Analysis

  • max time kernel
    151s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220722-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/08/2022, 06:54 UTC

General

  • Target

    45061e4da841c2587d0890148705a142.exe

  • Size

    406KB

  • MD5

    45061e4da841c2587d0890148705a142

  • SHA1

    eb68218c1d70f3ba00f8190c8171ad1cfa2fb42a

  • SHA256

    6731f235ff78e22e5a0f1503542926bb707a95251b8cbd22c56fbd7fc5a8cbbf

  • SHA512

    01a561bbb8418364078e4751e69a5d61075220cfbaa7582a0b664ccc1fd45b6dd1accc4ef3dd2b2e6b0dc1a99d9e5f5605ee453eb6c1010c28a189109a51c294

Malware Config

Signatures

  • BluStealer

    A modular information stealer written in Visual Basic.

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Typical of ransomware enumerating targets, though in this run it appears alongside stealer and persistence activity and no file-encryption signature was triggered.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\45061e4da841c2587d0890148705a142.exe
    "C:\Users\Admin\AppData\Local\Temp\45061e4da841c2587d0890148705a142.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5072
    • \??\c:\users\admin\appdata\local\temp\45061e4da841c2587d0890148705a142.exe 
      c:\users\admin\appdata\local\temp\45061e4da841c2587d0890148705a142.exe 
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5020
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        3⤵
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:4244
    • C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4344
      • \??\c:\windows\system\explorer.exe
        c:\windows\system\explorer.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Modifies Installed Components in the registry
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4124
        • \??\c:\windows\system\spoolsv.exe
          c:\windows\system\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2284
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of hidden/system files in Explorer
            • Executes dropped EXE
            • Modifies Installed Components in the registry
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3828
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:3732
            • C:\Windows\SysWOW64\at.exe
              at 08:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              PID:4800
            • C:\Windows\SysWOW64\at.exe
              at 08:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              PID:1872
            • C:\Windows\SysWOW64\at.exe
              at 08:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              PID:4924
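The tree above has three shapes worth turning into hunt logic: a Temp-resident binary re-launching itself and then starting an argument-less AppLaunch.exe (the SetThreadContext/WriteProcessMemory pairing on the parent is the shape of process hollowing, though the report does not name it); a second payload, icsys.icn.exe, planting explorer.exe, spoolsv.exe and svchost.exe under C:\Windows\System rather than their real directories; and the dropped svchost.exe trying to schedule itself with three at.exe jobs. One caveat on the last point: at.exe has been deprecated since Windows 8 and on Windows 10 only prints a deprecation notice, so on this image those jobs almost certainly were not created (the report attaches no persistence signature to the at.exe processes); on an older host the same commands would run c:\windows\system\svchost.exe every day at 08:56, 08:57 and 08:58. The WinLogon and Run-key changes listed under explorer.exe and svchost.exe do not depend on at.exe and remain the persistence that matters here.

The following Python is an added example, not Triage's code. It encodes those three rules and runs them over process-creation records constructed from the tree above; the record layout (pid, ppid, image, cmdline) and the root process's parent PID are assumptions, and the two benign rows at the end are constructed controls.

```python
"""Hunt rules derived from the process tree above (added example, not Triage's code).

Each record mirrors one process in the report.  The field layout and the root
process's parent PID (1000) are assumptions; PIDs, images and command lines are
the report's.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Where these OS binaries legitimately live.  The dropped copies run from
# c:\windows\system\, which is on none of these lists.
EXPECTED_DIR = {
    "explorer.exe": {"c:\\windows\\"},
    "svchost.exe": {"c:\\windows\\system32\\", "c:\\windows\\syswow64\\"},
    "spoolsv.exe": {"c:\\windows\\system32\\"},
}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
# "at HH:MM [/interactive] /every:<days> <payload>" -- legacy scheduled-job persistence.
AT_RE = re.compile(
    r"^at\s+\d{1,2}:\d{2}\s+(?:/interactive\s+)?/every:\S+\s+(?P<payload>\S+)", re.I)


def norm(path):
    """Lower-case and strip quotes and the NT \\??\\ prefix so both spellings compare equal."""
    p = path.strip().strip('"').lower()
    return p[4:] if p.startswith("\\??\\") else p


def masquerading_os_name(ev):
    """An explorer/svchost/spoolsv image outside its expected directory."""
    p = norm(ev.image)
    name = p.rsplit("\\", 1)[-1]
    if name not in EXPECTED_DIR:
        return False
    return p[: len(p) - len(name)] not in EXPECTED_DIR[name]


def at_persistence(ev):
    """Return the payload path when the command line is an at.exe /every job."""
    m = AT_RE.match(ev.cmdline.strip())
    return norm(m.group("payload")) if m else None


def hollowing_host(ev, by_pid):
    """AppLaunch.exe started with no arguments by a parent running from a
    user-writable path: the shape of the SetThreadContext chain above."""
    p = norm(ev.image)
    if not p.endswith("\\applaunch.exe") or norm(ev.cmdline) != p:
        return False
    parent = by_pid.get(ev.ppid)
    return parent is not None and any(m in norm(parent.image) for m in USER_WRITABLE)


def hunt(events):
    """Return (rule, pid, detail) triples for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if masquerading_os_name(e):
            hits.append(("masquerade", e.pid, norm(e.image)))
        payload = at_persistence(e)
        if payload:
            hits.append(("at_persistence", e.pid, payload))
        if hollowing_host(e, by_pid):
            hits.append(("hollow_host", e.pid, norm(e.image)))
    return hits


T = r"C:\Users\Admin\AppData\Local\Temp\45061e4da841c2587d0890148705a142.exe"
EVENTS = [
    Event(5072, 1000, T, f'"{T}"'),
    Event(5020, 5072, "\\??\\" + T.lower(), T.lower()),
    Event(4244, 5020, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
          r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"),
    Event(4344, 5072, r"C:\Users\Admin\AppData\Local\icsys.icn.exe",
          r"C:\Users\Admin\AppData\Local\icsys.icn.exe"),
    Event(4124, 4344, r"\??\c:\windows\system\explorer.exe", r"c:\windows\system\explorer.exe"),
    Event(2284, 4124, r"\??\c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe SE"),
    Event(3828, 2284, r"\??\c:\windows\system\svchost.exe", r"c:\windows\system\svchost.exe"),
    Event(3732, 3828, r"\??\c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe PR"),
    Event(4800, 3828, r"C:\Windows\SysWOW64\at.exe",
          r"at 08:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
    Event(1872, 3828, r"C:\Windows\SysWOW64\at.exe",
          r"at 08:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
    Event(4924, 3828, r"C:\Windows\SysWOW64\at.exe",
          r"at 08:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
    # Constructed benign rows that must stay quiet.
    Event(900, 1000, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE"),
    Event(901, 700, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for rule, pid, detail in hunt(EVENTS):
        print(f"{rule:15} pid={pid:<5} {detail}")
```

Run against the records above this yields four masquerade hits (PIDs 4124, 2284, 3828, 3732), three at_persistence hits (4800, 1872, 4924) and one hollow_host hit (4244), while the real explorer.exe and svchost.exe rows stay silent. The masquerade rule is the one that transfers best to endpoint telemetry, because the directory check does not depend on the hashes, which differ for every dropped copy in this report.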

Network

  • DNS icanhazip.com (AppLaunch.exe), remote 8.8.8.8:53 [US]
    Request:  icanhazip.com IN A
    Response: icanhazip.com IN A 104.18.114.97
              icanhazip.com IN A 104.18.115.97
  • GET http://icanhazip.com/ (AppLaunch.exe), remote 104.18.114.97:80 [US]
    Request:
      GET / HTTP/1.1
      Host: icanhazip.com
      Connection: Keep-Alive
    Response:
      HTTP/1.1 200 OK
      Date: Fri, 05 Aug 2022 06:54:31 GMT
      Content-Type: text/plain
      Content-Length: 13
      Connection: keep-alive
      Access-Control-Allow-Origin: *
      Access-Control-Allow-Methods: GET
      Set-Cookie: __cf_bm=sVqX3_1ml2y6wuKmquNBLxou5deREB6ASUERRrYJmfQ-1659682471-0-Aa++uNjC+NgNClLdXrqcXpjm1lzAbojew/dSH5oNv8xBSVS28om01FP7goF/vTKgWTaffGxLuBEH7g11ZquuzvA=; path=/; expires=Fri, 05-Aug-22 07:24:31 GMT; domain=.icanhazip.com; HttpOnly
      Server: cloudflare
      CF-RAY: 735d9f378881b754-AMS
      alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
  • Connection summary (remote, name, protocol, process, bytes sent / received, packets sent / received)
    104.18.114.97:80  http://icanhazip.com/  http  AppLaunch.exe  293 B / 687 B  5 / 3  (GET http://icanhazip.com/ -> HTTP 200)
    8.8.8.8:53        icanhazip.com          dns   AppLaunch.exe  59 B / 91 B    1 / 1  (icanhazip.com -> 104.18.114.97, 104.18.115.97)
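The only network activity in the run is AppLaunch.exe resolving icanhazip.com and fetching http://icanhazip.com/ over plain HTTP; the 13-byte text/plain body is the sandbox's public address plus a newline, which is exactly what the "Looks up external IP address via web service" signature describes. At the wire level this request is indistinguishable from a user checking their own IP, so the detection signal is the combination of destination and requesting process: a .NET utility host such as AppLaunch.exe has no reason to make that request on its own.

The Python below is an added example, not Triage's code. It parses DNS and HTTP log lines, matches them against a list of external-IP lookup services, and rates the alert by the requesting process. The "<timestamp> <dns|http> <process> <details>" line format is an assumption made for the example, the sample lines are constructed from the traffic above plus two benign controls, and every service name other than icanhazip.com comes from general experience rather than from this report.

```python
"""Flag external-IP lookups in DNS/proxy telemetry (added example, not Triage's code).

The log line format "<timestamp> <dns|http> <process> <details>" is an assumption
chosen for the example; the sample lines are constructed from the AppLaunch.exe
traffic in this report plus two benign controls.  Lookup services other than
icanhazip.com are assumed from general experience, not taken from this report.
"""
import re

IP_LOOKUP_DOMAINS = {
    "icanhazip.com",                               # observed in this report
    "api.ipify.org", "ip-api.com", "ifconfig.me",  # assumed additional services
    "checkip.amazonaws.com",
}
# .NET utility hosts routinely used as injection targets; none of them has a
# reason to fetch the machine's public IP on its own.
UNUSUAL_CLIENTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>dns|http)\s+(?P<proc>\S+)\s+(?P<rest>.+)$")


def host_from(kind, rest):
    """DNS lines carry the queried name first; HTTP lines end with the URL."""
    if kind == "dns":
        return rest.split()[0].lower()
    url = rest.split()[-1]
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()


def lookup_service(host):
    """Return the matching lookup-service domain (exact or subdomain), else None."""
    for d in IP_LOOKUP_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def detect(lines):
    """Return one alert dict per line that reaches an external-IP lookup service."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        host = host_from(m["kind"], m["rest"])
        svc = lookup_service(host)
        if svc is None:
            continue
        proc = m["proc"]
        alerts.append({
            "ts": m["ts"], "kind": m["kind"], "process": proc, "service": svc,
            # A browser asking "what is my IP" is noise; an injected host is not.
            "severity": "high" if proc.lower() in UNUSUAL_CLIENTS else "low",
        })
    return alerts


SAMPLE_LOG = [  # constructed lines
    "2022-08-05T06:54:30Z dns  AppLaunch.exe icanhazip.com A 104.18.114.97,104.18.115.97",
    "2022-08-05T06:54:31Z http AppLaunch.exe GET http://icanhazip.com/",
    "2022-08-05T06:54:40Z http chrome.exe    GET https://api.ipify.org/?format=json",
    "2022-08-05T06:54:41Z dns  svchost.exe   wpad.corp.example A NXDOMAIN",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed lines the two AppLaunch.exe records come back as high-severity alerts, the browser lookup as low severity, and the WPAD query is ignored. In a real deployment the process name comes from whichever sensor joins network events to processes (Sysmon DNS events or an EDR proxy log); plain packet captures will only give you the destination half of the rule.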

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\45061e4da841c2587d0890148705a142.exe (also recorded as \??\c:\users\admin\appdata\local\temp\45061e4da841c2587d0890148705a142.exe; the sample's own path, rewritten at 132KB versus the 406KB submission)
    Filesize 132KB
    MD5      bee47439c4960e2728594ece9ad95ba7
    SHA1     43f4b6f607dec5bec2a33e2fb4148c38de832490
    SHA256   8a1902d9c0dbe388b28ef5a9c8ec4c0f1802fc6ccd43471ea337dcb3d71c81d4
    SHA512   ad84d419d61b63e36a6766ba90773b39270bf9c8e72373b52c1979097e73110f749fad0cfed5c4f233304ad0af4b6e753666911ff7db83475c16c38976c46382

  • C:\Users\Admin\AppData\Local\icsys.icn.exe (listed twice in the original report with identical hashes)
    Filesize 274KB
    MD5      4223968da579570e05813854a134397b
    SHA1     07bdaa69105cae6467337d965eb968b6765fe28e
    SHA256   85ce1f5747ce26adf8191236668b87796ed45b1e15a9b87fa8a2f3c80b9b65fc
    SHA512   c62411e35db1940412bf5d8132c1a9a4346ec179b23ec57945be7ea64c5640850cfff94b122ca980293653b270a0c968c48e0b27af0af0bd5bfe177ed72e6beb

  • C:\Users\Admin\AppData\Roaming\mrsys.exe (written to disk but not seen executing in the process tree)
    Filesize 274KB
    MD5      58f87a78ca72b1dd89d086867302dc2e
    SHA1     d1c3259e374c1b6dda612ead5b5c82018a10f31d
    SHA256   a3b34c262d1071450c79ecb9cdc254dba49a8095d898aae02f8dc609ce82b435
    SHA512   06c0a508d8c1d964d2ca0e2ee216425f5686042a88c7d455eb470b3bc57e504305458554a840186bbc58f47cec60f3d23d59e9e7b13d0cdd82ee47036f1d8d6b

  • C:\Windows\System\explorer.exe (also recorded as \??\c:\windows\system\explorer.exe)
    Filesize 274KB
    MD5      431c365527ae0d2494570393abfc88a4
    SHA1     a73df7ab559ec39fa8bd8f55272d9cd04f1ff8c2
    SHA256   ccdbe9663003251963a1c961ba782a3104872516e70390a3805ccc719628dfc4
    SHA512   67bcbffa7bafdd302a2f9aa5fe28bd4b4b5783b6875c1db4268d82feba6c903ca80f16fa4dcb6318233c1af0b81ca41c8d44f9fdf1863629686c70ccda04cb78

  • C:\Windows\System\spoolsv.exe (listed twice in the original report, also as \??\c:\windows\system\spoolsv.exe, all with identical hashes)
    Filesize 274KB
    MD5      31b3d56c0d304cf1344a4216102a21ee
    SHA1     dc38c5542c3f02a11253231f68ccd4ce6811ffda
    SHA256   0654d23d2b91f7fa7a41781ea738a31a9e9cb0d36811ab48e47abad52d09e2d3
    SHA512   692e1077a7fb01cfb284964ce86738a601b07bbd5645072371007b48bc80851d80b8a4485112b955131169a015ce94411f47e413f402ed13d39a9109b6b213ee

  • C:\Windows\System\svchost.exe (also recorded as \??\c:\windows\system\svchost.exe)
    Filesize 274KB
    MD5      715639fe4d4c19ed9fc7597787367716
    SHA1     fd9cf9b00b4e83b1f954664107f1c75ed09584f8
    SHA256   5514ab8d072282bed9faddc7d11dd3fbd0b73a524bab03971159be304df7451f
    SHA512   cbb106d6bd2e26ed38e7cf7da4794f6c4193b1310fbb74fd8549ee7f92d49613b7b3a5dd027eb81f67259a91e14342d92f835d1b58c723cfc1b261b83e432cb4

  • Memory dumps
    memory/5072-132, memory/5072-177, memory/4344-160, memory/4344-179, memory/4124-162, memory/4124-185, memory/2284-163, memory/2284-178, memory/3732-175, memory/3828-182, memory/3828-186: 0x0000000000400000-0x000000000043E000, 248KB each (the same image region in the submitted sample, icsys.icn.exe and every C:\Windows\System copy)
    memory/4244-142: 0x00000000009A0000-0x00000000009BA000, 104KB (AppLaunch.exe)
    memory/4244-176: 0x0000000004F90000-0x0000000004FF6000, 408KB (AppLaunch.exe)
    memory/4244-183: 0x00000000058B0000-0x000000000594C000, 624KB (AppLaunch.exe)
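Two things about this list matter more than the hashes themselves. First, the 274KB copies (icsys.icn.exe, mrsys.exe and the three files under C:\Windows\System) all share a size but every one hashes differently, so a hash-only sweep will find this exact run and nothing else; the paths and the file names icsys.icn.exe and mrsys.exe are the durable indicators. Second, the 132KB file written back over the sample's own path plus a 274KB copy add up to the 406KB submission, which is consistent with a 274KB wrapper carrying a 132KB payload that it drops and re-executes.

The Python below is an added example, not Triage's code. It carries the SHA-256 values from the list above into a sweep that also matches the two dropped file names, and demo() builds a constructed directory tree (a fake icsys.icn.exe and a file whose hash is registered on the fly) to show both match types; nothing in the demo is the real dropper.

```python
"""Sweep a directory tree for the dropped files above (added example, not Triage's code).

The SHA-256 values are copied from the report's Downloads list.  The scan and the
constructed sample tree in demo() are the example's own.
"""
import hashlib
import os
import shutil
import tempfile

# Every 274KB copy in the report hashes differently, so these match only this run.
DROPPED_SHA256 = {
    "8a1902d9c0dbe388b28ef5a9c8ec4c0f1802fc6ccd43471ea337dcb3d71c81d4": "Temp\\45061e4da841c2587d0890148705a142.exe (132KB rewrite)",
    "85ce1f5747ce26adf8191236668b87796ed45b1e15a9b87fa8a2f3c80b9b65fc": "AppData\\Local\\icsys.icn.exe",
    "a3b34c262d1071450c79ecb9cdc254dba49a8095d898aae02f8dc609ce82b435": "AppData\\Roaming\\mrsys.exe",
    "ccdbe9663003251963a1c961ba782a3104872516e70390a3805ccc719628dfc4": "Windows\\System\\explorer.exe",
    "0654d23d2b91f7fa7a41781ea738a31a9e9cb0d36811ab48e47abad52d09e2d3": "Windows\\System\\spoolsv.exe",
    "5514ab8d072282bed9faddc7d11dd3fbd0b73a524bab03971159be304df7451f": "Windows\\System\\svchost.exe",
}
# Dropped names unlikely to collide with anything legitimate; these survive re-packing.
DROPPED_NAMES = {"icsys.icn.exe", "mrsys.exe"}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, hashes=DROPPED_SHA256, names=DROPPED_NAMES):
    """Return [(path, [reasons])] for files matching a known hash or a dropped name."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            reasons = []
            if fn.lower() in names:
                reasons.append("dropped-name:" + fn.lower())
            try:
                digest = sha256_file(path)
            except OSError:          # unreadable or vanished file: skip, do not abort the sweep
                continue
            if digest in hashes:
                reasons.append("sha256:" + hashes[digest])
            if reasons:
                hits.append((path, reasons))
    return hits


def demo():
    """Constructed tree: a fake icsys.icn.exe (name hit), a file whose hash is
    registered on the fly (hash hit) and a benign file.  Returns the sorted reasons."""
    root = tempfile.mkdtemp()
    try:
        local = os.path.join(root, "Users", "Admin", "AppData", "Local")
        os.makedirs(local)
        with open(os.path.join(local, "icsys.icn.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 64)          # constructed stand-in, not the real dropper
        known = os.path.join(root, "known.bin")
        with open(known, "wb") as f:
            f.write(b"constructed payload bytes")
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("benign")
        hashes = dict(DROPPED_SHA256)
        hashes[sha256_file(known)] = "constructed-known-bad"
        return sorted(r for _, reasons in sweep(root, hashes) for r in reasons)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

On a live host, point sweep() at C:\Windows\System and the user profiles and expect the name matches to fire before the hash matches do; if a name hit's hash is not in the table, keep the file, since it is a copy this report has not seen.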
