Process
Token: SeRestorePrivilege | 1652 | dw20.exe
Token: SeBackupPrivilege | 1652 | dw20.exe
Token: SeBackupPrivilege | 1652 | dw20.exe
Token: SeBackupPrivilege | 1652 | dw20.exe
Token: SeBackupPrivilege | 1652 | dw20.exe
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 4228 wrote to memory of 1100 | 4228 | LIST OF PRODUCTS NEEDED.exe | 84
PID 4228 wrote to memory of 1100 | 4228 | LIST OF PRODUCTS NEEDED.exe | 84
PID 4228 wrote to memory of 1100 | 4228 | LIST OF PRODUCTS NEEDED.exe | 84
PID 4228 wrote to memory of 1100 | 4228 | LIST OF PRODUCTS NEEDED.exe | 84
PID 4228 wrote to memory of 1100 | 4228 | LIST OF PRODUCTS NEEDED.exe | 84
PID 4228 wrote to memory of 1100 | 4228 | LIST OF PRODUCTS NEEDED.exe | 84
PID 4228 wrote to memory of 1100 | 4228 | LIST OF PRODUCTS NEEDED.exe | 84
PID 4228 wrote to memory of 1100 | 4228 | LIST OF PRODUCTS NEEDED.exe | 84
PID 1100 wrote to memory of 1652 | 1100 | RegSvcs.exe | 85
PID 1100 wrote to memory of 1652 | 1100 | RegSvcs.exe | 85
PID 1100 wrote to memory of 1652 | 1100 | RegSvcs.exe | 85
Processes
Process (tree level 1): C:\Users\Admin\AppData\Local\Temp\LIST OF PRODUCTS NEEDED.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\LIST OF PRODUCTS NEEDED.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 4228
Process (tree level 2): C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Command line: "{path}"
- Suspicious use of WriteProcessMemory
PID: 1100
Process (tree level 3): C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Command line: dw20.exe -x -s 760
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID: 1652