Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
46s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
03/02/2023, 15:18
Static task
static1
Behavioral task
behavioral1
Sample
Uarngd.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
Uarngd.exe
Resource
win10v2004-20221111-en
General
-
Target
Uarngd.exe
-
Size
7KB
-
MD5
51b95537e2f88be4e97ca30fd565c6a2
-
SHA1
3c19c4f72b3737b8c365462b578e46a681990470
-
SHA256
3b6d60b69e3438ca5aaad8edf8b87f8c39f72803aa3c90a929aff5239d998333
-
SHA512
d177cfdbec6511d7fce4911b0e2b4d3581bb625d02df2ced2ab3cf774873cae1748f796fa939b269c1d0c267a63f89d82c51784c183c067cd9f9c6a0f89e9c39
-
SSDEEP
96:0+10kTSeg3MLEmVJsdtldCDxLGP8ZY7ZMtblNb6k2wImQgJtXstMtzNt:0+nWeg3SXJ45C5GPGldHbIfgzXEMH
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot5497972920:AAHqqS9EfkxnwYz3pQtCWef33URevfy5tRk/sendMessage?chat_id=1653988628
Signatures
-
Detect PureCrypter injector 1 IoCs
resource yara_rule behavioral1/memory/2024-56-0x00000000062B0000-0x0000000006520000-memory.dmp family_purecrypter -
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 6 IoCs
resource yara_rule behavioral1/memory/1544-66-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/1544-68-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/1544-69-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/1544-70-0x00000000004207DE-mapping.dmp family_snakekeylogger behavioral1/memory/1544-72-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger behavioral1/memory/1544-74-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Uarngd.exe Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Uarngd.exe Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Uarngd.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fapkq = "\"C:\\Users\\Admin\\AppData\\Roaming\\Icrqbdo\\Fapkq.exe\"" Uarngd.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2024 set thread context of 1544 2024 Uarngd.exe 30 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 596 powershell.exe 1544 Uarngd.exe 1544 Uarngd.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2024 Uarngd.exe Token: SeDebugPrivilege 596 powershell.exe Token: SeDebugPrivilege 1544 Uarngd.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 2024 wrote to memory of 596 2024 Uarngd.exe 28 PID 2024 wrote to memory of 596 2024 Uarngd.exe 28 PID 2024 wrote to memory of 596 2024 Uarngd.exe 28 PID 2024 wrote to memory of 596 2024 Uarngd.exe 28 PID 2024 wrote to memory of 1544 2024 Uarngd.exe 30 PID 2024 wrote to memory of 1544 2024 Uarngd.exe 30 PID 2024 wrote to memory of 1544 2024 Uarngd.exe 30 PID 2024 wrote to memory of 1544 2024 Uarngd.exe 30 PID 2024 wrote to memory of 1544 2024 Uarngd.exe 30 PID 2024 wrote to memory of 1544 2024 Uarngd.exe 30 PID 2024 wrote to memory of 1544 2024 Uarngd.exe 30 PID 2024 wrote to memory of 1544 2024 Uarngd.exe 30 PID 2024 wrote to memory of 1544 2024 Uarngd.exe 30 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Uarngd.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Uarngd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Uarngd.exe"C:\Users\Admin\AppData\Local\Temp\Uarngd.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:596
-
-
C:\Users\Admin\AppData\Local\Temp\Uarngd.exeC:\Users\Admin\AppData\Local\Temp\Uarngd.exe2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1544
-