Analysis
- max time kernel: 149s
- max time network: 137s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 21/12/2022, 01:43
Behavioral task: behavioral1
- Sample: 09ee64f8bb9aebb6a09da283e34c528a.exe
- Resource: win7-20220901-en
General
- Target: 09ee64f8bb9aebb6a09da283e34c528a.exe
- Size: 232KB
- MD5: 09ee64f8bb9aebb6a09da283e34c528a
- SHA1: 3b55fff91903daf89131c1ee51653c7cf4027d18
- SHA256: e03f6c4f04ef25238b6d7c8a447555402caa7d1ddb1803bbb6cbcb889cab1135
- SHA512: e12a387b578dc1b1307e9bc7fb43e9da5b4a10106958fb329e171f8851767911814e74e2c7468460d00a9adf1691430be28439a087e12383a16a27b8e490aebf
- SSDEEP: 6144:bDubaBBOBIIj6HLLYLCYJqvc1DMaJ+2+AHbEr1peYGrNNaR0NUg:ubaj9Gk1pLZi
Malware Config
Extracted: asyncrat
- Default
- 127.0.0.1:6606
- 127.0.0.1:7707
- 127.0.0.1:8808
- https://api.telegram.org/bot5841906429:AAHSe6la_NGlt9rOSoOwJAowwZ6H54N0dWA/sendMessage?chat_id=5816850831
- AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Signatures
- StormKitty
  StormKitty is an open source info stealer written in C#.
- StormKitty payload (1 IoC)
  resource: behavioral1/memory/1220-54-0x0000000000A30000-0x0000000000A70000-memory.dmp; yara_rule: family_stormkitty
- Async RAT payload (1 IoC)
  resource: behavioral1/memory/1220-54-0x0000000000A30000-0x0000000000A70000-memory.dmp; yara_rule: asyncrat
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (5 IoCs)
  description / ioc / Process:
  - File created: C:\Users\Admin\AppData\Local\87e192321bff5e78c29cab0ac3a6eee0\Admin@RYNKSFQE_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini (09ee64f8bb9aebb6a09da283e34c528a.exe)
  - File created: C:\Users\Admin\AppData\Local\87e192321bff5e78c29cab0ac3a6eee0\Admin@RYNKSFQE_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini (09ee64f8bb9aebb6a09da283e34c528a.exe)
  - File created: C:\Users\Admin\AppData\Local\87e192321bff5e78c29cab0ac3a6eee0\Admin@RYNKSFQE_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini (09ee64f8bb9aebb6a09da283e34c528a.exe)
  - File created: C:\Users\Admin\AppData\Local\87e192321bff5e78c29cab0ac3a6eee0\Admin@RYNKSFQE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini (09ee64f8bb9aebb6a09da283e34c528a.exe)
  - File opened for modification: C:\Users\Admin\AppData\Local\87e192321bff5e78c29cab0ac3a6eee0\Admin@RYNKSFQE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini (09ee64f8bb9aebb6a09da283e34c528a.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 3; ioc: icanhazip.com
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (09ee64f8bb9aebb6a09da283e34c528a.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (09ee64f8bb9aebb6a09da283e34c528a.exe)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - pid 1364: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (53 IoCs)
  - pid 1220: 09ee64f8bb9aebb6a09da283e34c528a.exe (the same entry is listed 53 times in the report)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege; pid 1220: 09ee64f8bb9aebb6a09da283e34c528a.exe (listed twice in the report)
- Suspicious use of WriteProcessMemory (32 IoCs)
  description / pid / Process / procid_target (each entry below is listed four times in the report):
  - PID 1220 wrote to memory of 288; 09ee64f8bb9aebb6a09da283e34c528a.exe; procid_target 28
  - PID 288 wrote to memory of 904; cmd.exe; procid_target 30
  - PID 288 wrote to memory of 1844; cmd.exe; procid_target 31
  - PID 288 wrote to memory of 1544; cmd.exe; procid_target 32
  - PID 1220 wrote to memory of 1100; 09ee64f8bb9aebb6a09da283e34c528a.exe; procid_target 33
  - PID 1100 wrote to memory of 1580; cmd.exe; procid_target 35
  - PID 1100 wrote to memory of 1692; cmd.exe; procid_target 36
  - PID 1220 wrote to memory of 1364; 09ee64f8bb9aebb6a09da283e34c528a.exe; procid_target 37
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\09ee64f8bb9aebb6a09da283e34c528a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09ee64f8bb9aebb6a09da283e34c528a.exe"
  PID: 1220
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    PID: 288
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\chcp.com
      Command line: chcp 65001
      PID: 904
    - [3] C:\Windows\SysWOW64\netsh.exe
      Command line: netsh wlan show profile
      PID: 1844
    - [3] C:\Windows\SysWOW64\findstr.exe
      Command line: findstr All
      PID: 1544
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    PID: 1100
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\chcp.com
      Command line: chcp 65001
      PID: 1580
    - [3] C:\Windows\SysWOW64\netsh.exe
      Command line: netsh wlan show networks mode=bssid
      PID: 1692
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\09ee64f8bb9aebb6a09da283e34c528a.exe"
    PID: 1364
    - Creates scheduled task(s)