Resubmissions

13/04/2023, 17:36

230413-v6r57ada84 9

13/04/2023, 17:34

230413-v5dleaec8w 9

13/04/2023, 16:59

230413-vhwtgaeb6w 9

Analysis

  • max time kernel
    88s
  • max time network
    36s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/04/2023, 16:59

General

  • Target

    Discord_Raider.exe

  • Size

    2.8MB

  • MD5

    5238bf37a0c3a5501ecf2ede42e5f7e3

  • SHA1

    08618aba7eae5b2b630871b62cd34b6f35a93af9

  • SHA256

    736638cd73af6c935574c399d9df6734707935ec6a417adf9f399598dc5e8657

  • SHA512

    e40a2d64155c01185818104b3ddf2e89ad4471977f0e8795718f6dbde043a2e152d3a004fcd52d518277c79d12678bfb930a328038db596fd8cd5b23d6fe6ea5

  • SSDEEP

    49152:YsmhnqAs9pJc0dnKh+Q0N1rs+vIUSg+6+8ohnRh1Na1OKM6nYAKhFQpSH3Oh5gxr:SqXpy05Q0N1rsYSZ6BoXh1kkypSH3Ohs

Score
9/10

Malware Config

Signatures

  • NirSoft WebBrowserPassView (2 IoCs)

    Password recovery tool for various web browsers

  • Nirsoft (5 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash (1 IoCs)
  • Modifies system certificate store (2 TTPs, 3 IoCs)
  • Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (16 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Discord_Raider.exe
    "C:\Users\Admin\AppData\Local\Temp\Discord_Raider.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
      "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs6gJSKY3RhQ79JCJSFqEll6W3JbKxPovOOtZyi89x1/Whf/AOhzqqRCYGErJh6WrRWrmL8maS2ZsDaJWmpU2R8fmZ0XTjwlWNle4CsXiZiQSiWXj9847FLpSpCrIedRLk8=
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:580
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1644
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c compile.bat
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1084
          • C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
            C:\Users\Admin\AppData\Local\Temp\bfsvc.exe /capture /Filename "C:\Users\Admin\AppData\Local\Temp\capture.png"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:1224
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 580 -s 2260
        3⤵
        • Program crash
        PID:636

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe

    Filesize

    2.8MB

    MD5

    88ab0bb59b0b20816a833ba91c1606d3

    SHA1

    72c09b7789a4bac8fee41227d101daed8437edeb

    SHA256

    f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312

    SHA512

    05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857

  • C:\Users\Admin\AppData\Local\Temp\bfsvc.cfg

    Filesize

    529B

    MD5

    5242530a2b65089696f3cf8e5ee02ff7

    SHA1

    d604293148cdd953b3368c54920c043cffe9e1c1

    SHA256

    239a1d9844ddbd0e650f8e5de69a2a40067106a79878fa4948a8039f1573b781

    SHA512

    7aafe122d3b7b9d377f689a872c2306c3b04d5a8a7e4df69b65370e48356db416b5cacc6681a1f7315d0ad730fd12b651115a81bd4c880033e5ef89fa605c39a

  • C:\Users\Admin\AppData\Local\Temp\bfsvc.exe

    Filesize

    71KB

    MD5

    899d3ed011eb58459b8a4fc2b81f0924

    SHA1

    80361f1e0b93143ec1ddfee156760f5938c85791

    SHA256

    5e3f311ae67f046b56435067bcdd39fbf836fa0421fbc8c8b0e43e8e47524954

    SHA512

    802ee4f8d25417589c7e62f0acc9dc2dc8f1d32654ca435f6aeae2926e6900373648790451c9143856a772a49c2a8f3c8659c5b8260f0f67559aeef875825f05

  • C:\Users\Admin\AppData\Local\Temp\compile.bat

    Filesize

    70B

    MD5

    d90accebb3f79fe65cd938425c07b0ae

    SHA1

    9df3812a88d87dd419cd9e89afa5fb1d71be0dc9

    SHA256

    aca74cefaef4b7a32338c9c63187cffa1e808b54ab218a064007683ad1bd3a0e

    SHA512

    44013bfda1dbe5b217d4872e8d550cd00471cb8b969ffd6b07f83b0c59ac20ec2512d275a4603cc00e5de3a04666f66e897601ba51a5e02af622e5139ac04560

  • C:\Users\Admin\AppData\Local\Temp\compile.vbs

    Filesize

    265B

    MD5

    ca906422a558f4bc9e471709f62ec1a9

    SHA1

    e3da070007fdeae52779964df6f71fcb697ffb06

    SHA256

    abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee

    SHA512

    661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b

  • C:\Users\Admin\AppData\Local\Temp\config

    Filesize

    103B

    MD5

    6c5c5aaadd88e8c19bbed9b070d135ef

    SHA1

    abc6ecb99646ddafb3575b01e0f65ca48da4e55c

    SHA256

    0e9e23a0758e739f54690f1b3f3880731d23bb5592e30badbe2fd857d3e77a15

    SHA512

    94e0653ef293aa4fcff73244554ec0c158c8e781af122b063f189972d92261a208591d51a0d3a08077ffde15311717e9d8c0404b810bfc182bc4cd66c3781bc1

  • memory/580-98-0x0000000000BD0000-0x0000000000C00000-memory.dmp

    Filesize

    192KB

  • memory/580-99-0x0000000000A10000-0x0000000000A1C000-memory.dmp

    Filesize

    48KB

  • memory/580-100-0x000000001AB00000-0x000000001AB1A000-memory.dmp

    Filesize

    104KB

  • memory/580-101-0x000000001AB40000-0x000000001AB72000-memory.dmp

    Filesize

    200KB

  • memory/580-102-0x000000001BDA0000-0x000000001BE42000-memory.dmp

    Filesize

    648KB

  • memory/580-120-0x000000001B010000-0x000000001B090000-memory.dmp

    Filesize

    512KB

  • memory/580-121-0x000000001AB80000-0x000000001AB88000-memory.dmp

    Filesize

    32KB

  • memory/580-66-0x00000000023F0000-0x00000000024A0000-memory.dmp

    Filesize

    704KB

  • memory/580-65-0x000000001B010000-0x000000001B090000-memory.dmp

    Filesize

    512KB

  • memory/580-64-0x0000000000440000-0x0000000000446000-memory.dmp

    Filesize

    24KB

  • memory/580-63-0x000000001B400000-0x000000001B742000-memory.dmp

    Filesize

    3.3MB

  • memory/580-62-0x0000000000C00000-0x0000000000EDA000-memory.dmp

    Filesize

    2.9MB

  • memory/1060-54-0x0000000000350000-0x000000000062E000-memory.dmp

    Filesize

    2.9MB