Analysis

  • max time kernel
    150s
  • max time network
    83s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/09/2022, 23:31

General

  • Target

    6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe

  • Size

    5.1MB

  • MD5

    0727f10acffae1a2fbad5bdee8606d77

  • SHA1

    25a2190e389051017b0b512c0caa0e56d185d80a

  • SHA256

    6b2d7c8bdedb901d80c89717c9889abf169c9059d8bb545af6ca1960660324ad

  • SHA512

    f5fdd04b5dd1882b99dcff66e21ee2eb6efe5032f25130f3ca67fc089c841fbdd48e495fdf370e0460833e6f8848c48069174298181db45e8857bdb4c5bed781

  • SSDEEP

    98304:pAI+7WP8CGcEUNHnorSJwvvGBrHBHA8Fn6KhPpXjX2oPIn23U4jKuK5rQjKg0OFB:itM8C9EUN96viBHFn6Uhr/I23UEKuK58

Malware Config

Extracted

Family

privateloader

C2

http://212.193.30.45/proxies.txt

http://45.144.225.57/server.txt

http://wfsdragon.ru/api/setStats.php

2.56.59.42

Signatures

  • Detects Smokeloader packer 5 IoCs
  • FFDroider

    Stealer targeting social media platform users first seen in April 2022.

  • FFDroider payload 8 IoCs
  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • NirSoft WebBrowserPassView 5 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 5 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe
    "C:\Users\Admin\AppData\Local\Temp\6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Program Files (x86)\Company\NewProduct\inst2.exe
      "C:\Program Files (x86)\Company\NewProduct\inst2.exe"
      2⤵
      • Executes dropped EXE
      PID:1932
    • C:\Program Files (x86)\Company\NewProduct\rtst1039.exe
      "C:\Program Files (x86)\Company\NewProduct\rtst1039.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:948
      • C:\Users\Admin\AppData\Local\Temp\11111.exe
        C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1120
    • C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
      "C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken
      PID:828
    • C:\Program Files (x86)\Company\NewProduct\toolspab2.exe
      "C:\Program Files (x86)\Company\NewProduct\toolspab2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Program Files (x86)\Company\NewProduct\toolspab2.exe
        "C:\Program Files (x86)\Company\NewProduct\toolspab2.exe"
        3⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:1692
    • C:\Program Files (x86)\Company\NewProduct\Cube_WW9.exe
      "C:\Program Files (x86)\Company\NewProduct\Cube_WW9.exe"
      2⤵
      • Executes dropped EXE
      PID:2028

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\Company\NewProduct\Cube_WW9.exe

    Filesize

    137KB

    MD5

    e88a59876ea9ad978cadc4fe3105f23f

    SHA1

    aa3a48f01218b9d0e55c3629bb689b05d135d508

    SHA256

    764cc1739087f72db37602c60fd7ec8303114f46c1c4a338fbf1ff3d9d181b03

    SHA512

    9fe4fa68b35d14095be5e31098fcff6d7b6b4a409fbc2800051ce8a6525e0f8344675aa07cd39d2d081e32acd31d9a2eed081113e14e9c0d23c2d2f0e5b68419

  • C:\Program Files (x86)\Company\NewProduct\inst2.exe

    Filesize

    201KB

    MD5

    0aa9f08b7bc4d4bb3ce7d578f7b6005b

    SHA1

    c0b0f1ebfb84d3b571281e5adfbe0ad5b071a1c5

    SHA256

    a7536ca66bf434d6c9a5d1e56aa2c82e84c54dea530d0a4eabc3a30385d5ddcb

    SHA512

    7f8b6d0c4fb63dff3e7dd3c289d603c7ce253bd77ca35e87962a53aea7869a37410bf4a51e7bff95f859bbe207e00f36d9cdf0b4646406773a27daebc325c7fc

