Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
134s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
30/10/2022, 16:52
Static task
static1
Behavioral task
behavioral1
Sample
81c13a9f00c3f44035f35af76ca5574db284c881adb1c15b362c5602aef725a6.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
81c13a9f00c3f44035f35af76ca5574db284c881adb1c15b362c5602aef725a6.exe
Resource
win10v2004-20220812-en
General
-
Target
81c13a9f00c3f44035f35af76ca5574db284c881adb1c15b362c5602aef725a6.exe
-
Size
113KB
-
MD5
822d18994728a28b7fe9fee8f5728c00
-
SHA1
9a3f82751f5b693c3e17b5af44d7ab2e73355367
-
SHA256
81c13a9f00c3f44035f35af76ca5574db284c881adb1c15b362c5602aef725a6
-
SHA512
38056784323c73774d12e28752212d139f87c1f30f0e6329d070dfe7bbc6c6f618e9dc3a3f9eb84fec5d07258dda72a4fc7a1fd9788a39d02b64fd29cac69e99
-
SSDEEP
3072:RHTE0OuIfuenAbCRdmrqJ6HDQrlIE6HjSgl6J/9WD:RzWLGeK20qoH2D6DtgJ/9
Malware Config
Extracted
pony
http://guttersupply.mobi/ponyb/gate.php
http://iguttersupply.com/ponyb/gate.php
http://micromeshleafguard.com/ponyb/gate.php
http://ornamentalgutters.com/ponyb/gate.php
-
payload_url
http://190.147.81.28/Msm.exe
http://pje-llc.com/KtE.exe
http://salsaconfuego.com/RCY.exe
http://www.les-vins-du-monde.fr/ra7twEg.exe
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts 81c13a9f00c3f44035f35af76ca5574db284c881adb1c15b362c5602aef725a6.exe -
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 81c13a9f00c3f44035f35af76ca5574db284c881adb1c15b362c5602aef725a6.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeImpersonatePrivilege 956 81c13a9f00c3f44035f35af76ca5574db284c881adb1c15b362c5602aef725a6.exe Token: SeTcbPrivilege 956 81c13a9f00c3f44035f35af76ca5574db284c881adb1c15b362c5602aef725a6.exe Token: SeChangeNotifyPrivilege 956 81c13a9f00c3f44035f35af76ca5574db284c881adb1c15b362c5602aef725a6.exe Token: SeCreateTokenPrivilege 956 81c13a9f00c3f44035f35af76ca5574db284c881adb1c15b362c5602aef725a6.exe Token: SeBackupPrivilege 956 81c13a9f00c3f44035f35af76ca5574db284c881adb1c15b362c5602aef725a6.exe Token: SeRestorePrivilege 956 81c13a9f00c3f44035f35af76ca5574db284c881adb1c15b362c5602aef725a6.exe Token: SeIncreaseQuotaPrivilege 956 81c13a9f00c3f44035f35af76ca5574db284c881adb1c15b362c5602aef725a6.exe Token: SeAssignPrimaryTokenPrivilege 956 81c13a9f00c3f44035f35af76ca5574db284c881adb1c15b362c5602aef725a6.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook 81c13a9f00c3f44035f35af76ca5574db284c881adb1c15b362c5602aef725a6.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\81c13a9f00c3f44035f35af76ca5574db284c881adb1c15b362c5602aef725a6.exe"C:\Users\Admin\AppData\Local\Temp\81c13a9f00c3f44035f35af76ca5574db284c881adb1c15b362c5602aef725a6.exe"1⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:956