Analysis

  • max time kernel
    65s
  • max time network
    63s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    2022-10-03, 14:58 UTC

General

  • Target

    2b5155b6e823a0dc5e01d86e2773cc2b7bcc02a5c3ab8ed496297b7fb0ca04dc.exe

  • Size

    390KB

  • MD5

    6b990e2a7cdf89f93d4f7fc977224f1c

  • SHA1

    3b5b87866f0b73f465763ebf7c7f49c7f026758c

  • SHA256

    2b5155b6e823a0dc5e01d86e2773cc2b7bcc02a5c3ab8ed496297b7fb0ca04dc

  • SHA512

    db40969d543cfc009e27f26744617e995d738d30abc6f1f7a61d31a4cca5fbd6a29db8ffa8b65ed81a0c3efcc9b8f397da25a9529ad765ce7cae71d49d7873d8

  • SSDEEP

    6144:ebDJSegYiFS3rBkr7IlcssWLrfqKTmDFmUr4H0JXJHtgxOZ9Em9Evl:e7gN0r+0DsCqVvkH0JXJHEOZ1Wvl

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, session tokens and autofill data.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The generic signature text calls this likely ransomware behaviour, but the other signatures in this report (FTP client, messenger and browser data reads, external IP lookup, SMTP traffic) are those of an infostealer, which enumerates drives to find files and credential stores to harvest.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
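The "Reads data files stored by FTP clients" signature refers to files such as FileZilla's sitemanager.xml. The parser below is an added example, not code from the sample or from Triage; it shows what such a file gives an attacker: site entries whose passwords are only base64-encoded unless a FileZilla master password has been set. The XML is constructed, the protocol-id mapping is taken from FileZilla's source as far as the author recalls it, and the encoding="crypt" attribute used for master-password-protected entries is an assumption about the format; the parser treats any encoding other than base64 (or none) as protected.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed stand-in for %APPDATA%\FileZilla\sitemanager.xml. Hosts, users
# and passwords are invented; the element layout follows FileZilla's format.
SAMPLE_SITEMANAGER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.60.1" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Logontype>1</Logontype>
      <User>webadmin</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Name>Production site</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Logontype>1</Logontype>
      <User>deploy</User>
      <!-- master password set: value is encrypted, not merely encoded
           (the exact encoding attribute name is assumed here) -->
      <Pass encoding="crypt">ZmFrZQ==</Pass>
      <Name>Staging</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

# Assumed mapping of FileZilla's numeric <Protocol> ids to names.
PROTOCOLS = {"0": "ftp", "1": "sftp", "3": "ftps", "4": "ftpes"}


def parse_sitemanager(xml_text: str) -> List[Dict[str, object]]:
    """One record per <Server>: where it points and whether the stored
    password is recoverable without FileZilla's master password."""
    root = ET.fromstring(xml_text)
    sites: List[Dict[str, object]] = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        password: Optional[str] = None
        protected = False
        if pass_el is not None and (pass_el.text or "").strip():
            encoding = pass_el.get("encoding", "")
            if encoding == "base64":
                # Reversible encoding, not encryption: whoever can read the
                # file gets the cleartext. This is what a stealer collects.
                password = base64.b64decode(pass_el.text.strip()).decode("utf-8", "replace")
            elif encoding == "":
                password = pass_el.text  # very old versions stored plaintext
            else:
                protected = True  # encrypted under the master password
        sites.append({
            "name": server.findtext("Name", ""),
            "protocol": PROTOCOLS.get(server.findtext("Protocol", ""), "unknown"),
            "host": server.findtext("Host", ""),
            "port": server.findtext("Port", ""),
            "user": server.findtext("User", ""),
            "password": password,
            "protected": protected,
        })
    return sites


def exposure_summary(sites: List[Dict[str, object]]) -> Dict[str, int]:
    """Count credentials usable as-is versus those still needing the master password."""
    exposed = sum(1 for s in sites if s["password"] is not None)
    protected = sum(1 for s in sites if s["protected"])
    return {"exposed": exposed, "protected": protected}


if __name__ == "__main__":
    parsed = parse_sitemanager(SAMPLE_SITEMANAGER_XML)
    for s in parsed:
        shown = "<protected>" if s["protected"] else s["password"]
        print(f"{s['protocol']}://{s['user']}@{s['host']}:{s['port']}  password={shown}")
    print(exposure_summary(parsed))
```

Run against a real profile this tells you which saved sites to treat as compromised after an infection like the one above: every base64 entry is as good as cleartext, and only entries stored under a master password need the attacker to do more than read the file.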

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b5155b6e823a0dc5e01d86e2773cc2b7bcc02a5c3ab8ed496297b7fb0ca04dc.exe
    "C:\Users\Admin\AppData\Local\Temp\2b5155b6e823a0dc5e01d86e2773cc2b7bcc02a5c3ab8ed496297b7fb0ca04dc.exe"
    1⤵
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Users\Admin\AppData\Local\Temp\SO-MoneyHack v2.0.exe
      "C:\Users\Admin\AppData\Local\Temp\SO-MoneyHack v2.0.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1980
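"Checks BIOS information in registry" and "Checks processor information in registry" on PID 1672 describe a VM-fingerprinting routine. The report does not say which values the sample read, so the script below is an added example (not code from the sample or from Triage) that assumes the usual locations under HKLM\HARDWARE\DESCRIPTION\System. It shows the decision such a check makes and lets a sandbox operator run the same lookup on their own image to see which vendor strings it leaks. The two registry snapshots are constructed; the live reader only works on Windows and returns None elsewhere.

```python
from typing import Dict, List, Optional, Tuple

# Registry locations usually consulted for VM fingerprinting. This list is an
# assumption about what the sample reads; the report names no specific values.
BIOS_KEY = r"HKLM\HARDWARE\DESCRIPTION\System\BIOS"
CPU_KEY = r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0"
WATCHED_VALUES: Dict[str, Tuple[str, ...]] = {
    BIOS_KEY: ("SystemManufacturer", "SystemProductName", "BIOSVendor"),
    CPU_KEY: ("ProcessorNameString", "Identifier", "VendorIdentifier"),
}
# Lower-case substrings that identify common hypervisors and emulators.
VM_MARKERS = ("vmware", "virtualbox", "vbox", "qemu", "bochs", "xen", "kvm",
              "parallels", "virtual machine", "hyper-v")

# Constructed snapshots: one typical of a VMware guest, one of a physical desktop.
VMWARE_SNAPSHOT = {
    BIOS_KEY: {"SystemManufacturer": "VMware, Inc.", "SystemProductName": "VMware7,1",
               "BIOSVendor": "Phoenix Technologies LTD"},
    CPU_KEY: {"ProcessorNameString": "Intel(R) Xeon(R) CPU E5-2680 v4 @ 2.40GHz",
              "Identifier": "Intel64 Family 6 Model 79 Stepping 1",
              "VendorIdentifier": "GenuineIntel"},
}
BARE_METAL_SNAPSHOT = {
    BIOS_KEY: {"SystemManufacturer": "Dell Inc.", "SystemProductName": "OptiPlex 7090",
               "BIOSVendor": "Dell Inc."},
    CPU_KEY: {"ProcessorNameString": "Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz",
              "Identifier": "Intel64 Family 6 Model 165 Stepping 5",
              "VendorIdentifier": "GenuineIntel"},
}


def classify_registry_snapshot(snapshot: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(key, value name, marker) for every watched value that leaks a hypervisor name."""
    hits: List[Tuple[str, str, str]] = []
    for key, names in WATCHED_VALUES.items():
        values = snapshot.get(key, {})
        for name in names:
            text = str(values.get(name, "")).lower()
            for marker in VM_MARKERS:
                if marker in text:
                    hits.append((key, name, marker))
                    break
    return hits


def looks_virtual(snapshot: Dict[str, Dict[str, str]]) -> bool:
    """The decision an evasive sample makes: any hit means 'probably a sandbox'."""
    return bool(classify_registry_snapshot(snapshot))


def read_live_snapshot() -> Optional[Dict[str, Dict[str, str]]]:
    """Read the same values from the local registry (Windows only; None elsewhere)."""
    try:
        import winreg
    except ImportError:
        return None
    snapshot: Dict[str, Dict[str, str]] = {}
    for key, names in WATCHED_VALUES.items():
        subkey = key.split("\\", 1)[1]  # drop the HKLM\ prefix
        values: Dict[str, str] = {}
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as handle:
                for name in names:
                    try:
                        values[name] = str(winreg.QueryValueEx(handle, name)[0])
                    except OSError:
                        pass  # value absent on this machine
        except OSError:
            pass  # key absent
        snapshot[key] = values
    return snapshot


if __name__ == "__main__":
    for label, snap in (("vmware (constructed)", VMWARE_SNAPSHOT),
                        ("bare metal (constructed)", BARE_METAL_SNAPSHOT),
                        ("this machine", read_live_snapshot())):
        if snap is None:
            print(f"{label}: registry not available on this OS")
            continue
        print(f"{label}: looks_virtual={looks_virtual(snap)} hits={classify_registry_snapshot(snap)}")
```

In the constructed VMware snapshot only the BIOS values give the guest away; the CPU values look like real hardware, which is why samples read both and why a sandbox image should have its SMBIOS strings patched as well as its CPU identifiers.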

Network

  • US
    DNS
    whatismyip.akamai.com
    2b5155b6e823a0dc5e01d86e2773cc2b7bcc02a5c3ab8ed496297b7fb0ca04dc.exe
    Remote address:
    8.8.8.8:53
    Request
    whatismyip.akamai.com
    IN A
    Response
    whatismyip.akamai.com
    IN CNAME
    whatismyip.akamai.com.edgesuite.net
    whatismyip.akamai.com.edgesuite.net
    IN CNAME
    a1524.g.akamai.net
    a1524.g.akamai.net
    IN A
    104.109.143.6
    a1524.g.akamai.net
    IN A
    104.109.143.21
  • NL
    GET
    http://whatismyip.akamai.com/
    2b5155b6e823a0dc5e01d86e2773cc2b7bcc02a5c3ab8ed496297b7fb0ca04dc.exe
    Remote address:
    104.109.143.6:80
    Request
    GET / HTTP/1.1
    User-Agent: Trololo
    Host: whatismyip.akamai.com
    Response
    HTTP/1.1 200 OK
    Content-Type: text/html
    Content-Length: 12
    Expires: Mon, 03 Oct 2022 15:29:17 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Mon, 03 Oct 2022 15:29:17 GMT
    Connection: keep-alive
  • US
    DNS
    smtp.mail.ru
    2b5155b6e823a0dc5e01d86e2773cc2b7bcc02a5c3ab8ed496297b7fb0ca04dc.exe
    Remote address:
    8.8.8.8:53
    Request
    smtp.mail.ru
    IN A
    Response
    smtp.mail.ru
    IN A
    217.69.139.160
    smtp.mail.ru
    IN A
    94.100.180.160
  • 104.109.143.6:80
    http://whatismyip.akamai.com/
    http
    2b5155b6e823a0dc5e01d86e2773cc2b7bcc02a5c3ab8ed496297b7fb0ca04dc.exe
    bytes: 304 B / 654 B; packets: 5 / 4

    HTTP Request

    GET http://whatismyip.akamai.com/

    HTTP Response

    200
  • 217.69.139.160:25
    smtp.mail.ru
    2b5155b6e823a0dc5e01d86e2773cc2b7bcc02a5c3ab8ed496297b7fb0ca04dc.exe
    bytes: 152 B; packets: 3 (no second counter listed for this connection)
  • 8.8.8.8:53
    whatismyip.akamai.com
    dns
    2b5155b6e823a0dc5e01d86e2773cc2b7bcc02a5c3ab8ed496297b7fb0ca04dc.exe
    bytes: 67 B / 177 B; packets: 1 / 1

    DNS Request

    whatismyip.akamai.com

    DNS Response

    104.109.143.6
    104.109.143.21

  • 8.8.8.8:53
    smtp.mail.ru
    dns
    2b5155b6e823a0dc5e01d86e2773cc2b7bcc02a5c3ab8ed496297b7fb0ca04dc.exe
    bytes: 58 B / 90 B; packets: 1 / 1

    DNS Request

    smtp.mail.ru

    DNS Response

    217.69.139.160
    94.100.180.160
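The Processes and Network sections together give a detectable sequence: an executable in a user's Temp directory spawns a second executable from Temp, the parent resolves an external-IP-lookup service and fetches it with a User-Agent no browser sends, then resolves smtp.mail.ru and opens a TCP/25 connection. The script below is an added example, not part of the report or of Triage, that encodes those three observations as rules over Sysmon-style events (id 1 process create, id 22 DNS query, id 3 network connect) and proxy records. The images, PIDs, domains, addresses and User-Agent are copied from the report; the benign rows, the field names and the proxy records are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed telemetry shaped like Sysmon events. Malicious rows mirror the
# report; the Outlook and Chrome rows are invented benign activity.
PARENT = r"C:\Users\Admin\AppData\Local\Temp\2b5155b6e823a0dc5e01d86e2773cc2b7bcc02a5c3ab8ed496297b7fb0ca04dc.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\SO-MoneyHack v2.0.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

EVENTS: List[Dict] = [
    {"id": 1, "pid": 1672, "image": PARENT, "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 22, "pid": 1672, "image": PARENT, "query": "whatismyip.akamai.com"},
    {"id": 3, "pid": 1672, "image": PARENT, "dst": "104.109.143.6", "port": 80},
    {"id": 1, "pid": 1980, "image": DROPPED, "parent_image": PARENT},
    {"id": 22, "pid": 1672, "image": PARENT, "query": "smtp.mail.ru"},
    {"id": 3, "pid": 1672, "image": PARENT, "dst": "217.69.139.160", "port": 25},
    # benign activity the rules must not flag
    {"id": 1, "pid": 2200, "image": OUTLOOK, "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 3, "pid": 2200, "image": OUTLOOK, "dst": "203.0.113.10", "port": 587},
    {"id": 1, "pid": 3100, "image": CHROME, "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 22, "pid": 3100, "image": CHROME, "query": "www.akamai.com"},
]

# Constructed proxy records; the first mirrors the request in the report.
HTTP_RECORDS: List[Dict] = [
    {"host": "whatismyip.akamai.com", "user_agent": "Trololo"},
    {"host": "whatismyip.akamai.com", "user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"},
    {"host": "www.example.test", "user_agent": "curl/7.79.1"},
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
IP_LOOKUP_DOMAINS = {"whatismyip.akamai.com", "api.ipify.org", "icanhazip.com",
                     "ip-api.com", "checkip.amazonaws.com"}
MAIL_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # allowlist for direct SMTP


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def detect(events: List[Dict]) -> List[str]:
    alerts: List[str] = []
    # Rule 1: a Temp-resident executable spawning another one from Temp
    # (the 1672 -> 1980 pair in the process tree).
    for e in events:
        if e["id"] == 1 and TEMP_DIR_RE.search(e["image"]) and TEMP_DIR_RE.search(e["parent_image"]):
            alerts.append(f"dropped-exe-executed pid={e['pid']} image={basename(e['image'])} "
                          f"parent={basename(e['parent_image'])}")
    # Rules 2 and 3 look at everything one process did, in the order it did it.
    by_pid: Dict[int, List[Dict]] = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    for pid, evs in by_pid.items():
        image = basename(evs[0]["image"]).lower()
        mail_idx = [i for i, x in enumerate(evs) if x["id"] == 3 and x["port"] in MAIL_PORTS]
        lookup_idx = [i for i, x in enumerate(evs)
                      if x["id"] == 22 and x["query"].lower() in IP_LOOKUP_DOMAINS]
        # Rule 2: SMTP from anything that is not a mail client.
        if mail_idx and image not in MAIL_CLIENTS:
            first = evs[mail_idx[0]]
            alerts.append(f"direct-smtp-from-non-mail-client pid={pid} image={image} "
                          f"dst={first['dst']}:{first['port']}")
        # Rule 3: external-IP lookup followed by SMTP from the same process,
        # the stealer's "where am I, then mail it home" sequence.
        if lookup_idx and mail_idx and lookup_idx[0] < mail_idx[0]:
            alerts.append(f"ip-lookup-then-smtp pid={pid} lookup={evs[lookup_idx[0]]['query']}")
    return alerts


def flag_ip_lookup_user_agents(records: List[Dict]) -> List[Dict]:
    """IP-lookup services contacted with a User-Agent no browser would send."""
    return [r for r in records
            if r["host"].lower() in IP_LOOKUP_DOMAINS
            and not r["user_agent"].startswith("Mozilla/5.0")]


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
    for r in flag_ip_lookup_user_agents(HTTP_RECORDS):
        print(f"odd-user-agent host={r['host']} ua={r['user_agent']!r}")
```

Rule 3 is the one worth keeping even where rules 1 and 2 are too noisy: a single process that both asks an IP-lookup service who it is and then speaks SMTP is rare outside of mailer and stealer code, and the SMTP connection here is to a public webmail provider rather than the organisation's relay.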

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SO-MoneyHack v2.0.exe

    Filesize

    300KB

    MD5

    68f0dbc20c592161fad427c472f4e61f

    SHA1

    e0119274e1f14d136324bb6b3e5bde87bf999b3f

    SHA256

    479a30d7ee0286c2742dcc38422dc192b5bc0b60afa91ab51d7933060f41bb66

    SHA512

    b7e5cd20cda2266e710e948cf832f799949dab9421098cff78adf1f6f296903bd2a0833c4eae24729173a6275c0434cd13ad682f0056086f2c89a4ae3042bd38

  • \Users\Admin\AppData\Local\Temp\SO-MoneyHack v2.0.exe

    Filesize

    300KB

    MD5

    68f0dbc20c592161fad427c472f4e61f

    SHA1

    e0119274e1f14d136324bb6b3e5bde87bf999b3f

    SHA256

    479a30d7ee0286c2742dcc38422dc192b5bc0b60afa91ab51d7933060f41bb66

    SHA512

    b7e5cd20cda2266e710e948cf832f799949dab9421098cff78adf1f6f296903bd2a0833c4eae24729173a6275c0434cd13ad682f0056086f2c89a4ae3042bd38

  • memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

    Filesize

    8KB

  • memory/1672-55-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

  • memory/1672-60-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

  • memory/1672-63-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

  • memory/1980-59-0x0000000002050000-0x000000000208A000-memory.dmp

    Filesize

    232KB

  • memory/1980-61-0x0000000002090000-0x00000000020CA000-memory.dmp

    Filesize

    232KB

  • memory/1980-64-0x0000000004780000-0x000000000479E000-memory.dmp

    Filesize

    120KB

  • memory/1980-65-0x00000000047FA000-0x000000000480B000-memory.dmp

    Filesize

    68KB