  • C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe

    Filesize

    4.1MB

    MD5

    03c055e021d1f56cfe74badffe93e7bc

    SHA1

    84493871e54d877a4aedf64f56c41ce3be8305c5

    SHA256

    8ec4968d0cb5229ccd04ce31658100c2c47cc7af99c33903447f5182ea3e5319

    SHA512

    5379616c9ba54e8a4b669e34b8ba589d1a8c59812d431355c48ea72278cce47d52d9eafad225a9bbae9c9cd92a31288232bb789bc2d28e2828dfb93da2fd7aae

  • C:\Program Files (x86)\Company\NewProduct\rtst1039.exe

    Filesize

    2.0MB

    MD5

    fe18d0f0f56abf84f421f7961206d5d1

    SHA1

    6685e8c651d2b2342b7a6f717360cb05d5455fe7

    SHA256

    efd4d7544f985545e2fd3377d0a9af6852315fa2eb4d0b14b3c4ac36dee6ce80

    SHA512

    74c216d1dddee3108fb80c5139af62efa6b3c855ce5468c5a4ec057fd29ef2cf5df74a145bd45fe70235ed2f45ed2839b319358e9c5523f60d5cfeff54f07669

  • C:\Program Files (x86)\Company\NewProduct\toolspab2.exe

    Filesize

    300KB

    MD5

    8c23cc666860658e657dc4652a48ff91

    SHA1

    deebc6a7e00db0b79c52f1d922efa05dbca3333e

    SHA256

    a7ee420fd3a477e690dab56f47b264dd6c8376941101065d6645716bbf4b6333

    SHA512

    0cf8a4071903672291effbcf10ab5f801cf364ba72fd4ef87f96e3d5957df9921f2c36bae1ef1db1b735c7c52dd59f18fbdfbdf4cfe2006d3390df0c3ef00942

  • C:\Users\Admin\AppData\Local\Temp\11111.exe

    Filesize

    391KB

    MD5

    7165e9d7456520d1f1644aa26da7c423

    SHA1

    177f9116229a021e24f80c4059999c4c52f9e830

    SHA256

    40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67

    SHA512

    fe80996a7f5c64815c19db1fa582581aa1934ea8d1050e686b4f65bcdd000df1decdf711e0e4b1de8a2aa4fcb1ac95cebb0316017c42e80d8386bd3400fcaecb

  • C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

    Filesize

    246B

    MD5

    46183ada973d3bfaab7be726c800e96e

    SHA1

    7fcb7272b04d8b1caaf1343ec720461ca79f45c2

    SHA256

    0cba483c4b5eeb5d275d2a54db9f7c3c213615628b4ac79044980347930e7a1f

    SHA512

    338c4ccf7cde74e3aa5c9bb27672797ab8b4c8aa6e99fbcf61a2dc8caecdd871b747e4bcc654391479bc4df5a1e72257da9957f9768c67b2846dd9435b950926

  • \Program Files (x86)\Company\NewProduct\Cube_WW9.exe

    Filesize

    137KB

    MD5

    e88a59876ea9ad978cadc4fe3105f23f

    SHA1

    aa3a48f01218b9d0e55c3629bb689b05d135d508

    SHA256

    764cc1739087f72db37602c60fd7ec8303114f46c1c4a338fbf1ff3d9d181b03

    SHA512

    9fe4fa68b35d14095be5e31098fcff6d7b6b4a409fbc2800051ce8a6525e0f8344675aa07cd39d2d081e32acd31d9a2eed081113e14e9c0d23c2d2f0e5b68419

  • \Program Files (x86)\Company\NewProduct\inst2.exe

    Filesize

    201KB

    MD5

    0aa9f08b7bc4d4bb3ce7d578f7b6005b

    SHA1

    c0b0f1ebfb84d3b571281e5adfbe0ad5b071a1c5

    SHA256

    a7536ca66bf434d6c9a5d1e56aa2c82e84c54dea530d0a4eabc3a30385d5ddcb

    SHA512

    7f8b6d0c4fb63dff3e7dd3c289d603c7ce253bd77ca35e87962a53aea7869a37410bf4a51e7bff95f859bbe207e00f36d9cdf0b4646406773a27daebc325c7fc

