Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 142s
max time network: 140s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 11/01/2023, 07:32

Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe
  Resource: win10v2004-20220812-en

General
Target: SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe
Size: 622KB
MD5: a1eb9b01ff7b80dac067728bc1476c55
SHA1: 40be959c6151c3a224189045084c0c729540390d
SHA256: a72167e93f3c86c49dcfb62116416dd94a3781933252f1e0096beba7973e2c3b
SHA512: bde60cd01dcfcba0053279725c9cae50b3941c3471bc41eddf8e287934f8f11e2218d9d5245b2cabae5a7ca58f5f66aaf4bb76c908e9f4d0fe4e03224d60ca33
SSDEEP: 12288:AcWJ+6nT8mlodoRNnKRpj25w3Ng1ADX9rMIbyyjRt:AXBn1lodo6jf3NgMBxOyj/
Malware Config
Extracted
Family: marsstealer
Botnet: Default
C2: 152.89.218.97/gate.php
Signatures
In the IoC lines below, "the sample" is SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe. Where a signature fires more than once on the same process, each occurrence is listed.

Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.

Mars Stealer
An infostealer written in C++, based on other infostealers.

Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks for the presence of the QEMU guest agent, possibly to detect virtualization.
  File opened (read-only): C:\Program Files\Qemu-ga\qemu-ga.exe, by the sample
  File opened (read-only): C:\Program Files\Qemu-ga\qemu-ga.exe, by the sample

Deletes itself (1 IoC)
  PID 568, cmd.exe

Loads dropped DLL (3 IoCs)
  PID 1532, the sample
  PID 968, the sample
  PID 968, the sample

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate installed software.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\Befalings\Zoocoenocyte73\Samordningsproblemers.ini, by the sample

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  PID 968, the sample

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  PID 1532, the sample
  PID 968, the sample

Suspicious use of SetThreadContext (1 IoC)
  PID 1532 (the sample) set thread context of PID 968, target procid 27

Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\Tennist\Retteskemaer\Udblst217\Bacillogenic.ini, by the sample

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The signature's generic description calls this likely ransomware behaviour; in this report it sits alongside stealer signatures (Mars Stealer, browser data, wallet files), so read it as a generic drive-enumeration heuristic rather than as evidence of encryption.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, by the sample
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString, by the sample

Delays execution with timeout.exe (1 IoC)
  PID 672, timeout.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  PID 1532, the sample

Suspicious use of WriteProcessMemory (13 IoCs)
  PID 1532 (the sample) wrote to memory of PID 968, target procid 27: 5 occurrences
  PID 968 (the sample) wrote to memory of PID 568, target procid 30: 4 occurrences
  PID 568 (cmd.exe) wrote to memory of PID 672, target procid 32: 4 occurrences
The writes from 968 to 568 and from 568 to 672 accompany the spawning of those children. The writes from 1532 to 968, taken together with SetThreadContext and MapViewOfSection on PID 1532, are the ones that indicate the first instance replacing the code of the second copy of itself before running it.
Processes
1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe (PID 1532)
   command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe"
   - Checks QEMU agent file
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Drops file in Windows directory
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe (PID 968, child of 1532)
      command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe"
      - Checks QEMU agent file
      - Loads dropped DLL
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 568, child of 968)
         command line: "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe" & exit
         - Deletes itself
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\timeout.exe (PID 672, child of 568)
            command line: timeout /t 5
            - Delays execution with timeout.exe

The image paths of cmd.exe and timeout.exe are under SysWOW64 although the command line names System32: the 32-bit sample's process creation is subject to WOW64 file system redirection. The second instance of the sample, not the first, is the one that reads ProcessorNameString and that launches the delayed deletion of the original file on disk.
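The behaviours flagged above (the cmd.exe/timeout.exe self-deletion, the sample spawning a second copy of itself whose thread context the parent then sets, and the QEMU-agent and ProcessorNameString sandbox checks) replayed as telemetry-style events through small detection checks. This is an added example, not code from the Triage report or from any tool it names. All events are constructed from the report's process tree and IoC lines; the field names (pid, ppid, image, cmdline, kind, target) and the stand-in parent PID 1000 for the first instance are assumptions, loosely modelled on Sysmon-style process, file and registry events rather than Triage's own schema.

```python
"""Added example, not part of the Triage report or of any tool it names.

Replays the report's flagged behaviours as constructed telemetry events and
runs detection checks over them.  Field names are assumptions (Sysmon-like),
not Triage's schema.
"""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\SecuriteInfo.com.Gen.Variant.Nemesis.16281.18907.11936.exe")
CMD = r"C:\Windows\SysWOW64\cmd.exe"
TIMEOUT = r"C:\Windows\SysWOW64\timeout.exe"

# Constructed process-creation events mirroring the report's process tree.
# PID 1000 is an assumed stand-in for the unrecorded launcher of PID 1532.
PROCESS_EVENTS = [
    {"pid": 1532, "ppid": 1000, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"pid": 968,  "ppid": 1532, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"pid": 568,  "ppid": 968,  "image": CMD,
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c timeout /t 5 & del /f /q "'
                + SAMPLE + '" & exit'},
    {"pid": 672,  "ppid": 568,  "image": TIMEOUT, "cmdline": "timeout /t 5"},
]

# Constructed file/registry access events mirroring the report's IoC lines.
ACCESS_EVENTS = [
    {"pid": 1532, "kind": "file_open",
     "target": r"C:\Program Files\Qemu-ga\qemu-ga.exe"},
    {"pid": 968, "kind": "file_open",
     "target": r"C:\Program Files\Qemu-ga\qemu-ga.exe"},
    {"pid": 968, "kind": "reg_query",
     "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor"
               r"\0\ProcessorNameString"},
]

# "del [switches] "<path>"" and "timeout /t <secs>" inside a cmd.exe command line.
DEL_RE = re.compile(r'\bdel\b[^&|"]*"(?P<path>[^"]+)"', re.IGNORECASE)
TIMEOUT_RE = re.compile(r'\btimeout(?:\.exe)?\s+/t\s+(?P<secs>\d+)', re.IGNORECASE)

# Lower-cased path suffixes of the virtualisation fingerprints in the report.
VM_ARTIFACTS = {
    "file_open": (r"\qemu-ga\qemu-ga.exe",),
    "reg_query": (r"\centralprocessor\0\processornamestring",),
}


def ancestor_images(events, pid):
    """Lower-cased images of pid's ancestors, nearest parent first."""
    by_pid = {e["pid"]: e for e in events}
    out, seen, cur = [], set(), by_pid.get(pid)
    while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        out.append(cur["image"].lower())
    return out


def find_self_deletion(events):
    """cmd.exe that deletes the image of one of its own ancestors.

    Returns [(cmd_pid, deleted_path, delay_seconds_or_None)].  A del of an
    unrelated file, or a cmd.exe whose parent chain is missing from the
    telemetry, is not reported.
    """
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e["cmdline"])
        if not m or m.group("path").lower() not in ancestor_images(events, e["pid"]):
            continue
        t = TIMEOUT_RE.search(e["cmdline"])
        hits.append((e["pid"], m.group("path"), int(t.group("secs")) if t else None))
    return hits


def find_self_spawn(events):
    """(parent_pid, child_pid) pairs running the same image.  In the report
    the parent (1532) then set the child's (968) thread context."""
    by_pid = {e["pid"]: e for e in events}
    return [(e["ppid"], e["pid"]) for e in events
            if e["ppid"] in by_pid
            and by_pid[e["ppid"]]["image"].lower() == e["image"].lower()]


def find_vm_checks(access_events):
    """{pid: sorted artifact suffixes} for processes touching VM fingerprints."""
    out = defaultdict(set)
    for e in access_events:
        for suffix in VM_ARTIFACTS.get(e["kind"], ()):
            if e["target"].lower().endswith(suffix):
                out[e["pid"]].add(suffix)
    return {pid: sorted(s) for pid, s in out.items()}


if __name__ == "__main__":
    print("self-deletion:", find_self_deletion(PROCESS_EVENTS))
    print("self-spawn:   ", find_self_spawn(PROCESS_EVENTS))
    print("vm checks:    ", find_vm_checks(ACCESS_EVENTS))
```

The self-deletion check deliberately walks the parent chain instead of matching any `del` in a cmd.exe command line: a cmd.exe deleting one of its own ancestors is the pattern seen here (PID 568 deleting the image of PIDs 968 and 1532), whereas a script cleaning up temp files is not. If the parent events are missing from telemetry the check stays silent rather than guessing, so retention of process-creation events for the full chain matters.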
Network
MITRE ATT&CK Enterprise v6
Downloads

File 1
Filesize: 133KB
MD5: 8f73c08a9660691143661bf7332c3c27
SHA1: 37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256: 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512: 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

File 2
Filesize: 1.2MB
MD5: bfac4e3c5908856ba17d41edcd455a51
SHA1: 8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256: e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512: 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

File 3
Filesize: 11KB
MD5: 17ed1c86bd67e78ade4712be48a7d2bd
SHA1: 1cc9fe86d6d6030b4dae45ecddce5907991c01a0
SHA256: bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb
SHA512: 0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5