Analysis
  max time kernel: 135s
  max time network: 154s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 24/03/2023, 02:59
Static task: static1
Behavioral task: behavioral1
  Sample: 9ce5895cf7087cd578519a76e9eadb7c.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 9ce5895cf7087cd578519a76e9eadb7c.exe
  Resource: win10v2004-20230220-en
General
  Target: 9ce5895cf7087cd578519a76e9eadb7c.exe
  Size: 1.3MB
  MD5: 9ce5895cf7087cd578519a76e9eadb7c
  SHA1: 43b4d21c0386158c18aa931ce35e99634be7f2e5
  SHA256: d07f46238c95ae64bb95021846ae77c20bf7c8e4a6e4f02357f6d18382965989
  SHA512: 71c361470f6fc52d3a56085f28e63aa18baaccae3852f17507cd0c03ca1c18bb1d866379dd778469214d262026726d1d4bc8f08088bec1ed61060ebb14d05402
  SSDEEP: 12288:UmZH9f1IgJFbALOi5QGiPqcY4A8nMRUg27h606C:z9NXDGmYT8Pt6T
Malware Config

Signatures

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  8 | ip-api.com

Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 3432 set thread context of 828 | 3432 | 9ce5895cf7087cd578519a76e9eadb7c.exe | 87

Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  1040 | 3432 | WerFault.exe | 86

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | RegSvcs.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | RegSvcs.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid | Process
  828 | RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 828 | RegSvcs.exe

Suspicious use of WriteProcessMemory (29 IoCs)
  description | pid | Process | procid_target
  PID 3432 wrote to memory of 828 | 3432 | 9ce5895cf7087cd578519a76e9eadb7c.exe | 87
  PID 3432 wrote to memory of 828 | 3432 | 9ce5895cf7087cd578519a76e9eadb7c.exe | 87
  PID 3432 wrote to memory of 828 | 3432 | 9ce5895cf7087cd578519a76e9eadb7c.exe | 87
  PID 3432 wrote to memory of 828 | 3432 | 9ce5895cf7087cd578519a76e9eadb7c.exe | 87
  PID 3432 wrote to memory of 828 | 3432 | 9ce5895cf7087cd578519a76e9eadb7c.exe | 87
  PID 828 wrote to memory of 888 | 828 | RegSvcs.exe | 90
  PID 828 wrote to memory of 888 | 828 | RegSvcs.exe | 90
  PID 828 wrote to memory of 888 | 828 | RegSvcs.exe | 90
  PID 888 wrote to memory of 4976 | 888 | cmd.exe | 92
  PID 888 wrote to memory of 4976 | 888 | cmd.exe | 92
  PID 888 wrote to memory of 4976 | 888 | cmd.exe | 92
  PID 888 wrote to memory of 4992 | 888 | cmd.exe | 93
  PID 888 wrote to memory of 4992 | 888 | cmd.exe | 93
  PID 888 wrote to memory of 4992 | 888 | cmd.exe | 93
  PID 888 wrote to memory of 1204 | 888 | cmd.exe | 94
  PID 888 wrote to memory of 1204 | 888 | cmd.exe | 94
  PID 888 wrote to memory of 1204 | 888 | cmd.exe | 94
  PID 828 wrote to memory of 2892 | 828 | RegSvcs.exe | 95
  PID 828 wrote to memory of 2892 | 828 | RegSvcs.exe | 95
  PID 828 wrote to memory of 2892 | 828 | RegSvcs.exe | 95
  PID 2892 wrote to memory of 536 | 2892 | cmd.exe | 97
  PID 2892 wrote to memory of 536 | 2892 | cmd.exe | 97
  PID 2892 wrote to memory of 536 | 2892 | cmd.exe | 97
  PID 2892 wrote to memory of 2756 | 2892 | cmd.exe | 98
  PID 2892 wrote to memory of 2756 | 2892 | cmd.exe | 98
  PID 2892 wrote to memory of 2756 | 2892 | cmd.exe | 98
  PID 2892 wrote to memory of 1420 | 2892 | cmd.exe | 99
  PID 2892 wrote to memory of 1420 | 2892 | cmd.exe | 99
  PID 2892 wrote to memory of 1420 | 2892 | cmd.exe | 99

outlook_office_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

outlook_win_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes

C:\Users\Admin\AppData\Local\Temp\9ce5895cf7087cd578519a76e9eadb7c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9ce5895cf7087cd578519a76e9eadb7c.exe"
  PID: 3432
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 828
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path

    C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      PID: 888
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\chcp.com
        command line: chcp 65001
        PID: 4976

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh wlan show profile
        PID: 4992

      C:\Windows\SysWOW64\findstr.exe
        command line: findstr All
        PID: 1204

    C:\Windows\SysWOW64\cmd.exe
      command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
      PID: 2892
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\chcp.com
        command line: chcp 65001
        PID: 536

      C:\Windows\SysWOW64\netsh.exe
        command line: netsh wlan show profile name="65001" key=clear
        PID: 2756

      C:\Windows\SysWOW64\findstr.exe
        command line: findstr Key
        PID: 1420

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 240
    PID: 1040
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3432 -ip 3432
  PID: 1108