Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

Purchase O...on.exe

windows7-x64

10

Purchase O...on.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    63s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    10/03/2023, 12:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase Order Specification.exe

  • Size

    967KB

  • MD5

    ff8b0be6beb421eb1679d9d45ba001d5

  • SHA1

    f56a011e441f6ffb00fea0221e1825d69fd812a5

  • SHA256

    6960c8a08fff5fa174f6f8e39ac8fc2a678a5a918b109b2e8d5c90460515e666

  • SHA512

    7e94f5a4404c3c36a23068e01184dde98a413c757fabaa144f0fbc81b5ba9b2db4a77d022f1c3cada584ce92ce234e48b4e75b51f16581ced5df1f687ee71113

  • SSDEEP

    12288:9FlLKHFjcsqUWGV+gB5BR+BbRd7kM6HMG0i9c/HoL8d/1bCY6vsYJRdwUWJ97JRv:7GYgdqnl6pc/HoOlCYasYJ4J9L2kX

Score
10/10
snakekeyloggercollectionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6217135056:AAHXcMRaGpgIntfJgWLF1Xm94Ra44-YLyH0/sendMessage?chat_id=5830834219

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 5 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Purchase Order Specification.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase Order Specification.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:936
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Purchase Order Specification.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:676
    • C:\Users\Admin\AppData\Local\Temp\Purchase Order Specification.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase Order Specification.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1356

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/676-74-0x0000000002210000-0x0000000002250000-memory.dmp

    Filesize

    256KB

    Download

  • memory/676-75-0x0000000002210000-0x0000000002250000-memory.dmp

    Filesize

    256KB

    Download

  • memory/936-55-0x0000000000530000-0x0000000000544000-memory.dmp

    Filesize

    80KB

    Download

  • memory/936-56-0x0000000004E60000-0x0000000004EA0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/936-57-0x0000000004E60000-0x0000000004EA0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/936-58-0x0000000000550000-0x000000000055C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/936-59-0x0000000005330000-0x00000000053D0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/936-60-0x0000000004460000-0x0000000004488000-memory.dmp

    Filesize

    160KB

    Download

  • memory/936-54-0x0000000000010000-0x0000000000108000-memory.dmp

    Filesize

    992KB

    Download

  • memory/1356-62-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1356-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1356-63-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1356-66-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1356-68-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1356-70-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1356-73-0x0000000000550000-0x0000000000590000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1356-64-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1356-61-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1356-76-0x0000000000550000-0x0000000000590000-memory.dmp

    Filesize

    256KB

    Download