Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
13/04/2023, 17:36
230413-v6r57ada84 913/04/2023, 17:34
230413-v5dleaec8w 913/04/2023, 16:59
230413-vhwtgaeb6w 9Analysis
-
max time kernel
88s -
max time network
36s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
13/04/2023, 16:59
Static task
static1
Behavioral task
behavioral1
Sample
Discord_Raider.exe
Resource
win7-20230220-en
General
-
Target
Discord_Raider.exe
-
Size
2.8MB
-
MD5
5238bf37a0c3a5501ecf2ede42e5f7e3
-
SHA1
08618aba7eae5b2b630871b62cd34b6f35a93af9
-
SHA256
736638cd73af6c935574c399d9df6734707935ec6a417adf9f399598dc5e8657
-
SHA512
e40a2d64155c01185818104b3ddf2e89ad4471977f0e8795718f6dbde043a2e152d3a004fcd52d518277c79d12678bfb930a328038db596fd8cd5b23d6fe6ea5
-
SSDEEP
49152:YsmhnqAs9pJc0dnKh+Q0N1rs+vIUSg+6+8ohnRh1Na1OKM6nYAKhFQpSH3Oh5gxr:SqXpy05Q0N1rsYSZ6BoXh1kkypSH3Ohs
Malware Config
Signatures
-
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral1/memory/580-63-0x000000001B400000-0x000000001B742000-memory.dmp WebBrowserPassView behavioral1/memory/580-120-0x000000001B010000-0x000000001B090000-memory.dmp WebBrowserPassView -
Nirsoft 5 IoCs
resource yara_rule behavioral1/memory/580-63-0x000000001B400000-0x000000001B742000-memory.dmp Nirsoft behavioral1/memory/580-65-0x000000001B010000-0x000000001B090000-memory.dmp Nirsoft behavioral1/memory/580-120-0x000000001B010000-0x000000001B090000-memory.dmp Nirsoft behavioral1/files/0x0008000000012319-132.dat Nirsoft behavioral1/files/0x0008000000012319-131.dat Nirsoft -
Executes dropped EXE 2 IoCs
pid Process 580 RtkBtManServ.exe 1224 bfsvc.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 api64.ipify.org 5 api64.ipify.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 636 580 WerFault.exe 28 -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 RtkBtManServ.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e RtkBtManServ.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e RtkBtManServ.exe -
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid Process 1224 bfsvc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 580 RtkBtManServ.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 1060 wrote to memory of 580 1060 Discord_Raider.exe 28 PID 1060 wrote to memory of 580 1060 Discord_Raider.exe 28 PID 1060 wrote to memory of 580 1060 Discord_Raider.exe 28 PID 580 wrote to memory of 1644 580 RtkBtManServ.exe 29 PID 580 wrote to memory of 1644 580 RtkBtManServ.exe 29 PID 580 wrote to memory of 1644 580 RtkBtManServ.exe 29 PID 1644 wrote to memory of 1084 1644 WScript.exe 30 PID 1644 wrote to memory of 1084 1644 WScript.exe 30 PID 1644 wrote to memory of 1084 1644 WScript.exe 30 PID 1084 wrote to memory of 1224 1084 cmd.exe 32 PID 1084 wrote to memory of 1224 1084 cmd.exe 32 PID 1084 wrote to memory of 1224 1084 cmd.exe 32 PID 1084 wrote to memory of 1224 1084 cmd.exe 32 PID 580 wrote to memory of 636 580 RtkBtManServ.exe 33 PID 580 wrote to memory of 636 580 RtkBtManServ.exe 33 PID 580 wrote to memory of 636 580 RtkBtManServ.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\Discord_Raider.exe"C:\Users\Admin\AppData\Local\Temp\Discord_Raider.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs6gJSKY3RhQ79JCJSFqEll6W3JbKxPovOOtZyi89x1/Whf/AOhzqqRCYGErJh6WrRWrmL8maS2ZsDaJWmpU2R8fmZ0XTjwlWNle4CsXiZiQSiWXj9847FLpSpCrIedRLk8=2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c compile.bat4⤵
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Users\Admin\AppData\Local\Temp\bfsvc.exeC:\Users\Admin\AppData\Local\Temp\bfsvc.exe /capture /Filename "C:\Users\Admin\AppData\Local\Temp\capture.png"5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1224
-
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 580 -s 22603⤵
- Program crash
PID:636
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.8MB
MD588ab0bb59b0b20816a833ba91c1606d3
SHA172c09b7789a4bac8fee41227d101daed8437edeb
SHA256f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312
SHA51205cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857
-
Filesize
2.8MB
MD588ab0bb59b0b20816a833ba91c1606d3
SHA172c09b7789a4bac8fee41227d101daed8437edeb
SHA256f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312
SHA51205cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857
-
Filesize
529B
MD55242530a2b65089696f3cf8e5ee02ff7
SHA1d604293148cdd953b3368c54920c043cffe9e1c1
SHA256239a1d9844ddbd0e650f8e5de69a2a40067106a79878fa4948a8039f1573b781
SHA5127aafe122d3b7b9d377f689a872c2306c3b04d5a8a7e4df69b65370e48356db416b5cacc6681a1f7315d0ad730fd12b651115a81bd4c880033e5ef89fa605c39a
-
Filesize
71KB
MD5899d3ed011eb58459b8a4fc2b81f0924
SHA180361f1e0b93143ec1ddfee156760f5938c85791
SHA2565e3f311ae67f046b56435067bcdd39fbf836fa0421fbc8c8b0e43e8e47524954
SHA512802ee4f8d25417589c7e62f0acc9dc2dc8f1d32654ca435f6aeae2926e6900373648790451c9143856a772a49c2a8f3c8659c5b8260f0f67559aeef875825f05
-
Filesize
71KB
MD5899d3ed011eb58459b8a4fc2b81f0924
SHA180361f1e0b93143ec1ddfee156760f5938c85791
SHA2565e3f311ae67f046b56435067bcdd39fbf836fa0421fbc8c8b0e43e8e47524954
SHA512802ee4f8d25417589c7e62f0acc9dc2dc8f1d32654ca435f6aeae2926e6900373648790451c9143856a772a49c2a8f3c8659c5b8260f0f67559aeef875825f05
-
Filesize
70B
MD5d90accebb3f79fe65cd938425c07b0ae
SHA19df3812a88d87dd419cd9e89afa5fb1d71be0dc9
SHA256aca74cefaef4b7a32338c9c63187cffa1e808b54ab218a064007683ad1bd3a0e
SHA51244013bfda1dbe5b217d4872e8d550cd00471cb8b969ffd6b07f83b0c59ac20ec2512d275a4603cc00e5de3a04666f66e897601ba51a5e02af622e5139ac04560
-
Filesize
265B
MD5ca906422a558f4bc9e471709f62ec1a9
SHA1e3da070007fdeae52779964df6f71fcb697ffb06
SHA256abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee
SHA512661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b
-
Filesize
103B
MD56c5c5aaadd88e8c19bbed9b070d135ef
SHA1abc6ecb99646ddafb3575b01e0f65ca48da4e55c
SHA2560e9e23a0758e739f54690f1b3f3880731d23bb5592e30badbe2fd857d3e77a15
SHA51294e0653ef293aa4fcff73244554ec0c158c8e781af122b063f189972d92261a208591d51a0d3a08077ffde15311717e9d8c0404b810bfc182bc4cd66c3781bc1