Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
90s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
06/10/2022, 10:03
Static task
static1
Behavioral task
behavioral1
Sample
FedEx Express Receipt.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
FedEx Express Receipt.exe
Resource
win10v2004-20220901-en
General
-
Target
FedEx Express Receipt.exe
-
Size
864KB
-
MD5
ba34257de8751d02e9af1e05d3a6e93d
-
SHA1
7da2f816cc2f24166f3055affedea306b9287e7c
-
SHA256
7ec5e4f9dca034b760fefc9f0d80c9225ae57d4f6d22bf1bf66dbffb48b5c06d
-
SHA512
e58d9b5b4d42fe92f36342545848eee09c920875109acec6da5aaf8858538604428f6f958382a154d6c64ab27c075a573c6d4d2ee7f0ca22aaded83f8df4e395
-
SSDEEP
12288:hHjk+R3Bxd0VioGAH8IMpIbjBpWZcvviVsZqhA7Kg4ve:51qk9IMpIbdpW+vqV0yXg4ve
Malware Config
Extracted
lokibot
http://162.0.223.13/?05315
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook FedEx Express Receipt.exe Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook FedEx Express Receipt.exe Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook FedEx Express Receipt.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4904 set thread context of 2884 4904 FedEx Express Receipt.exe 91 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4904 FedEx Express Receipt.exe 4904 FedEx Express Receipt.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2884 FedEx Express Receipt.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4904 FedEx Express Receipt.exe Token: SeDebugPrivilege 2884 FedEx Express Receipt.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4904 wrote to memory of 1064 4904 FedEx Express Receipt.exe 90 PID 4904 wrote to memory of 1064 4904 FedEx Express Receipt.exe 90 PID 4904 wrote to memory of 1064 4904 FedEx Express Receipt.exe 90 PID 4904 wrote to memory of 2884 4904 FedEx Express Receipt.exe 91 PID 4904 wrote to memory of 2884 4904 FedEx Express Receipt.exe 91 PID 4904 wrote to memory of 2884 4904 FedEx Express Receipt.exe 91 PID 4904 wrote to memory of 2884 4904 FedEx Express Receipt.exe 91 PID 4904 wrote to memory of 2884 4904 FedEx Express Receipt.exe 91 PID 4904 wrote to memory of 2884 4904 FedEx Express Receipt.exe 91 PID 4904 wrote to memory of 2884 4904 FedEx Express Receipt.exe 91 PID 4904 wrote to memory of 2884 4904 FedEx Express Receipt.exe 91 PID 4904 wrote to memory of 2884 4904 FedEx Express Receipt.exe 91 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook FedEx Express Receipt.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook FedEx Express Receipt.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FedEx Express Receipt.exe"C:\Users\Admin\AppData\Local\Temp\FedEx Express Receipt.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Users\Admin\AppData\Local\Temp\FedEx Express Receipt.exe"C:\Users\Admin\AppData\Local\Temp\FedEx Express Receipt.exe"2⤵PID:1064
-
-
C:\Users\Admin\AppData\Local\Temp\FedEx Express Receipt.exe"C:\Users\Admin\AppData\Local\Temp\FedEx Express Receipt.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2884
-