  • \Program Files (x86)\Company\NewProduct\jg1_1faf.exe

    Filesize

    4.1MB

    MD5

    03c055e021d1f56cfe74badffe93e7bc

    SHA1

    84493871e54d877a4aedf64f56c41ce3be8305c5

    SHA256

    8ec4968d0cb5229ccd04ce31658100c2c47cc7af99c33903447f5182ea3e5319

    SHA512

    5379616c9ba54e8a4b669e34b8ba589d1a8c59812d431355c48ea72278cce47d52d9eafad225a9bbae9c9cd92a31288232bb789bc2d28e2828dfb93da2fd7aae

  • \Program Files (x86)\Company\NewProduct\rtst1039.exe

    Filesize

    2.0MB

    MD5

    fe18d0f0f56abf84f421f7961206d5d1

    SHA1

    6685e8c651d2b2342b7a6f717360cb05d5455fe7

    SHA256

    efd4d7544f985545e2fd3377d0a9af6852315fa2eb4d0b14b3c4ac36dee6ce80

    SHA512

    74c216d1dddee3108fb80c5139af62efa6b3c855ce5468c5a4ec057fd29ef2cf5df74a145bd45fe70235ed2f45ed2839b319358e9c5523f60d5cfeff54f07669

  • \Program Files (x86)\Company\NewProduct\toolspab2.exe

    Filesize

    300KB

    MD5

    8c23cc666860658e657dc4652a48ff91

    SHA1

    deebc6a7e00db0b79c52f1d922efa05dbca3333e

    SHA256

    a7ee420fd3a477e690dab56f47b264dd6c8376941101065d6645716bbf4b6333

    SHA512

    0cf8a4071903672291effbcf10ab5f801cf364ba72fd4ef87f96e3d5957df9921f2c36bae1ef1db1b735c7c52dd59f18fbdfbdf4cfe2006d3390df0c3ef00942

  • memory/828-86-0x0000000000400000-0x0000000000AF0000-memory.dmp

    Filesize

    6.9MB

  • memory/828-100-0x0000000003C00000-0x0000000003C10000-memory.dmp

    Filesize

    64KB

  • memory/828-75-0x0000000000400000-0x0000000000AF0000-memory.dmp

    Filesize

    6.9MB

  • memory/828-114-0x0000000000400000-0x0000000000AF0000-memory.dmp

    Filesize

    6.9MB

  • memory/828-113-0x0000000000400000-0x0000000000AF0000-memory.dmp

    Filesize

    6.9MB

  • memory/828-94-0x0000000003AA0000-0x0000000003AB0000-memory.dmp

    Filesize

    64KB

  • memory/828-93-0x0000000000400000-0x0000000000AF0000-memory.dmp

    Filesize

    6.9MB

  • memory/828-84-0x0000000000400000-0x0000000000AF0000-memory.dmp

    Filesize

    6.9MB

  • memory/828-91-0x0000000000400000-0x0000000000AF0000-memory.dmp

    Filesize

    6.9MB

  • memory/828-88-0x0000000000400000-0x0000000000AF0000-memory.dmp

    Filesize

    6.9MB

  • memory/828-87-0x0000000000400000-0x0000000000AF0000-memory.dmp

    Filesize

    6.9MB

  • memory/1120-110-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

  • memory/1660-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

    Filesize

    8KB

  • memory/1692-106-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/1692-89-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/1692-79-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/1932-62-0x0000000000260000-0x0000000000273000-memory.dmp

    Filesize

    76KB

  • memory/1932-61-0x0000000000230000-0x0000000000240000-memory.dmp

    Filesize

    64KB

  • memory/2024-85-0x0000000000020000-0x0000000000029000-memory.dmp

    Filesize

    36KB

  • memory/2024-82-0x0000000000308000-0x0000000000319000-memory.dmp

    Filesize

    68KB

  • memory/2024-77-0x0000000000308000-0x0000000000319000-memory.dmp

    Filesize

    68KB