Analysis
max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/08/2022, 13:23
Behavioral task behavioral1
Sample: d617cfaf2f5cfcb5c50ecc28d0d02582.exe
Resource: win7-20220812-en

Behavioral task behavioral2
Sample: d617cfaf2f5cfcb5c50ecc28d0d02582.exe
Resource: win10v2004-20220812-en
General
Target: d617cfaf2f5cfcb5c50ecc28d0d02582.exe
Size: 406KB
MD5: d617cfaf2f5cfcb5c50ecc28d0d02582
SHA1: 63a2d370a2c0ef547cc7a78e220e0d9021e2b4a1
SHA256: 4a4d5455c9e941082c8c08a96102afc9d33abc40985bfcc00b6bee8c098066fd
SHA512: 857a130effc4aca8d5cebaaa78eace06242e7f96332553f5676f4670fdfdab45eed3306475d8e3a9ad7facf4e3b5cceac9aeb7e25c394a82324499e0b78fe8f0
Malware Config
Signatures
BluStealer
A modular information stealer written in Visual Basic.

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (1 IoCs)
resource | yara_rule
behavioral2/memory/2596-142-0x0000000000570000-0x000000000058A000-memory.dmp | family_stormkitty
Executes dropped EXE (6 IoCs)
pid | Process
1580 | d617cfaf2f5cfcb5c50ecc28d0d02582.exe
4840 | icsys.icn.exe
32 | explorer.exe
4140 | spoolsv.exe
4040 | svchost.exe
4652 | spoolsv.exe
Modifies Installed Components in the registry (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Key opened | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
11 | icanhazip.com
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 1580 set thread context of 2596 | 1580 | d617cfaf2f5cfcb5c50ecc28d0d02582.exe | 83
Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\system\explorer.exe | icsys.icn.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | AppLaunch.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | AppLaunch.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
The 64 entries are repeated pid/Process pairs; collapsed by process with occurrence counts:
pid | Process | occurrences
4840 | icsys.icn.exe | 2
32 | explorer.exe | 36
4040 | svchost.exe | 26
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
32 | explorer.exe
4040 | svchost.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2596 | AppLaunch.exe
Suspicious use of SetWindowsHookEx (15 IoCs)
The 15 entries are repeated pid/Process pairs; collapsed by process with occurrence counts:
pid | Process | occurrences
5044 | d617cfaf2f5cfcb5c50ecc28d0d02582.exe | 2
1580 | d617cfaf2f5cfcb5c50ecc28d0d02582.exe | 1
4840 | icsys.icn.exe | 2
32 | explorer.exe | 4
4140 | spoolsv.exe | 2
4040 | svchost.exe | 2
4652 | spoolsv.exe | 2
Suspicious use of WriteProcessMemory (32 IoCs)
Each parent-to-child write is logged several times; collapsed by writer/target pair with occurrence counts:
description | pid | Process | procid_target | occurrences
PID 5044 wrote to memory of 1580 | 5044 | d617cfaf2f5cfcb5c50ecc28d0d02582.exe | 82 | 3
PID 1580 wrote to memory of 2596 | 1580 | d617cfaf2f5cfcb5c50ecc28d0d02582.exe | 83 | 5
PID 5044 wrote to memory of 4840 | 5044 | d617cfaf2f5cfcb5c50ecc28d0d02582.exe | 84 | 3
PID 4840 wrote to memory of 32 | 4840 | icsys.icn.exe | 85 | 3
PID 32 wrote to memory of 4140 | 32 | explorer.exe | 86 | 3
PID 4140 wrote to memory of 4040 | 4140 | spoolsv.exe | 87 | 3
PID 4040 wrote to memory of 4652 | 4040 | svchost.exe | 88 | 3
PID 4040 wrote to memory of 2272 | 4040 | svchost.exe | 89 | 3
PID 4040 wrote to memory of 2016 | 4040 | svchost.exe | 93 | 3
PID 4040 wrote to memory of 4324 | 4040 | svchost.exe | 95 | 3
outlook_office_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe

outlook_win_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
Processes
Process tree (indentation shows parent/child relationship; each entry lists the image path, the command line, the PID and the signatures that fired in that process):

C:\Users\Admin\AppData\Local\Temp\d617cfaf2f5cfcb5c50ecc28d0d02582.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d617cfaf2f5cfcb5c50ecc28d0d02582.exe"
  PID: 5044
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\users\admin\appdata\local\temp\d617cfaf2f5cfcb5c50ecc28d0d02582.exe
    command line: c:\users\admin\appdata\local\temp\d617cfaf2f5cfcb5c50ecc28d0d02582.exe
    PID: 1580
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      PID: 2596
      - Accesses Microsoft Outlook profiles
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path

  C:\Users\Admin\AppData\Local\icsys.icn.exe
    command line: C:\Users\Admin\AppData\Local\icsys.icn.exe
    PID: 4840
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\system\explorer.exe
      command line: c:\windows\system\explorer.exe
      PID: 32
      - Modifies WinLogon for persistence
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Modifies Installed Components in the registry
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\system\spoolsv.exe
        command line: c:\windows\system\spoolsv.exe SE
        PID: 4140
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\system\svchost.exe
          command line: c:\windows\system\svchost.exe
          PID: 4040
          - Modifies WinLogon for persistence
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Modifies Installed Components in the registry
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          \??\c:\windows\system\spoolsv.exe
            command line: c:\windows\system\spoolsv.exe PR
            PID: 4652
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

          C:\Windows\SysWOW64\at.exe
            command line: at 13:25 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            PID: 2272

          C:\Windows\SysWOW64\at.exe
            command line: at 13:26 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            PID: 2016

          C:\Windows\SysWOW64\at.exe
            command line: at 13:27 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
            PID: 4324
Downloads