Analysis

  • max time kernel
    148s
  • max time network
    86s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/07/2022, 13:47 UTC

General

  • Target

    03e81c8df40db6549e905d8832fa1b80.exe

  • Size

    359KB

  • MD5

    03e81c8df40db6549e905d8832fa1b80

  • SHA1

    8653cebf8079fa38d845d12e424bcde4afd625b4

  • SHA256

    d98129981f18ffdf2db5edd0fc09442cc35ac1458971ca0ed14fe58dcd0dd3e0

  • SHA512

    b2999496aa5eb2ca90603a458d96523fc5795365c86e71d5a03cf79b2764ec572d4f1da15207836a78ec0df1b703b0efad46643945ffd5225c607abe5327c9e0

Score
10/10

Malware Config

Extracted

Family

arkei

Botnet

Default

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03e81c8df40db6549e905d8832fa1b80.exe
    "C:\Users\Admin\AppData\Local\Temp\03e81c8df40db6549e905d8832fa1b80.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Users\Admin\AppData\Local\Temp\03e81c8df40db6549e905d8832fa1b80.exe
      "C:\Users\Admin\AppData\Local\Temp\03e81c8df40db6549e905d8832fa1b80.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1064
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 464
        3⤵
        • Program crash
        PID:828

Network

  • flag-us
    DNS
    moneyd.link
    03e81c8df40db6549e905d8832fa1b80.exe
    Remote address:
    8.8.8.8:53
    Request
    moneyd.link
    IN A
    Response
    moneyd.link
    IN A
    176.53.160.10
  • flag-ru
    GET
    http://moneyd.link/8sd87v7.php
    03e81c8df40db6549e905d8832fa1b80.exe
    Remote address:
    176.53.160.10:80
    Request
    GET /8sd87v7.php HTTP/1.1
    Host: moneyd.link
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sun, 31 Jul 2022 13:48:13 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Set-Cookie: PHPSESSID=g8q00j3b2nqtt8bgsgv1qrqubi; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Content-Length: 28
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • 176.53.160.10:80
    http://moneyd.link/8sd87v7.php
    http
    03e81c8df40db6549e905d8832fa1b80.exe
    327 B
    495 B
    5
    3

    HTTP Request

    GET http://moneyd.link/8sd87v7.php

    HTTP Response

    200
  • 176.53.160.10:80
    moneyd.link
    03e81c8df40db6549e905d8832fa1b80.exe
    152 B
    3
  • 176.53.160.10:80
    moneyd.link
    03e81c8df40db6549e905d8832fa1b80.exe
    152 B
    3
  • 8.8.8.8:53
    moneyd.link
    dns
    03e81c8df40db6549e905d8832fa1b80.exe
    57 B
    73 B
    1
    1

    DNS Request

    moneyd.link

    DNS Response

    176.53.160.10

MITRE ATT&CK Matrix

Downloads

  • memory/1064-54-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/1064-57-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/1064-60-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/1064-61-0x00000000753E1000-0x00000000753E3000-memory.dmp

    Filesize

    8KB

  • memory/1064-63-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/1220-58-0x000000000051E000-0x000000000053F000-memory.dmp

    Filesize

    132KB

  • memory/1220-59-0x00000000002C0000-0x00000000002EA000-memory.dmp

    Filesize

    168KB
