Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
70s -
max time network
73s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
06/10/2022, 10:03
Static task
static1
Behavioral task
behavioral1
Sample
FedEx Express Receipt.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
FedEx Express Receipt.exe
Resource
win10v2004-20220901-en
General
-
Target
FedEx Express Receipt.exe
-
Size
864KB
-
MD5
ba34257de8751d02e9af1e05d3a6e93d
-
SHA1
7da2f816cc2f24166f3055affedea306b9287e7c
-
SHA256
7ec5e4f9dca034b760fefc9f0d80c9225ae57d4f6d22bf1bf66dbffb48b5c06d
-
SHA512
e58d9b5b4d42fe92f36342545848eee09c920875109acec6da5aaf8858538604428f6f958382a154d6c64ab27c075a573c6d4d2ee7f0ca22aaded83f8df4e395
-
SSDEEP
12288:hHjk+R3Bxd0VioGAH8IMpIbjBpWZcvviVsZqhA7Kg4ve:51qk9IMpIbdpW+vqV0yXg4ve
Malware Config
Extracted
lokibot
http://162.0.223.13/?05315
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook FedEx Express Receipt.exe Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook FedEx Express Receipt.exe Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook FedEx Express Receipt.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2044 set thread context of 1596 2044 FedEx Express Receipt.exe 26 -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1596 FedEx Express Receipt.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1596 FedEx Express Receipt.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 2044 wrote to memory of 1596 2044 FedEx Express Receipt.exe 26 PID 2044 wrote to memory of 1596 2044 FedEx Express Receipt.exe 26 PID 2044 wrote to memory of 1596 2044 FedEx Express Receipt.exe 26 PID 2044 wrote to memory of 1596 2044 FedEx Express Receipt.exe 26 PID 2044 wrote to memory of 1596 2044 FedEx Express Receipt.exe 26 PID 2044 wrote to memory of 1596 2044 FedEx Express Receipt.exe 26 PID 2044 wrote to memory of 1596 2044 FedEx Express Receipt.exe 26 PID 2044 wrote to memory of 1596 2044 FedEx Express Receipt.exe 26 PID 2044 wrote to memory of 1596 2044 FedEx Express Receipt.exe 26 PID 2044 wrote to memory of 1596 2044 FedEx Express Receipt.exe 26 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook FedEx Express Receipt.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook FedEx Express Receipt.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FedEx Express Receipt.exe"C:\Users\Admin\AppData\Local\Temp\FedEx Express Receipt.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Users\Admin\AppData\Local\Temp\FedEx Express Receipt.exe"C:\Users\Admin\AppData\Local\Temp\FedEx Express Receipt.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1596
-