Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
26/09/2022, 08:34
Static task
static1
Behavioral task
behavioral1
Sample
_220926_.EXE.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
_220926_.EXE.exe
Resource
win10v2004-20220812-en
General
-
Target
_220926_.EXE.exe
-
Size
204KB
-
MD5
1a6cd2ff652a3c9c909682a62fa6e25a
-
SHA1
54a16855a8a48f4f847a0a8ca66a2f26b333b2cd
-
SHA256
00bcf28771526c2f876a4135520a4eb5a373f6671ea6c94eea36ce2cccbc8e43
-
SHA512
316d788ef92ee882d39dce5f8a61b34c783b61466b6f1682f1fcf055bdc2c290990abd1a93cdf9774616d32968e23acd8dfb609d6a4b8880110a8ef4f1298385
-
SSDEEP
3072:8I42jI06VSyw9rPdTlYpw3BC/3MYxLXVnSCLr/nEayyGq:8z7yywlPdhYqxm3H5SC
Malware Config
Extracted
blustealer
https://api.telegram.org/bot5641602090:AAFgkXeQEDF1Zq8nmUMQJA2TjfP0wsTJyeM/sendMessage?chat_id=1755939698
Signatures
-
BluStealer
A Modular information stealer written in Visual Basic.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
resource yara_rule behavioral2/memory/2968-142-0x0000000000D60000-0x0000000000D7A000-memory.dmp family_stormkitty -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 12 icanhazip.com -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4436 set thread context of 5032 4436 _220926_.EXE.exe 80 PID 5032 set thread context of 2968 5032 cvtres.exe 85 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 AppLaunch.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier AppLaunch.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4436 _220926_.EXE.exe 4436 _220926_.EXE.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4436 _220926_.EXE.exe Token: SeDebugPrivilege 2968 AppLaunch.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 5032 cvtres.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 4436 wrote to memory of 4976 4436 _220926_.EXE.exe 79 PID 4436 wrote to memory of 4976 4436 _220926_.EXE.exe 79 PID 4436 wrote to memory of 4976 4436 _220926_.EXE.exe 79 PID 4436 wrote to memory of 5032 4436 _220926_.EXE.exe 80 PID 4436 wrote to memory of 5032 4436 _220926_.EXE.exe 80 PID 4436 wrote to memory of 5032 4436 _220926_.EXE.exe 80 PID 4436 wrote to memory of 5032 4436 _220926_.EXE.exe 80 PID 4436 wrote to memory of 5032 4436 _220926_.EXE.exe 80 PID 4436 wrote to memory of 5032 4436 _220926_.EXE.exe 80 PID 4436 wrote to memory of 5032 4436 _220926_.EXE.exe 80 PID 4436 wrote to memory of 5032 4436 _220926_.EXE.exe 80 PID 5032 wrote to memory of 2968 5032 cvtres.exe 85 PID 5032 wrote to memory of 2968 5032 cvtres.exe 85 PID 5032 wrote to memory of 2968 5032 cvtres.exe 85 PID 5032 wrote to memory of 2968 5032 cvtres.exe 85 PID 5032 wrote to memory of 2968 5032 cvtres.exe 85 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\_220926_.EXE.exe"C:\Users\Admin\AppData\Local\Temp\_220926_.EXE.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"2⤵PID:4976
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe3⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2968
-
-