Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    168s
  • max time network
    181s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/12/2022, 09:38 UTC

General

  • Target

    af8d3488f30527e942d0022e7c6fcd87e47f43f956a1ea51cf1aa32544175b5c.exe

  • Size

    1.5MB

  • MD5

    7f7b975c1658fe0fc6d7913f1bdd08a7

  • SHA1

    45ccf2ad1260883df7d14df36b47f47b32ffc480

  • SHA256

    af8d3488f30527e942d0022e7c6fcd87e47f43f956a1ea51cf1aa32544175b5c

  • SHA512

    7f1fa7a52b7d3821b1cdc1e3b7eda0744040018fa06a40ed2e99b9b2d83b28afabb7f111be8c1470c4cb408323d875e594b8f9346fd36486088c3567364d795b

  • SSDEEP

    24576:tmpzgGd5UyylnSF99NfqLi+gJmssUZpwEi5nLwrFqznNM:IplDlmBvPp5nLwrFinNM

Malware Config

Signatures

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af8d3488f30527e942d0022e7c6fcd87e47f43f956a1ea51cf1aa32544175b5c.exe
    "C:\Users\Admin\AppData\Local\Temp\af8d3488f30527e942d0022e7c6fcd87e47f43f956a1ea51cf1aa32544175b5c.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4548
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im chrome.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:996
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im chrome.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2280

Network

  • flag-unknown
    DNS
    www.icodeps.com
    af8d3488f30527e942d0022e7c6fcd87e47f43f956a1ea51cf1aa32544175b5c.exe
    Remote address:
    8.8.8.8:53
    Request
    www.icodeps.com
    IN A
    Response
  • flag-unknown
    DNS
    iplogger.org
    af8d3488f30527e942d0022e7c6fcd87e47f43f956a1ea51cf1aa32544175b5c.exe
    Remote address:
    8.8.8.8:53
    Request
    iplogger.org
    IN A
    Response
    iplogger.org
    IN A
    148.251.234.83
  • 8.248.5.254:80
    260 B
    5
  • 148.251.234.83:443
    iplogger.org
    tls
    af8d3488f30527e942d0022e7c6fcd87e47f43f956a1ea51cf1aa32544175b5c.exe
    837 B
    5.5kB
    11
    10
  • 104.80.225.205:443
    322 B
    7
  • 8.248.5.254:80
    af8d3488f30527e942d0022e7c6fcd87e47f43f956a1ea51cf1aa32544175b5c.exe
    260 B
    5
  • 52.182.143.208:443
    322 B
    7
  • 8.248.5.254:80
    322 B
    7
  • 8.248.5.254:80
    322 B
    7
  • 8.248.5.254:80
    322 B
    7
  • 148.251.234.83:443
    iplogger.org
    tls
    af8d3488f30527e942d0022e7c6fcd87e47f43f956a1ea51cf1aa32544175b5c.exe
    401 B
    219 B
    6
    5
  • 148.251.234.83:443
    iplogger.org
    af8d3488f30527e942d0022e7c6fcd87e47f43f956a1ea51cf1aa32544175b5c.exe
    208 B
    4
  • 8.8.8.8:53
    www.icodeps.com
    dns
    af8d3488f30527e942d0022e7c6fcd87e47f43f956a1ea51cf1aa32544175b5c.exe
    61 B
    61 B
    1
    1

    DNS Request

    www.icodeps.com

  • 8.8.8.8:53
    iplogger.org
    dns
    af8d3488f30527e942d0022e7c6fcd87e47f43f956a1ea51cf1aa32544175b5c.exe
    58 B
    74 B
    1
    1

    DNS Request

    iplogger.org

    DNS Response

    148.251.234.83

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.