Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    142s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    11/01/2023, 07:32

General

  • Target

    SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe

  • Size

    622KB

  • MD5

    a1eb9b01ff7b80dac067728bc1476c55

  • SHA1

    40be959c6151c3a224189045084c0c729540390d

  • SHA256

    a72167e93f3c86c49dcfb62116416dd94a3781933252f1e0096beba7973e2c3b

  • SHA512

    bde60cd01dcfcba0053279725c9cae50b3941c3471bc41eddf8e287934f8f11e2218d9d5245b2cabae5a7ca58f5f66aaf4bb76c908e9f4d0fe4e03224d60ca33

  • SSDEEP

    12288:AcWJ+6nT8mlodoRNnKRpj25w3Ng1ADX9rMIbyyjRt:AXBn1lodo6jf3NgMBxOyj/

Malware Config

Extracted

Family

marsstealer

Botnet

Default

C2

152.89.218.97/gate.php

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • Mars Stealer

    An infostealer written in C++ based on other infostealers.

  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe"
    1⤵
    • Checks QEMU agent file
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1532
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe"
      2⤵
      • Checks QEMU agent file
      • Loads dropped DLL
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:968
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe" & exit
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:568
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 5
          4⤵
          • Delays execution with timeout.exe
          PID:672

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \ProgramData\mozglue.dll

    Filesize

    133KB

    MD5

    8f73c08a9660691143661bf7332c3c27

    SHA1

    37fa65dd737c50fda710fdbde89e51374d0c204a

    SHA256

    3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

    SHA512

    0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

  • \ProgramData\nss3.dll

    Filesize

    1.2MB

    MD5

    bfac4e3c5908856ba17d41edcd455a51

    SHA1

    8eec7e888767aa9e4cca8ff246eb2aacb9170428

    SHA256

    e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

    SHA512

    2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

  • \Users\Admin\AppData\Local\Temp\nsiCAF.tmp\System.dll

    Filesize

    11KB

    MD5

    17ed1c86bd67e78ade4712be48a7d2bd

    SHA1

    1cc9fe86d6d6030b4dae45ecddce5907991c01a0

    SHA256

    bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

    SHA512

    0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

  • memory/968-82-0x0000000060900000-0x0000000060992000-memory.dmp

    Filesize

    584KB

  • memory/968-79-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

  • memory/968-108-0x0000000001470000-0x0000000007313000-memory.dmp

    Filesize

    94.6MB

  • memory/968-64-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

  • memory/968-65-0x0000000001470000-0x0000000007313000-memory.dmp

    Filesize

    94.6MB

  • memory/968-106-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

  • memory/968-105-0x00000000770B0000-0x0000000077230000-memory.dmp

    Filesize

    1.5MB

  • memory/968-68-0x0000000001470000-0x0000000007313000-memory.dmp

    Filesize

    94.6MB

  • memory/968-69-0x0000000076ED0000-0x0000000077079000-memory.dmp

    Filesize

    1.7MB

  • memory/968-72-0x00000000770B0000-0x0000000077230000-memory.dmp

    Filesize

    1.5MB

  • memory/968-73-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

  • memory/968-76-0x0000000000401000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

  • memory/968-78-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/968-103-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

  • memory/968-81-0x0000000076ED0000-0x0000000077079000-memory.dmp

    Filesize

    1.7MB

  • memory/1532-54-0x0000000075091000-0x0000000075093000-memory.dmp

    Filesize

    8KB

  • memory/1532-80-0x00000000770B0000-0x0000000077230000-memory.dmp

    Filesize

    1.5MB

  • memory/1532-58-0x0000000076ED0000-0x0000000077079000-memory.dmp

    Filesize

    1.7MB

  • memory/1532-62-0x00000000770B0000-0x0000000077230000-memory.dmp

    Filesize

    1.5MB

  • memory/1532-57-0x0000000002520000-0x000000000316A000-memory.dmp

    Filesize

    12.3MB

  • memory/1532-66-0x00000000770B0000-0x0000000077230000-memory.dmp

    Filesize

    1.5MB

  • memory/1532-67-0x00000000770B0000-0x0000000077230000-memory.dmp

    Filesize

    1.5MB

  • memory/1532-56-0x0000000002520000-0x000000000316A000-memory.dmp

    Filesize

    12.3MB

  • memory/1532-63-0x00000000770B0000-0x0000000077230000-memory.dmp

    Filesize

    1.5MB