Analysis
max time kernel: 145s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/08/2022, 18:07
Behavioral tasks
behavioral1: sample 56b6e17006b25ce5586d1441a2db7cc8.exe, resource win7-20220715-en
behavioral2: sample 56b6e17006b25ce5586d1441a2db7cc8.exe, resource win10v2004-20220721-en
The signatures, memory dumps and PIDs below come from behavioral2 (the Windows 10 run); no results from the Windows 7 run appear on this page.
General
Target: 56b6e17006b25ce5586d1441a2db7cc8.exe
Size: 2.8MB
MD5: 56b6e17006b25ce5586d1441a2db7cc8
SHA1: 65163f385f5180a1dee189044d1df296af61ce70
SHA256: 31f20e519939289560661eb6fe04be9f73bbf17c3c22a9b8087c59e60bae8873
SHA512: 171fb597dcffe783024452460fad8e37af7fd87ab003674917085a468fddba9e1a9436d2a8b318420602705d44061153a8f18c79380a9df5f360f150af1d77f5
Malware Config
Extracted family: blustealer
C2: https://api.telegram.org/bot5449766717:AAHzRorvKI5URgvleGHlq6ZvqElY68-XL18/sendMessage?chat_id=1293496579
The stealer reports over the Telegram Bot API: the path carries the operator's bot token (bot id 5449766717 plus the secret after the colon) and chat_id=1293496579 is the chat the stolen data is posted to. The token is a live credential for that bot, so share the bot id and chat id as indicators and handle the full token as a secret. For proxy or DNS matching, key on the /bot5449766717: path prefix rather than on the host alone, since api.telegram.org is shared by every legitimate bot.
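The URL above is the entire C2 configuration. As an added example (not Triage's code and not BluStealer's), the script below parses it into bot id, secret, method and chat id, checks that it really is a Bot API call, and builds a sharable indicator set with the token masked. The URL is embedded as constructed input copied from this report; the function and field names are mine.

```python
"""Added example, not part of the Triage report: parse a Telegram Bot API C2
URL of the shape https://api.telegram.org/bot<bot_id>:<secret>/<method>?chat_id=<id>
into indicators a defender can share without leaking the bot token.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed input: the C2 value shown on the report page.
C2_URL = ("https://api.telegram.org/bot5449766717:AAHzRorvKI5URgvleGHlq6ZvqElY68-XL18"
          "/sendMessage?chat_id=1293496579")

# Bot tokens are "<numeric bot id>:<35-char secret>"; the method follows as a path segment.
_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)$")


def parse_telegram_c2(url):
    """Split a Telegram Bot API URL into its components.

    Raises ValueError for anything that is not a Bot API call, so a caller that
    feeds it arbitrary strings from extracted configs fails closed.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "api.telegram.org":
        raise ValueError(f"not a Telegram Bot API URL: {url}")
    m = _PATH_RE.match(parts.path)
    if not m:
        raise ValueError(f"unexpected Bot API path: {parts.path}")
    query = parse_qs(parts.query)
    return {
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",
        "method": m["method"],
        "chat_id": query.get("chat_id", [None])[0],
    }


def redact_token(token):
    """Keep the numeric bot id (stable across samples that reuse the bot) and
    mask all but the first four characters of the secret."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"


def c2_indicators(url):
    """Indicator set safe to share: host, a path prefix that matches in proxy
    logs without containing the secret, bot id, chat id and the masked token."""
    c2 = parse_telegram_c2(url)
    return {
        "host": "api.telegram.org",
        "path_prefix": f"/bot{c2['bot_id']}:",
        "bot_id": c2["bot_id"],
        "chat_id": c2["chat_id"],
        "method": c2["method"],
        "token_redacted": redact_token(c2["token"]),
    }


if __name__ == "__main__":
    for name, value in c2_indicators(C2_URL).items():
        print(f"{name:15} {value}")
```

The path-prefix indicator is the one to put in a proxy rule: it identifies this operator's bot on every future sample that reuses the token, and it does not itself contain the secret.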
Signatures

BluStealer
A modular information stealer written in Visual Basic.

Identifies VirtualBox via ACPI registry values (likely anti-VM)  2 TTPs, 1 IoC
The VBOX__ subkeys under HARDWARE\ACPI are derived from the OEM id VirtualBox writes into the guest's ACPI tables, so an ordinary program has no reason to open this key; its presence is the VirtualBox check.
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  56b6e17006b25ce5586d1441a2db7cc8.exe
Checks BIOS information in registry  2 TTPs, 2 IoCs
BIOS information is often read in order to detect sandboxing environments: on a VirtualBox guest SystemBiosVersion contains a VBOX string, and other hypervisors leave their own vendor strings in these values.
description  ioc  process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  56b6e17006b25ce5586d1441a2db7cc8.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  56b6e17006b25ce5586d1441a2db7cc8.exe
Yara rule themida matched in memory  3 IoCs
Themida protector markers matched in the main image of PID 4568 (0x00400000-0x00AB0000) in three successive dumps. The protected image on disk is not worth reversing directly; the later dumps are where to look for the unpacked code.
resource  yara_rule
behavioral2/memory/4568-130-0x0000000000400000-0x0000000000AB0000-memory.dmp  themida
behavioral2/memory/4568-133-0x0000000000400000-0x0000000000AB0000-memory.dmp  themida
behavioral2/memory/4568-139-0x0000000000400000-0x0000000000AB0000-memory.dmp  themida
Accesses Microsoft Outlook profiles  1 TTP, 3 IoCs
These reads come from AppLaunch.exe (PID 2572), the injected child, not from the original executable. 9375CFF0413111d3B88A00104B2A6676 is the MAPI profile subkey that holds Outlook account settings, including stored mail credentials, which is what a stealer is after.
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  AppLaunch.exe
Key opened  \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  AppLaunch.exe
Key opened  \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  AppLaunch.exe

Checks whether UAC is enabled  1 IoC
EnableLUA=0 means UAC consent prompts are disabled; the process list attributes this check to PID 4568.
description  ioc  process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  56b6e17006b25ce5586d1441a2db7cc8.exe
Suspicious use of NtSetInformationThreadHideFromDebugger  1 IoC
ThreadHideFromDebugger stops the thread from delivering debug events to an attached debugger, a standard anti-debug trick; together with the VM and BIOS checks above it forms the sample's anti-analysis layer.
pid  process
4568  56b6e17006b25ce5586d1441a2db7cc8.exe

Suspicious use of SetThreadContext  1 IoC
PID 4568 sets the thread context of PID 2572, the AppLaunch.exe child it spawned. Combined with the WriteProcessMemory calls into the same process listed below, this is the injection that moves the stealer payload into AppLaunch.exe.
description  pid  process  procid_target
PID 4568 set thread context of 2572  4568  56b6e17006b25ce5586d1441a2db7cc8.exe  85

Enumerates physical storage devices  1 TTP
Attempts to interact with connected storage/optical drive(s). The generic signature text calls this likely ransomware behaviour; for an information stealer the same enumeration is at least as consistent with walking drives to harvest files, so weigh it with the other signatures rather than on its own.
Suspicious use of SetWindowsHookEx  1 IoC
pid  process
4568  56b6e17006b25ce5586d1441a2db7cc8.exe

Suspicious use of WriteProcessMemory  5 IoCs
All five writes go from PID 4568 into PID 2572 (AppLaunch.exe), the same target as the SetThreadContext call above.
description  pid  process  procid_target
PID 4568 wrote to memory of 2572  4568  56b6e17006b25ce5586d1441a2db7cc8.exe  85
PID 4568 wrote to memory of 2572  4568  56b6e17006b25ce5586d1441a2db7cc8.exe  85
PID 4568 wrote to memory of 2572  4568  56b6e17006b25ce5586d1441a2db7cc8.exe  85
PID 4568 wrote to memory of 2572  4568  56b6e17006b25ce5586d1441a2db7cc8.exe  85
PID 4568 wrote to memory of 2572  4568  56b6e17006b25ce5586d1441a2db7cc8.exe  85
outlook_office_path  1 IoC
outlook_win_path  1 IoC
These two path signatures fire on keys already listed under "Accesses Microsoft Outlook profiles" (the Office 16.0 profile and the Windows Messaging Subsystem profile); they add no new indicator.
description  ioc  process  signature
Key opened  \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  AppLaunch.exe  outlook_office_path
Key opened  \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  AppLaunch.exe  outlook_win_path
Processes
1  "C:\Users\Admin\AppData\Local\Temp\56b6e17006b25ce5586d1441a2db7cc8.exe"  PID 4568
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  PID 2572, child of 4568
      - Accesses Microsoft Outlook profiles
      - outlook_office_path
      - outlook_win_path
AppLaunch.exe is the 32-bit .NET 4 host, started here with no arguments. An executable in a user's Temp directory spawning it and then writing to its memory is the pattern to hunt for in process-create and process-access telemetry, because the Outlook credential access happens inside AppLaunch.exe rather than in the dropper.
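The signatures and this process tree describe the behaviour as registry paths and PID pairs. The script below is an added example, not part of the Triage report or of BluStealer: it encodes those patterns as rules and runs them over event records constructed from the report's own tables, then ties the injection into AppLaunch.exe to the Outlook profile reads that follow. The record field names (pid, image, op, key, target) are my own, not Triage's export format, and the VirtualBox rule goes slightly beyond the page by also covering the FADT and RSDT tables, which VirtualBox tags with the same VBOX__ OEM id.

```python
"""Added example, not part of the Triage report or of BluStealer: encode the
registry paths and PID pairs from the signatures as rules and run them over
event records, so the same logic can be pointed at other sandbox or EDR output.

EVENTS is constructed from the report's IoC tables. The record fields (pid,
image, op, key, target) are my own naming, not Triage's export format. The
VirtualBox rule also covers the FADT and RSDT tables, which VirtualBox tags
with the same VBOX__ OEM id; the report itself only shows DSDT.
"""
import re
from collections import defaultdict

MAIN = "56b6e17006b25ce5586d1441a2db7cc8.exe"
HOST = "AppLaunch.exe"
USER_HIVE = r"\REGISTRY\USER" + "\\" + "S-1-5-21-1101907861-274115917-2188613224-1000"
PROFILE = r"\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"

# (category, pattern over the registry path as the sandbox reports it)
REGISTRY_RULES = [
    ("anti-vm:virtualbox-acpi",
     re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I)),
    ("anti-sandbox:bios-version",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("recon:uac-status",
     re.compile(r"\\Policies\\System\\EnableLUA$", re.I)),
    ("credential-access:outlook-profile",
     re.compile(r"\\(Office\\\d+\.\d+\\Outlook|Windows Messaging Subsystem)\\Profiles\\", re.I)),
]


def reg(pid, image, op, key):
    return {"pid": pid, "image": image, "op": op, "key": key}


def proc(pid, image, op, target):
    return {"pid": pid, "image": image, "op": op, "target": target}


# Constructed from the report's tables, one record per IoC row.
EVENTS = [
    reg(4568, MAIN, "key_opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    reg(4568, MAIN, "value_queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    reg(4568, MAIN, "value_queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    reg(4568, MAIN, "value_queried",
        r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    proc(4568, MAIN, "set_thread_context", 2572),
    *[proc(4568, MAIN, "write_process_memory", 2572) for _ in range(5)],
    reg(2572, HOST, "key_opened", USER_HIVE + r"\Software\Microsoft\Office\15.0\Outlook" + PROFILE),
    reg(2572, HOST, "key_opened", USER_HIVE + r"\Software\Microsoft\Office\16.0\Outlook" + PROFILE),
    reg(2572, HOST, "key_opened",
        USER_HIVE + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem" + PROFILE),
]


def classify_registry(key):
    """First matching category for a registry path, or None."""
    for category, pattern in REGISTRY_RULES:
        if pattern.search(key):
            return category
    return None


def registry_findings(events):
    """pid -> sorted list of categories its registry reads triggered."""
    found = defaultdict(set)
    for ev in events:
        if ev["op"] in ("key_opened", "value_queried"):
            category = classify_registry(ev["key"])
            if category:
                found[ev["pid"]].add(category)
    return {pid: sorted(cats) for pid, cats in found.items()}


def injection_pairs(events):
    """(source, target) pairs where one process both wrote the other's memory
    and set its thread context: the injection pattern in the report."""
    writes = {(e["pid"], e["target"]) for e in events if e["op"] == "write_process_memory"}
    contexts = {(e["pid"], e["target"]) for e in events if e["op"] == "set_thread_context"}
    return sorted(writes & contexts)


def stealer_chain(events):
    """Injection targets that go on to touch credential stores:
    [(source_pid, target_pid, [credential categories])]."""
    findings = registry_findings(events)
    chain = []
    for src, dst in injection_pairs(events):
        creds = [c for c in findings.get(dst, []) if c.startswith("credential-access:")]
        if creds:
            chain.append((src, dst, creds))
    return chain


if __name__ == "__main__":
    for pid, cats in registry_findings(EVENTS).items():
        print(pid, ", ".join(cats))
    print("injection:", injection_pairs(EVENTS))
    print("stealer chain:", stealer_chain(EVENTS))
```

Requiring both a memory write and a thread-context change before calling a pair an injection keeps ordinary parent-child behaviour (a debugger attaching, a crash handler reading memory) out of the result; the chain function then only reports an injected process that actually went for credential stores, which is the combination this report shows.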