Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
13/09/2022, 16:15
Static task
static1
Behavioral task
behavioral1
Sample
70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe
Resource
win10v2004-20220812-en
General
-
Target
70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe
-
Size
1.3MB
-
MD5
20cf6b947841f6ed3546f82ed68c1b7f
-
SHA1
d65463fd21602d678f23678565d1169b3a4a8333
-
SHA256
70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057
-
SHA512
e225529b0e191aa3e5ef6ecc362f6f44b3e81d084a6f0fc2240613af9d15f11fb4ca6291ae3b2815ca6c791a9fd25c5ab0bea835441db92bfe65c223eac6cec5
-
SSDEEP
24576:USeAC7aqFZpthlSTLp6tRgF/3QTJq8vOGxgiNdaeEntTI2IOw:MARqFHthlQp6DIfQfvr5Nct
Malware Config
Extracted
blustealer
Protocol: smtp- Host:
mail.jdaroil.com - Port:
587 - Username:
[email protected] - Password:
JDAR-iraq#@
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
Loads dropped DLL 2 IoCs
pid Process 5032 70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe 5032 70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4928 set thread context of 5032 4928 70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe 98 PID 5032 set thread context of 3996 5032 70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe 100 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 5032 70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 4928 wrote to memory of 5032 4928 70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe 98 PID 4928 wrote to memory of 5032 4928 70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe 98 PID 4928 wrote to memory of 5032 4928 70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe 98 PID 4928 wrote to memory of 5032 4928 70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe 98 PID 4928 wrote to memory of 5032 4928 70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe 98 PID 4928 wrote to memory of 5032 4928 70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe 98 PID 4928 wrote to memory of 5032 4928 70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe 98 PID 4928 wrote to memory of 5032 4928 70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe 98 PID 5032 wrote to memory of 3996 5032 70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe 100 PID 5032 wrote to memory of 3996 5032 70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe 100 PID 5032 wrote to memory of 3996 5032 70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe 100 PID 5032 wrote to memory of 3996 5032 70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe 100 PID 5032 wrote to memory of 3996 5032 70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe"C:\Users\Admin\AppData\Local\Temp\70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Users\Admin\AppData\Local\Temp\70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe"C:\Users\Admin\AppData\Local\Temp\70fc011e55904f455a12e19e82e3a25fa05a37993bb79f023a5655aabae4b057.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe3⤵PID:3996
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
59KB
MD5d77b227a28a78627c2323cac75948390
SHA1e228c3951f2a9fd0febfe07390633ab4f35727f4
SHA256527ec201dcd7695bd9830eb82ab35a3986121de9ea156193834aed9d79223b82
SHA5125627fbc8bbb98f644e21f101a68f0e0b07b87c264d00ea227286bed8ab6dd4ebf5114f03b632604f775ff93666a409a1a179a81ebfc9246956ba8150ff5b0587
-
Filesize
585KB
MD55405413fff79b8d9c747aa900f60f082
SHA171caf8907ddd9a3a25d71356bd2ce09bd293bd78
SHA2563e5a28ffde07ac661c26b6ccf94e64c1c90b1f25b3b24c90605aa922b87642eb
SHA5122f09a30fc4da5166bd665210fefa1d44ce344f0ec6a37f127d677aeb3ca4fc0d09b7c9c1540f57da1e3449b7f588a1c61115395e965fa153d4baa5033266ed66