Analysis

  • max time kernel
    104s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/05/2023, 12:02

General

  • Target

    New Order POH12-FA2306133.rtf

  • Size

    31KB

  • MD5

    bd2d365b0b710589dc5b3b91ac134c12

  • SHA1

    89080ada673d15549f7ba409adcac011b7a088bf

  • SHA256

    8085e0c9ee59ac43c57ad7c3c2b85419d6ed714fc25e41ce63e35ae48538f532

  • SHA512

    b2286cdda78e52852e93699df609bf1afa43295c7ccd07d37c63a1b0221310104406f49984917860a1061c22cf6fb522852d9fefe878709da975fc3898984cb5

  • SSDEEP

    768:/Fx0XaIsnPRIa4fwJMIywRl9Qo/B1X67OePLeD3QoLJeB:/f0Xvx3EMIywRleo/+7XeD3veB

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    cp5ua.hyperhost.ua
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    7213575aceACE@#$

Extracted

Family

snakekeylogger

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 6 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 6 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\New Order POH12-FA2306133.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1236
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2000
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1108
      • C:\Users\Admin\AppData\Roaming\welath7936.exe
        "C:\Users\Admin\AppData\Roaming\welath7936.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1772
        • C:\Users\Admin\AppData\Roaming\welath7936.exe
          "C:\Users\Admin\AppData\Roaming\welath7936.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • outlook_office_path
          • outlook_win_path
          PID:1752

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

      Filesize

      62KB

      MD5

      3ac860860707baaf32469fa7cc7c0192

      SHA1

      c33c2acdaba0e6fa41fd2f00f186804722477639

      SHA256

      d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

      SHA512

      d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

    • C:\Users\Admin\AppData\Local\Temp\Tar34EE.tmp

      Filesize

      164KB

      MD5

      4ff65ad929cd9a367680e0e5b1c08166

      SHA1

      c0af0d4396bd1f15c45f39d3b849ba444233b3a2

      SHA256

      c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

      SHA512

      f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      a2630542ef64e7b71d73b9fc6069b04d

      SHA1

      f33f3b8004644c060ace0153e62dd0be78a8fd42

      SHA256

      3946f559807004a77a51d9d43828b783ed266049bd64ef724f33fa1c253e252a

      SHA512

      32df5200853b25ff8c3de50480b9661957143139fd4c8080613dc60fe797bd70e8edc68419632ef15ea875db8b941ea20cce4ba4cba26305a90eed53e811b29e

    • C:\Users\Admin\AppData\Roaming\welath7936.exe

      Filesize

      734KB

      MD5

      81016f4d0891cae478bae8c06a51aef8

      SHA1

      41ae8925b074ae4aa7445a6579f7013bf8b39cc6

      SHA256

      96d19b0d965d8afeb87bd82f3922f80b44224b8eb6b373bafcaeecfba7ea27d9

      SHA512

      72b3a77f1fb0aa786a3d3d94300d82c069ee03c9b9c2d7ac6ce5b2a4019f41847f9af963c5dc07891dc4cd4b498b77d72f8635643353f63a7b90c2c9cf9ac8c1

    • \Users\Admin\AppData\Roaming\welath7936.exe

      Filesize

      734KB

      MD5

      81016f4d0891cae478bae8c06a51aef8

      SHA1

      41ae8925b074ae4aa7445a6579f7013bf8b39cc6

      SHA256

      96d19b0d965d8afeb87bd82f3922f80b44224b8eb6b373bafcaeecfba7ea27d9

      SHA512

      72b3a77f1fb0aa786a3d3d94300d82c069ee03c9b9c2d7ac6ce5b2a4019f41847f9af963c5dc07891dc4cd4b498b77d72f8635643353f63a7b90c2c9cf9ac8c1

    • memory/1236-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1236-146-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1752-79-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/1752-87-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/1752-128-0x0000000004CC0000-0x0000000004D00000-memory.dmp

      Filesize

      256KB

    • memory/1752-80-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/1752-82-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/1752-81-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/1752-84-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/1752-83-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/1752-90-0x0000000004CC0000-0x0000000004D00000-memory.dmp

      Filesize

      256KB

    • memory/1752-89-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/1772-78-0x0000000000CD0000-0x0000000000D12000-memory.dmp

      Filesize

      264KB

    • memory/1772-76-0x0000000000630000-0x000000000063C000-memory.dmp

      Filesize

      48KB

    • memory/1772-74-0x0000000004C50000-0x0000000004C90000-memory.dmp

      Filesize

      256KB

    • memory/1772-73-0x0000000000550000-0x0000000000562000-memory.dmp

      Filesize

      72KB

    • memory/1772-77-0x0000000008140000-0x00000000081BA000-memory.dmp

      Filesize

      488KB

    • memory/1772-72-0x0000000004C50000-0x0000000004C90000-memory.dmp

      Filesize

      256KB

    • memory/1772-67-0x0000000000D70000-0x0000000000E2E000-memory.dmp

      Filesize

      760KB