Analysis
- max time kernel: 150s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/09/2022, 10:50
Static task: static1
Behavioral task: behavioral1
- Sample: sample.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: sample.exe
- Resource: win10v2004-20220901-en
General
- Target: sample.exe
- Size: 1.0MB
- MD5: 82a1be67742da347df519c0c0b75ed87
- SHA1: 163e5d1758c7be66a6a3a35d2f9973d209383567
- SHA256: 02a1835ea805bb1a6ca8d1706fa5a811279ec3fcb1524eb83cfa60f0314cf0dd
- SHA512: d2051aa0284e0ab9151417d05eafc037695c32d6bf67512b2c8155ecc303774bdc950c24a658fb88787c4f1c3f6ae8bb0bba2017d90129afcbf484f40baaa4a7
- SSDEEP: 12288:I5bIINzS9JAJgapke+yoaYRy6Wrq2vElGv9W:qbNzoJ0gakNy9cjWm2UGv
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5415235188:AAGqakDD6FZcw5LLX6hH5qVayV-1OGURlEo/sendMessage?chat_id=1372472614
Signatures
- BluStealer
  A Modular information stealer written in Visual Basic.
- StormKitty
  StormKitty is an open source info stealer written in C#.
- StormKitty payload (1 IoCs)
  yara_rule family_stormkitty matched resource behavioral2/memory/1500-158-0x00000000005B0000-0x00000000005CA000-memory.dmp
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (sample.exe)
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 72: icanhazip.com
- Suspicious use of SetThreadContext (2 IoCs)
  PID 628 set thread context of 764 (sample.exe, procid_target 101)
  PID 764 set thread context of 1500 (sample.exe, procid_target 102)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (AppLaunch.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (AppLaunch.exe)
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2460: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  PID 628 sample.exe (7 IoCs)
  PID 2256 powershell.exe (2 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  PID 764 sample.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 628 sample.exe
  Token: SeDebugPrivilege, PID 2256 powershell.exe
  Token: SeDebugPrivilege, PID 1500 AppLaunch.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  PID 764 sample.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  PID 628 wrote to memory of 2256 (sample.exe, procid_target 97): 3 IoCs
  PID 628 wrote to memory of 2460 (sample.exe, procid_target 99): 3 IoCs
  PID 628 wrote to memory of 764 (sample.exe, procid_target 101): 8 IoCs
  PID 764 wrote to memory of 1500 (sample.exe, procid_target 102): 5 IoCs
- outlook_office_path (1 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
- outlook_win_path (1 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (AppLaunch.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\sample.exe (PID 628)
  Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2256)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fjuIjtcpvLma.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2460)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fjuIjtcpvLma" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBBFD.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\sample.exe (PID 764)
    Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 1500)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      - Accesses Microsoft Outlook profiles
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: c94f62ce2e7a2b7d1e86d06235530c94
  SHA1: f3e8865709d028052062677528f1a3f41c3bfcf6
  SHA256: ee67e67421115016a376bb60d3ee9960940210089f755d87f679bed6c5477541
  SHA512: 21ee8f3ea83a6cf3901344b28a70880b6aeac9af91d89175f99cc8cd25f993ab251db846920ec6e78286b225b06c8d8314cef55a3bf20d743349325ad1d614d6