Analysis

  • max time kernel
    142s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
  • submitted
    21/02/2023, 09:11 UTC

General

  • Target

    Quotation Required.exe

  • Size

    501KB

  • MD5

    c6479e3bcb864d87e5d93ff06ed15c60

  • SHA1

    af08bbfe61178ee821e85b1f09be975b732387aa

  • SHA256

    9842d23cef4dc305ab6b8cd1ade477e1186d94cfd18861e1c87a55aff4d04c40

  • SHA512

    c5f4b4638b76b963fe8b731a08c43f67d5a8c512262755f78eca27feea5004e348e85a913926f8afe73accefa6a680bba37207adb37880100cd2f8ff6509b1b6

  • SSDEEP

    12288:/YmibSNNCgbjT5hg1s5PiA8C58tpxxqVTEp1B:/YmQoz5hgSN8tpxAVEp1B

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
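
The C2 above is a Telegram Bot API call: the path carries the bot id and its secret token, the query string carries the destination chat. The script below is an added example, not code from tria.ge or from the sample. It parses that URL into those fields and runs the same check over a few constructed proxy log lines to show how the bot id becomes a hunting key; only the C2 URL itself is taken from the report.

```python
"""Pull the actionable fields out of a Telegram Bot API C2 URL and use them
to hunt for the same channel in proxy logs.

Added example for this report, not code from tria.ge or from the sample.
Only C2_URL comes from the extracted config above; the proxy log lines are
constructed for illustration.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# C2 URL recovered from the sample's configuration (see Malware Config above)
C2_URL = ("https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4"
          "/sendMessage?chat_id=1251788325")

# Bot API path: /bot<numeric bot id>:<35-character secret>/<method>
_BOT_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)$"
)


def parse_telegram_c2(url: str) -> Optional[dict]:
    """Return bot_id, full token, API method and chat_id for a Bot API URL,
    or None when the URL is not a Telegram Bot API call."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "api.telegram.org":
        return None
    m = _BOT_PATH.match(parts.path)
    if m is None:
        return None
    query = parse_qs(parts.query)
    return {
        "bot_id": m["bot_id"],
        # The token is a live credential for the attacker's bot: anyone holding
        # it can call the Bot API as that bot. Handle it like a leaked secret.
        "token": f"{m['bot_id']}:{m['secret']}",
        "method": m["method"],
        "chat_id": query.get("chat_id", [None])[0],
    }


# Constructed proxy log lines (not from the report): timestamp, client, verb, URL.
# The first two reuse the report's bot id; the last uses a made-up bot id.
SAMPLE_PROXY_LOG = f"""\
2023-02-21T09:12:03Z 10.0.0.23 POST {C2_URL}
2023-02-21T09:12:05Z 10.0.0.23 POST https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendDocument?chat_id=1251788325
2023-02-21T09:13:10Z 10.0.0.41 GET  https://www.example.com/quotes/2023.pdf
2023-02-21T09:14:00Z 10.0.0.57 POST https://api.telegram.org/bot1111111111:{'Z' * 35}/getUpdates
"""


def hunt_telegram_bot_api(log_text: str, known_bot_ids: set) -> list:
    """Flag every Bot API call in the log. Calls whose bot id matches one already
    tied to a malware config are marked known_c2; the rest still warrant review,
    since most endpoints have no business talking to the Bot API at all."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, verb, url = fields[:4]
        info = parse_telegram_c2(url)
        if info is None:
            continue
        hits.append({"time": ts, "client": client, "verb": verb, **info,
                     "known_c2": info["bot_id"] in known_bot_ids})
    return hits


if __name__ == "__main__":
    known = {parse_telegram_c2(C2_URL)["bot_id"]}
    for hit in hunt_telegram_bot_api(SAMPLE_PROXY_LOG, known):
        print(hit["time"], hit["client"], hit["method"],
              "known C2" if hit["known_c2"] else "review")
```

The token portion is a working credential for the attacker's bot, so store it with the same care as any leaked secret and do not exercise it from a production network. The bot id and chat id are the stable parts to pivot on when comparing this config with other samples.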

Signatures

  • BluStealer

    A modular information stealer written in Visual Basic.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The signature's generic description reads "Likely ransomware behaviour"; the family identified in this report is an information stealer, so read this hit as drive enumeration rather than as evidence of ransomware.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation Required.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation Required.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Users\Admin\AppData\Local\Temp\lhiecmmdg.exe
      "C:\Users\Admin\AppData\Local\Temp\lhiecmmdg.exe" C:\Users\Admin\AppData\Local\Temp\ovcnaiorxn.d
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:852
      • C:\Users\Admin\AppData\Local\Temp\lhiecmmdg.exe
        "C:\Users\Admin\AppData\Local\Temp\lhiecmmdg.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1520
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          4⤵
          • Accesses Microsoft Outlook profiles
          • outlook_office_path
          • outlook_win_path
          PID:976
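
The tree above is the standard hollowing sequence for this loader: the dropped lhiecmmdg.exe (PID 852) runs with a companion file as its argument, relaunches itself (PID 1520), and that copy starts AppLaunch.exe with an empty command line (PID 976), the process that then touches the Outlook profiles. The SetThreadContext, MapViewOfSection and WriteProcessMemory signatures on the parents are consistent with them writing into the child. The script below is an added example, not tria.ge code: it encodes that shape as two detection rules over Sysmon-style process-creation events built from the report's tree. The explorer.exe root (PID 1000) and the benign AppLaunch.exe control (PID 2000) are constructed, not from the report.

```python
"""Detection logic for the process chain in the report above: a dropped EXE in
%TEMP% relaunches itself and then starts AppLaunch.exe (the .NET ClickOnce
launch utility) with no arguments, which ends up reading Outlook profiles.

Added example, not from tria.ge or the sample. Events mirror the report's
process tree (PIDs 1392, 852, 1520, 976); the explorer.exe root (PID 1000) and
the benign AppLaunch.exe control (PID 2000) are constructed for illustration.
"""
import ntpath

# Sysmon-style process-creation events (pid, ppid, image, cmdline).
EVENTS = [
    {"pid": 1000, "ppid": 4, "image": r"C:\Windows\explorer.exe",   # constructed root
     "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 1392, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\Quotation Required.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Quotation Required.exe"'},
    {"pid": 852, "ppid": 1392, "image": r"C:\Users\Admin\AppData\Local\Temp\lhiecmmdg.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\lhiecmmdg.exe" C:\Users\Admin\AppData\Local\Temp\ovcnaiorxn.d'},
    {"pid": 1520, "ppid": 852, "image": r"C:\Users\Admin\AppData\Local\Temp\lhiecmmdg.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\lhiecmmdg.exe"'},
    {"pid": 976, "ppid": 1520, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"},
    # constructed benign control: AppLaunch.exe started by explorer with an argument
    {"pid": 2000, "ppid": 1000, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" C:\Users\Admin\AppData\Local\Apps\2.0\app.exe.manifest'},
]

# Directories a standard user can write to; a parent living here is untrusted.
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public", r"\programdata")


def split_cmdline(cmdline: str):
    """Split a Windows command line into (image token, remaining arguments):
    a leading double-quoted token, otherwise everything up to the first space."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:], ""
        return s[1:end], s[end + 1:].strip()
    exe, _, rest = s.partition(" ")
    return exe, rest.strip()


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def chain(by_pid: dict, pid: int) -> str:
    """Render the ancestry of pid as 'root > ... > pid' using image basenames."""
    names = []
    while pid in by_pid and len(names) < 64:      # depth guard against ppid cycles
        names.append(ntpath.basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return " > ".join(reversed(names))


def detect(events: list) -> list:
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        _, args = split_cmdline(e["cmdline"])
        # Rule 1: a binary in a user-writable directory spawns a second copy of
        # itself. Here PID 1520 is the staging copy that goes on to hollow AppLaunch.
        if parent and in_user_writable(e["image"]) and parent["image"].lower() == e["image"].lower():
            alerts.append({"rule": "self_respawn_from_temp", "pid": e["pid"],
                           "chain": chain(by_pid, e["pid"])})
        # Rule 2: AppLaunch.exe with an empty argument list, started by a parent in
        # a user-writable directory. AppLaunch.exe has nothing to do with no
        # arguments; this shape is the classic hollowing target.
        if (e["image"].lower().endswith(r"\applaunch.exe") and not args
                and parent and in_user_writable(parent["image"])):
            alerts.append({"rule": "applaunch_hollowing_target", "pid": e["pid"],
                           "chain": chain(by_pid, e["pid"])})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a['rule']:28} pid={a['pid']:<5} {a['chain']}")
```

Rule 2 is deliberately parent-aware: an argument-less AppLaunch.exe started from under C:\Windows or Program Files is not flagged, which keeps the rule quiet on hosts where the launcher is used as intended.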

Downloads

  • C:\Users\Admin\AppData\Local\Temp\lhiecmmdg.exe

    Filesize

    54KB

    MD5

    208f168a8a01e2d071375e09c084dc5a

    SHA1

    e04b395d08bfad73c65997e24f4fb951a7837d61

    SHA256

    0ea519809172240457a3d0bdb4dce19d0456670355ff1ead6d9823a1e72e433b

    SHA512

    10f05cac53cc143ce0388e8cd3546e856ed245f3999aca51d2db1e2efeacfb7dc5a18192280ebcb4087208a9cd50e90612150712eeed2c68c5876741bfa940cc

  • C:\Users\Admin\AppData\Local\Temp\ovcnaiorxn.d

    Filesize

    5KB

    MD5

    162e0c2bbbccab38c10728759e5c96b7

    SHA1

    0f45df923464f98cc5f655af51f31f30646e164b

    SHA256

    8213a9356d16fc8d08625217bf8f5a95168bacf3dc1c0413820533f8a2aff10c

    SHA512

    0820e5ee0c3c2dacc596a8101a362ed53037c9560dc8b76d09db1798651cb1b09136e5438fb176cefb6fa81358bb3973a4ad05a2b61622453f5ed58beb17da20

  • C:\Users\Admin\AppData\Local\Temp\zeylacft.exz

    Filesize

    460KB

    MD5

    df3d012d61af20771fd15c9b906051fa

    SHA1

    2cd498b119af9cac981fd2a12e55224b8481f1ac

    SHA256

    a5c41dc9d73516047db56803ce3837afb830f990d01dd497494e24215a5597ac

    SHA512

    d27e5ad78d500d2300800a0b0d9302dd0dfeb367f2d1f983645c440950795fe883acab1c5056ddfc35e08d4ddf1f008ee3cc718e914a0e6b03d21fb475b09bc2

  • memory/976-73-0x0000000000090000-0x00000000000F6000-memory.dmp
    also dumped as 976-75, 976-77 and 976-79 (same region, same size)

    Filesize

    408KB

  • memory/976-74-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

  • memory/976-80-0x0000000000960000-0x0000000000A1C000-memory.dmp

    Filesize

    752KB

  • memory/976-81-0x0000000000610000-0x0000000000650000-memory.dmp

    Filesize

    256KB

  • memory/1520-65-0x0000000000400000-0x000000000046E000-memory.dmp
    also dumped as 1520-68, 1520-72 and 1520-82 through 1520-96 (18 dumps of the same region, same size)

    Filesize

    440KB
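
Dump names follow memory/<pid>-<dump id>-0x<start>-0x<end>-memory.dmp, and the list above records the same ranges many times: PID 1520 has 18 dumps of 0x400000-0x46E000 (0x400000 is the default image base of a 32-bit PE executable, so this is the payload's own image being captured at successive points), and PID 976, the AppLaunch.exe child, has four dumps of 0x90000-0xF6000. The parser below is an added example, not tria.ge code: it recovers pid, range and size from each name and groups the dumps by region so repeats are counted instead of read one at a time. Its only input is the list of names above.

```python
"""Parse tria.ge memory-dump names and group them by (pid, region) so that
repeated dumps of the same range stand out.

Added example, not tria.ge code. The names in REPORT_DUMPS are the ones listed
above; the region/size arithmetic is derived from them.
"""
import re
from collections import defaultdict

# memory/<pid>-<dump id>-0x<start>-0x<end>-memory.dmp
DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<dump_id>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

REPORT_DUMPS = [
    "memory/976-81-0x0000000000610000-0x0000000000650000-memory.dmp",
    "memory/976-79-0x0000000000090000-0x00000000000F6000-memory.dmp",
    "memory/976-80-0x0000000000960000-0x0000000000A1C000-memory.dmp",
    "memory/976-73-0x0000000000090000-0x00000000000F6000-memory.dmp",
    "memory/976-74-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp",
    "memory/976-75-0x0000000000090000-0x00000000000F6000-memory.dmp",
    "memory/976-77-0x0000000000090000-0x00000000000F6000-memory.dmp",
] + [
    # the 18 dumps of PID 1520 listed above all cover the same range
    f"memory/1520-{i}-0x0000000000400000-0x000000000046E000-memory.dmp"
    for i in (65, 68, 72, *range(82, 97))
]

PE_DEFAULT_IMAGE_BASE = 0x400000   # default image base of a 32-bit PE executable


def parse_dump_name(name: str) -> dict:
    """Decode one dump name; reject anything that is not a well-formed range."""
    m = DUMP_NAME.match(name)
    if m is None:
        raise ValueError(f"not a tria.ge dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "dump_id": int(m["dump_id"]),
            "start": start, "end": end, "size": end - start}


def group_regions(names) -> list:
    """One entry per distinct (pid, start, end), with every dump id that covers it."""
    groups = defaultdict(list)
    for name in names:
        d = parse_dump_name(name)
        groups[(d["pid"], d["start"], d["end"])].append(d["dump_id"])
    return [
        {"pid": pid, "start": start, "end": end, "size_kb": (end - start) // 1024,
         "dump_ids": sorted(ids), "count": len(ids),
         "at_default_image_base": start == PE_DEFAULT_IMAGE_BASE}
        for (pid, start, end), ids in sorted(groups.items())
    ]


if __name__ == "__main__":
    for r in group_regions(REPORT_DUMPS):
        flag = " (default PE image base)" if r["at_default_image_base"] else ""
        print(f"pid {r['pid']:<5} 0x{r['start']:08X}-0x{r['end']:08X} "
              f"{r['size_kb']:>4}KB x{r['count']}{flag}")
```

When triaging a report like this one, the grouped view is what you want: one region per process with a repeat count, so the 440KB image of PID 1520 and the 408KB region of PID 976 are the two dumps worth opening first.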
