Analysis

  • max time kernel
    100s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
  • submitted
    08/02/2023, 18:37

General

  • Target

    PO.rtf

  • Size

    39KB

  • MD5

    7bef0db4752cfa72fa2a6b803399b404

  • SHA1

    e54ad9a8b00581c8523dfca5230878d72a84243f

  • SHA256

    47be618f3bc464769ed523f82df8383dfdd60f6c713c1662fbc5b57a068223c5

  • SHA512

    fc3609c5bbdac032f152aafd87369f58dffa549831d25d6a306ed5bef8feaf10d1325c6586b5665de6d1a27919954526054dd617b9b6f2e5d391d1b69e904f26

  • SSDEEP

    768:nFx0XaIsnPRIa4fwJMgD4mkPpqI89JyAJnAudW4jN0g5+8A23Py:nf0Xvx3EMQCSJDJnA54JjAP

Malware Config

Extracted

Family

snakekeylogger

Credentials

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 6 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1732
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Users\Admin\AppData\Roaming\wealtgo584.exe
        "C:\Users\Admin\AppData\Roaming\wealtgo584.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:628
        • C:\Users\Admin\AppData\Roaming\wealtgo584.exe
          "C:\Users\Admin\AppData\Roaming\wealtgo584.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:316

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Roaming\wealtgo584.exe

      Filesize

      918KB

      MD5

      423cb81a6a34150f52d974f0b5ad7671

      SHA1

      1edea836f2138dde98aad41beb959894abc9a7df

      SHA256

      2f7fa88382210dc974ad20d7dd204655d5321cb220f7507bfbe57577c767d66a

      SHA512

      b71cc796d5397476a9c2c4afe7b847c63d75c6edae57e45b05da05583d4308fdd6129e60fb27b753ffed0ed8dc5c92745e9709e294218d592d4652e03e9f2325

    • \Users\Admin\AppData\Roaming\wealtgo584.exe

      Filesize

      918KB

      MD5

      423cb81a6a34150f52d974f0b5ad7671

      SHA1

      1edea836f2138dde98aad41beb959894abc9a7df

      SHA256

      2f7fa88382210dc974ad20d7dd204655d5321cb220f7507bfbe57577c767d66a

      SHA512

      b71cc796d5397476a9c2c4afe7b847c63d75c6edae57e45b05da05583d4308fdd6129e60fb27b753ffed0ed8dc5c92745e9709e294218d592d4652e03e9f2325

    • memory/316-73-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/316-85-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/316-83-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/316-79-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/316-78-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/316-76-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/316-74-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/628-66-0x0000000000410000-0x0000000000424000-memory.dmp

      Filesize

      80KB

    • memory/628-70-0x00000000009F0000-0x00000000009FC000-memory.dmp

      Filesize

      48KB

    • memory/628-71-0x0000000004E30000-0x0000000004EB2000-memory.dmp

      Filesize

      520KB

    • memory/628-72-0x0000000000C50000-0x0000000000C78000-memory.dmp

      Filesize

      160KB

    • memory/628-64-0x0000000001100000-0x00000000011EC000-memory.dmp

      Filesize

      944KB

    • memory/1636-67-0x0000000070BDD000-0x0000000070BE8000-memory.dmp

      Filesize

      44KB

    • memory/1636-54-0x0000000072171000-0x0000000072174000-memory.dmp

      Filesize

      12KB

    • memory/1636-58-0x0000000075071000-0x0000000075073000-memory.dmp

      Filesize

      8KB

    • memory/1636-57-0x0000000070BDD000-0x0000000070BE8000-memory.dmp

      Filesize

      44KB

    • memory/1636-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1636-55-0x000000006FBF1000-0x000000006FBF3000-memory.dmp

      Filesize

      8KB

    • memory/1636-87-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1636-88-0x0000000070BDD000-0x0000000070BE8000-memory.dmp

      Filesize

      44KB

    • memory/1732-69-0x000007FEFB821000-0x000007FEFB823000-memory.dmp

      Filesize

      8KB