Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    123s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    19/10/2022, 17:39

General

  • Target

    REMITTANCE SLIP ADVISE_pdf.exe

  • Size

    209KB

  • MD5

    1be9bac6394ecf58c82ff9cfdb17beb7

  • SHA1

    586d42863e3866230a13c2d753e94aa5991f665e

  • SHA256

    5f4e853dec8fb25a1bf395fadd55a4a90ac7754e1339d17d3c602bb3c66dc6af

  • SHA512

    e5645dde55795a16287eab52c0ad45adefa9c2ec91d40ce49b486f7e9baaab52dd29d6170e381c4cc917adac1db8da27bf8fc81a8b58fcad7c8bcb33fd43ec2c

  • SSDEEP

    6144:mbE/HUbt040+3ZQ7qazA4V8rPYqFzak0BqrUe:mb/tiiIqa89P3FqsX

Malware Config

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\REMITTANCE SLIP ADVISE_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\REMITTANCE SLIP ADVISE_pdf.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe
      "C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe
        "C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe"
        3⤵
        • Executes dropped EXE
        PID:1708
      • C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe
        "C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe"
        3⤵
        • Loads dropped DLL
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1592

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe

    Filesize

    133KB

    MD5

    4f55952b6403887ac5f6892b87e7d704

    SHA1

    b9a2cb36197806c79c1c62aa610b4b010e20d104

    SHA256

    38064fdd6148729db554335f9fe660e6da067b17c5a4e6acb6defb102ac6e606

    SHA512

    d2c279da8a56f680b75ce46df050361164abef3a1b89f6075a8e93eb0e4903cf98b71b0f0d00fbff6bed6ddad0804cff848d19456f7fa5bfc13c063018efee11

  • C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe

    Filesize

    133KB

    MD5

    4f55952b6403887ac5f6892b87e7d704

    SHA1

    b9a2cb36197806c79c1c62aa610b4b010e20d104

    SHA256

    38064fdd6148729db554335f9fe660e6da067b17c5a4e6acb6defb102ac6e606

    SHA512

    d2c279da8a56f680b75ce46df050361164abef3a1b89f6075a8e93eb0e4903cf98b71b0f0d00fbff6bed6ddad0804cff848d19456f7fa5bfc13c063018efee11

  • C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe

    Filesize

    133KB

    MD5

    4f55952b6403887ac5f6892b87e7d704

    SHA1

    b9a2cb36197806c79c1c62aa610b4b010e20d104

    SHA256

    38064fdd6148729db554335f9fe660e6da067b17c5a4e6acb6defb102ac6e606

    SHA512

    d2c279da8a56f680b75ce46df050361164abef3a1b89f6075a8e93eb0e4903cf98b71b0f0d00fbff6bed6ddad0804cff848d19456f7fa5bfc13c063018efee11

  • C:\Users\Admin\AppData\Local\Temp\hcpyulw.exe

    Filesize

    133KB

    MD5

    4f55952b6403887ac5f6892b87e7d704

    SHA1

    b9a2cb36197806c79c1c62aa610b4b010e20d104

    SHA256

    38064fdd6148729db554335f9fe660e6da067b17c5a4e6acb6defb102ac6e606

    SHA512

    d2c279da8a56f680b75ce46df050361164abef3a1b89f6075a8e93eb0e4903cf98b71b0f0d00fbff6bed6ddad0804cff848d19456f7fa5bfc13c063018efee11

  • C:\Users\Admin\AppData\Local\Temp\ndfpbbxx.i

    Filesize

    104KB

    MD5

    d1c8d9bf46a1165e80e3b59635bf2884

    SHA1

    f704bc41a4930a4859420423f404cac43de8e527

    SHA256

    59d386110a90dd8fc51c3a602c5624b2456b6f2fdf371fac8540c2dba62f4d23

    SHA512

    b9db300d11b5472791585e4bece00ab1477b0a9a8454674f62c7ea9afe0be691f3c50e6a642ae44ea5f8cc7cf004997e7428e6d1ac865051c1b4f2d6a61aa36d

  • C:\Users\Admin\AppData\Local\Temp\uwngs.f

    Filesize

    4KB

    MD5

    cd49ab3b45660b0472efda650f1c3480

    SHA1

    b5686c548f951ed51dd20f0454e75720fb4c6f05

    SHA256

    fd5997ddb1a6b2bea0ddde2b531a5e1c76f8300c475ee2cbe95c89e576fb2161

    SHA512

    d7e82adab1334b6553bd30a79d0750581d5c5d8a07e1fee3cb0624a44b9837687c8e7a9a24d667c9ac51a7ff1d02c8a13bc95f5749eaadea8b22dde347707731

  • \Users\Admin\AppData\Local\Temp\hcpyulw.exe

    Filesize

    133KB

    MD5

    4f55952b6403887ac5f6892b87e7d704

    SHA1

    b9a2cb36197806c79c1c62aa610b4b010e20d104

    SHA256

    38064fdd6148729db554335f9fe660e6da067b17c5a4e6acb6defb102ac6e606

    SHA512

    d2c279da8a56f680b75ce46df050361164abef3a1b89f6075a8e93eb0e4903cf98b71b0f0d00fbff6bed6ddad0804cff848d19456f7fa5bfc13c063018efee11

  • \Users\Admin\AppData\Local\Temp\hcpyulw.exe

    Filesize

    133KB

    MD5

    4f55952b6403887ac5f6892b87e7d704

    SHA1

    b9a2cb36197806c79c1c62aa610b4b010e20d104

    SHA256

    38064fdd6148729db554335f9fe660e6da067b17c5a4e6acb6defb102ac6e606

    SHA512

    d2c279da8a56f680b75ce46df050361164abef3a1b89f6075a8e93eb0e4903cf98b71b0f0d00fbff6bed6ddad0804cff848d19456f7fa5bfc13c063018efee11

  • \Users\Admin\AppData\Local\Temp\hcpyulw.exe

    Filesize

    133KB

    MD5

    4f55952b6403887ac5f6892b87e7d704

    SHA1

    b9a2cb36197806c79c1c62aa610b4b010e20d104

    SHA256

    38064fdd6148729db554335f9fe660e6da067b17c5a4e6acb6defb102ac6e606

    SHA512

    d2c279da8a56f680b75ce46df050361164abef3a1b89f6075a8e93eb0e4903cf98b71b0f0d00fbff6bed6ddad0804cff848d19456f7fa5bfc13c063018efee11

  • memory/784-54-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

    Filesize

    8KB