Analysis
max time kernel: 143s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/02/2023, 18:40
Static task
static1
Behavioral task
behavioral1
Sample
HSBC Advise_pdf.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
HSBC Advise_pdf.exe
Resource
win10v2004-20221111-en
General
Target: HSBC Advise_pdf.exe
Size: 356KB
MD5: 9587102c110910a51b37b74ce40e2362
SHA1: 4126184e03449d077a878c0c3201508cf66e8ce4
SHA256: db8eae6ede6a43fac5b49d89810a2e17c3e2c0d78c6487af3b6532e4a32779ce
SHA512: f2cbec2e3fbac6eb518faa9a3828db0034e3c38c78fa573199175219252485bb8267605e4847fc0113d09af33fdfcd1a671b53bcf0c043155ef6e3bdeb8c1c3e
SSDEEP: 6144:uYa6TFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFY:uY///tP2MgwSDevfvFep+O3
Malware Config
Extracted
lokibot
https://sempersim.su/ha12/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  864   ohepcmepaf.exe
  4892  ohepcmepaf.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description  ioc                                                                                                                                          Process
  Key opened   \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook                          ohepcmepaf.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   ohepcmepaf.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook                          ohepcmepaf.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                          pid  Process         procid_target
  PID 864 set thread context of 4892   864  ohepcmepaf.exe  83

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: MapViewOfSection (1 IoCs)
  pid  Process
  864  ohepcmepaf.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4892  ohepcmepaf.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid   Process              procid_target
  PID 4328 wrote to memory of 864    4328  HSBC Advise_pdf.exe  82
  PID 4328 wrote to memory of 864    4328  HSBC Advise_pdf.exe  82
  PID 4328 wrote to memory of 864    4328  HSBC Advise_pdf.exe  82
  PID 864 wrote to memory of 4892    864   ohepcmepaf.exe       83
  PID 864 wrote to memory of 4892    864   ohepcmepaf.exe       83
  PID 864 wrote to memory of 4892    864   ohepcmepaf.exe       83
  PID 864 wrote to memory of 4892    864   ohepcmepaf.exe       83

outlook_office_path (1 IoCs)
  description  ioc                                                                                                                 Process
  Key opened   \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook   ohepcmepaf.exe

outlook_win_path (1 IoCs)
  description  ioc                                                                                                                                          Process
  Key opened   \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   ohepcmepaf.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\HSBC Advise_pdf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\HSBC Advise_pdf.exe"
   PID: 4328
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\ohepcmepaf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ohepcmepaf.exe" C:\Users\Admin\AppData\Local\Temp\ffifn.z
      PID: 864
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\ohepcmepaf.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\ohepcmepaf.exe"
         PID: 4892
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 5KB
MD5: f6d88da8df52578bbf8023b3425e45a3
SHA1: 0ce6ab36809498fc0e57e0e542247cbad6222885
SHA256: a2a79426ba2f347aededfd6c29733bf1fdf66ecf9fa900d7fb64de5482b4767d
SHA512: accd3c6bd8a1537d82d91c0dd09ed365af9dae7e8424c81470036a15b2072d6430d3cc732329f44837009f9767226b49f857743df45702c55f44a321beaa6cde

Filesize: 124KB
MD5: d0d7600862f71f86a72fc4a8f0ac7e94
SHA1: 208be4aa6b02b68e967c14e21613f96debd9bec9
SHA256: c75e2c34bd89e0c1d60bb3ffce9caa7acf04e77c315a043f412d419f17319b92
SHA512: 26455bb18f03bd4bf57e98295fba5aef4a0db0a85626b758779b4d80b9ff5b704b674cdaa468dc009369d9be720b90ae65c6a0b4a6d5dce891e38efd4d6e1a41

Filesize: 131KB
MD5: 0f4ef42ba22255821c2bee2c49d8c253
SHA1: c2e4feb3ffd2fe54050e63597d7b8e007aa5d57e
SHA256: ce884e7ed3c712419874912d8f205d962bb11a451e951a419abe2f90de7eaab9
SHA512: 97affbaf0f081bee08e03ee7ce3e979ee52b8a997c2041859297186939ed9a1a66cbc319dee8dbb748d8633f543e75ff210abf064234d7a39c1fe81e2daed417