Analysis
- max time kernel: 597s
- max time network: 572s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 23/04/2023, 14:40
Behavioral tasks
- behavioral1: sample stub.exe, resource win7-20230220-en, 6 signatures, 600 seconds
- behavioral2: sample stub.exe, resource win10v2004-20230220-en, 23 signatures, 600 seconds
General
- Target: stub.exe
- Size: 3.8MB
- MD5: d5cad087973fab0104f92810bbf16871
- SHA1: ced93e48beea62c6e444cdb8ae5ea2fbed72085d
- SHA256: 0a3d2686f9f3df3a943578869afa5b87e249dbcb41a1752626ba8948445fe1e9
- SHA512: 1497f30f44a9adfe1496ccc1dc5befe4736bf32e0862102b5a39ca6caadaa1f35023bc8d33ea88cbafd6962e07a92faa49d3a4c0e9e0e192c7f5829ca63ddd8b
- SSDEEP: 98304:d77Pmq33rE/JDLPWZADUGer7B6iY74M/JmlwXVZ4FB:5+R/eZADUXR
Score: 10/10

Malware Config (extracted)
- Family: bitrat
- Version: 1.38
- C2: soon-lp.at.ply.gg:17209
- Attributes:
  - communication_password: 33d47f3d76b1b6a91406c01ef0ce5164
  - install_dir: BIRAT
  - install_file: svchost
  - tor_process: Tls_Connect
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  - description: Set value (str)
  - ioc: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\BIRAT\\svchost"
  - process: stub.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
  - pid 1204, process stub.exe (8 occurrences)
- Suspicious behavior: RenamesItself (64 IoCs)
  - pid 1204, process stub.exe (64 occurrences)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, pid 1204, process stub.exe
  - Token: SeShutdownPrivilege, pid 1204, process stub.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  - pid 1204, process stub.exe (2 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\stub.exe (PID 1204)
  - command line: "C:\Users\Admin\AppData\Local\Temp\stub.exe"
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx