Analysis
- max time kernel: 154s
- max time network: 181s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/05/2023, 20:27
Behavioral task: behavioral1
- Sample: f19126b02be0b331982e041dc9bcad51.exe
- Resource: win7-20230220-en
General
- Target: f19126b02be0b331982e041dc9bcad51.exe
- Size: 223KB
- MD5: f19126b02be0b331982e041dc9bcad51
- SHA1: 10ab04a6f24ce4540a564041375d8275a691e409
- SHA256: 2869db18f346049bcc9e378a77ed809fd9caad2fd2bd4d9f58d6e728c784b3eb
- SHA512: e6158c6c1563ff3f013b97c0b5da7b5f3301657b948ddb1198ebaea7ce5fc3a9c9f3f449646f45c070514e8796e6315a2afaab7894ba20e3b857a5dc504d093c
- SSDEEP: 3072:fvfoUJQCw+d+Uoj9DVbDWb0Cdfc6mdSCFytxpNS17e+8TNBfxz9l:fvfoOQHelqJbD4HJe7FytVSle+8TxX
Malware Config
Extracted
- Family: gurcu
- URL: https://api.telegram.org/bot5975822207:AAFJtzAlzLoF8RfkpKUagQJGRi0ksib6w3g/sendMessage?chat_id=1396661331
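The extracted gurcu config is a Telegram Bot API URL, which bundles three things a defender wants separately: the bot id, the bot token (the credential that lets anyone call the API as that bot) and the destination chat_id. The following Python is an added example, not part of this report or of any tool the sandbox runs: it splits that URL into those parts, derives the token-keyed URL prefix that every call by the same bot shares (sendMessage, sendDocument, etc.), and scans a `strings`-style dump for further bot URLs. The dump text is constructed here; only the embedded URL is the page's own value.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The Telegram Bot API URL from this report's extracted gurcu config.
TELEGRAM_C2_URL = ("https://api.telegram.org/bot5975822207:AAFJtzAlzLoF8RfkpKUagQJGRi0ksib6w3g"
                   "/sendMessage?chat_id=1396661331")

# Constructed stand-in for `strings` output of the sample or a memory dump.
# Only the Telegram URL is real (copied from the config above); the rest is filler.
SAMPLE_STRINGS = """\
NET.Framework
https://api.telegram.org/bot5975822207:AAFJtzAlzLoF8RfkpKUagQJGRi0ksib6w3g/sendMessage?chat_id=1396661331
http://ip-api.com/
Control Panel\\International\\Geo\\Nation
"""

# Bot API path shape: /bot<numeric bot id>:<35-character secret>/<method>
BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)$")
# Same shape embedded anywhere in free text, optional query string up to whitespace.
BOT_URL_RE = re.compile(r"https?://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]{35}/[A-Za-z]+(?:\?\S*)?")


def parse_telegram_c2(url):
    """Split a Telegram Bot API URL into the parts a defender acts on.

    Returns None for anything that is not a well-formed api.telegram.org bot call.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.netloc.lower() != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        return None
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    token = f"{m['bot_id']}:{m['secret']}"
    return {
        "bot_id": m["bot_id"],
        "token": token,
        "method": m["method"],
        "chat_id": chat_id,
        # Every call by this bot shares this prefix, whatever method the stealer
        # uses, so the prefix is the durable network indicator rather than the
        # full sendMessage URL.
        "url_prefix": f"https://api.telegram.org/bot{token}/",
    }


def find_telegram_bots(text):
    """Pull every Telegram bot URL out of a strings dump and parse it."""
    found = []
    for m in BOT_URL_RE.finditer(text):
        parsed = parse_telegram_c2(m.group(0))
        if parsed:
            found.append(parsed)
    return found


if __name__ == "__main__":
    for bot in find_telegram_bots(SAMPLE_STRINGS):
        print(f"bot {bot['bot_id']} -> chat {bot['chat_id']} via {bot['method']}")
        print(f"block/hunt prefix: {bot['url_prefix']}")
```

The token is the whole credential: the host is legitimate and TLS-protected, so the only things that distinguish this traffic from a benign Telegram client are the bot id and token in the path, which is why the prefix is what goes into a proxy or EDR rule rather than the domain.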
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation (f19126b02be0b331982e041dc9bcad51.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation (f19126b02be0b331982e041dc9bcad51.exe)
- Executes dropped EXE (3 IoCs)
  PID 3364 f19126b02be0b331982e041dc9bcad51.exe
  PID 1620 f19126b02be0b331982e041dc9bcad51.exe
  PID 2516 tor.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 39: ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2356 schtasks.exe
- Runs ping.exe (1 TTP, 1 IoC)
  PID 3444 PING.EXE
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 3364 f19126b02be0b331982e041dc9bcad51.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 5060 f19126b02be0b331982e041dc9bcad51.exe
  Token: SeDebugPrivilege, PID 3364 f19126b02be0b331982e041dc9bcad51.exe
  Token: SeDebugPrivilege, PID 1620 f19126b02be0b331982e041dc9bcad51.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description                        pid   Process                                procid_target
  PID 5060 wrote to memory of 616    5060  f19126b02be0b331982e041dc9bcad51.exe   86
  PID 5060 wrote to memory of 616    5060  f19126b02be0b331982e041dc9bcad51.exe   86
  PID 616 wrote to memory of 4956    616   cmd.exe                                88
  PID 616 wrote to memory of 4956    616   cmd.exe                                88
  PID 616 wrote to memory of 3444    616   cmd.exe                                89
  PID 616 wrote to memory of 3444    616   cmd.exe                                89
  PID 616 wrote to memory of 2356    616   cmd.exe                                90
  PID 616 wrote to memory of 2356    616   cmd.exe                                90
  PID 616 wrote to memory of 3364    616   cmd.exe                                91
  PID 616 wrote to memory of 3364    616   cmd.exe                                91
  PID 1620 wrote to memory of 4652   1620  f19126b02be0b331982e041dc9bcad51.exe   99
  PID 1620 wrote to memory of 4652   1620  f19126b02be0b331982e041dc9bcad51.exe   99
  PID 1620 wrote to memory of 2516   1620  f19126b02be0b331982e041dc9bcad51.exe   101
  PID 1620 wrote to memory of 2516   1620  f19126b02be0b331982e041dc9bcad51.exe   101
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\f19126b02be0b331982e041dc9bcad51.exe (PID 5060)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f19126b02be0b331982e041dc9bcad51.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 616)
    Command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "f19126b02be0b331982e041dc9bcad51" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\f19126b02be0b331982e041dc9bcad51.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\f19126b02be0b331982e041dc9bcad51.exe" &&START "" "C:\Users\Admin\AppData\Local\NET.Framework\f19126b02be0b331982e041dc9bcad51.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\chcp.com (PID 4956)
      Command line: chcp 65001
    - C:\Windows\system32\PING.EXE (PID 3444)
      Command line: ping 127.0.0.1
      - Runs ping.exe
    - C:\Windows\system32\schtasks.exe (PID 2356)
      Command line: schtasks /create /tn "f19126b02be0b331982e041dc9bcad51" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\f19126b02be0b331982e041dc9bcad51.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\NET.Framework\f19126b02be0b331982e041dc9bcad51.exe (PID 3364)
      Command line: "C:\Users\Admin\AppData\Local\NET.Framework\f19126b02be0b331982e041dc9bcad51.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\NET.Framework\f19126b02be0b331982e041dc9bcad51.exe (PID 1620)
  Command line: C:\Users\Admin\AppData\Local\NET.Framework\f19126b02be0b331982e041dc9bcad51.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\tar.exe (PID 4652)
    Command line: "C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp3033.tmp" -C "C:\Users\Admin\AppData\Local\i86t5yhbwx"
  - C:\Users\Admin\AppData\Local\i86t5yhbwx\tor\tor.exe (PID 2516)
    Command line: "C:\Users\Admin\AppData\Local\i86t5yhbwx\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\i86t5yhbwx\torrc.txt"
    - Executes dropped EXE
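The process tree above is the whole install chain in four command lines: cmd.exe pauses with `ping 127.0.0.1`, registers a `/sc MINUTE` `/rl HIGHEST` task pointing at a copy under `%LOCALAPPDATA%\NET.Framework`, deletes the original and starts the copy; the copy (the second top-level instance, PID 1620, consistent with a scheduled-task launch) then unpacks a `.tmp` archive with the built-in `tar.exe` and runs a bundled `tor.exe` with its own torrc. The Python below is an added example, not part of this report or of the sandbox: it encodes each of those steps as a rule over process-creation events and runs them against events transcribed from the tree, plus one constructed benign `schtasks` entry to show the rules do not fire on an ordinary vendor updater. The event dicts, field names and the benign entry are constructed; the command lines are the page's own.

```python
import re

# Process-creation events transcribed from this report's process tree, with one
# constructed benign control at the end. Field names loosely follow Sysmon Event ID 1.
EVENTS = [
    {"pid": 5060, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\f19126b02be0b331982e041dc9bcad51.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\f19126b02be0b331982e041dc9bcad51.exe"'},
    {"pid": 616, "ppid": 5060, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "f19126b02be0b331982e041dc9bcad51" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\f19126b02be0b331982e041dc9bcad51.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\f19126b02be0b331982e041dc9bcad51.exe" &&START "" "C:\Users\Admin\AppData\Local\NET.Framework\f19126b02be0b331982e041dc9bcad51.exe"'},
    {"pid": 2356, "ppid": 616, "image": r"C:\Windows\system32\schtasks.exe",
     "cmd": r'schtasks /create /tn "f19126b02be0b331982e041dc9bcad51" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\f19126b02be0b331982e041dc9bcad51.exe" /rl HIGHEST /f'},
    {"pid": 4652, "ppid": 1620, "image": r"C:\Windows\System32\tar.exe",
     "cmd": r'"C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmp3033.tmp" -C "C:\Users\Admin\AppData\Local\i86t5yhbwx"'},
    {"pid": 2516, "ppid": 1620, "image": r"C:\Users\Admin\AppData\Local\i86t5yhbwx\tor\tor.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\i86t5yhbwx\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\i86t5yhbwx\torrc.txt"'},
    # Constructed benign control: a daily task for a binary under Program Files.
    {"pid": 7000, "ppid": 1, "image": r"C:\Windows\system32\schtasks.exe",
     "cmd": r'schtasks /create /tn "Updater" /sc DAILY /tr "C:\Program Files\Vendor\update.exe" /f'},
]

# Anything under a user's AppData is writable without admin rights.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


def _switch(cmd, name):
    """Return the value following a schtasks-style /name switch, with quotes stripped."""
    m = re.search(r"/" + name + r'\s+(?:"([^"]*)"|(\S+))', cmd, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def rule_task_from_appdata(ev):
    """schtasks /create with a per-minute trigger whose action lives in user AppData."""
    if not ev["image"].lower().endswith("\\schtasks.exe"):
        return None
    cmd = ev["cmd"]
    if not re.search(r"/create\b", cmd, re.I):
        return None
    target = _switch(cmd, "tr") or ""
    if USER_WRITABLE.search(target) and (_switch(cmd, "sc") or "").upper() == "MINUTE":
        return "schtasks: minute-cadence task with action under user AppData"
    return None


def rule_relocate_and_delete(ev):
    """One cmd.exe line that delays (ping 127.0.0.1), registers a task, deletes the
    original file and starts the relocated copy."""
    if not ev["image"].lower().endswith("\\cmd.exe"):
        return None
    c = ev["cmd"].lower()
    if ("ping 127.0.0.1" in c and "schtasks /create" in c
            and re.search(r"\bdel\b", c) and re.search(r"&&\s*start\b", c)):
        return "cmd: ping delay + schtasks + self-delete + start relocated copy"
    return None


def rule_bundled_tor(ev):
    """tor.exe run from a user-writable path with an explicit torrc."""
    img = ev["image"].lower()
    if img.endswith("\\tor.exe") and USER_WRITABLE.search(img) and re.search(r"\s-f\s", ev["cmd"]):
        return "tor.exe launched from AppData with a custom torrc"
    return None


def rule_tar_unpack_to_appdata(ev):
    """Built-in tar.exe extracting a .tmp file from Temp into user AppData."""
    if not ev["image"].lower().endswith("\\tar.exe"):
        return None
    c = ev["cmd"]
    m = re.search(r'-C\s+"([^"]+)"', c)
    dest = m.group(1) if m else ""
    if re.search(r"\s-x\w*\s", c) and USER_WRITABLE.search(dest) and re.search(r'\\Temp\\[^"]+\.tmp', c, re.I):
        return "tar.exe extracting a Temp .tmp archive into AppData"
    return None


RULES = [rule_task_from_appdata, rule_relocate_and_delete, rule_bundled_tor, rule_tar_unpack_to_appdata]


def triage(events):
    """Run every rule over every event; return (pid, verdict) pairs in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            verdict = rule(ev)
            if verdict:
                hits.append((ev["pid"], verdict))
    return hits


if __name__ == "__main__":
    for pid, verdict in triage(EVENTS):
        print(f"PID {pid}: {verdict}")
```

Each rule keys on the combination that the benign control lacks (writable action path plus minute cadence, or the delay-install-delete-start chain in one command line) rather than on `schtasks.exe` or `tar.exe` alone, both of which are everyday Windows binaries; the task name here happens to be the sample's MD5, which is a useful hunt pivot but not something a rule should depend on.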
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: fc1be6f3f52d5c841af91f8fc3f790cb
  SHA1: ac79b4229e0a0ce378ae22fc6104748c5f234511
  SHA256: 6da862f7c7feffca99cd58712ece93928c6ca6aed617f5d8c10a4718eaa2a910
  SHA512: 2f46165017309ee1a0c1b23e30a71e52e86ad8933e2649bf58c3f4628c5aa75659f5b8f6be32c2882f220b2f3ff2fd50d8766bf0a3708c94c2c634c051a05ea6
- Filesize: 223KB
  MD5: f19126b02be0b331982e041dc9bcad51
  SHA1: 10ab04a6f24ce4540a564041375d8275a691e409
  SHA256: 2869db18f346049bcc9e378a77ed809fd9caad2fd2bd4d9f58d6e728c784b3eb
  SHA512: e6158c6c1563ff3f013b97c0b5da7b5f3301657b948ddb1198ebaea7ce5fc3a9c9f3f449646f45c070514e8796e6315a2afaab7894ba20e3b857a5dc504d093c
- Filesize: 223KB
  MD5: f19126b02be0b331982e041dc9bcad51
  SHA1: 10ab04a6f24ce4540a564041375d8275a691e409
  SHA256: 2869db18f346049bcc9e378a77ed809fd9caad2fd2bd4d9f58d6e728c784b3eb
  SHA512: e6158c6c1563ff3f013b97c0b5da7b5f3301657b948ddb1198ebaea7ce5fc3a9c9f3f449646f45c070514e8796e6315a2afaab7894ba20e3b857a5dc504d093c
- Filesize: 223KB
  MD5: f19126b02be0b331982e041dc9bcad51
  SHA1: 10ab04a6f24ce4540a564041375d8275a691e409
  SHA256: 2869db18f346049bcc9e378a77ed809fd9caad2fd2bd4d9f58d6e728c784b3eb
  SHA512: e6158c6c1563ff3f013b97c0b5da7b5f3301657b948ddb1198ebaea7ce5fc3a9c9f3f449646f45c070514e8796e6315a2afaab7894ba20e3b857a5dc504d093c
- Filesize: 13.3MB
  MD5: 89d2d5811c1aff539bb355f15f3ddad0
  SHA1: 5bb3577c25b6d323d927200c48cd184a3e27c873
  SHA256: b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12
  SHA512: 39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289
- Filesize: 2.3MB
  MD5: cf90fa3a9a4f38a4bc7062852dec45ba
  SHA1: 0ba595a323aca695c9c57a5e0b63b879d9feabfa
  SHA256: 0851ef13b0a8c84cbffaacfa40442d3cd1bfb47e1114fbe74e2a42fd7a6e6131
  SHA512: f77a9aaf72bf408eec09bd60d82fde0b4190cbaae2c5e74b8c577f19050a5e5063c2a0e7b78d70ee2fa63e86584a0bd8106b8d0e953bf59dc80eb1caabee410f
- Filesize: 4.4MB
  MD5: 5e15435ac25afde081a92a44e46e4434
  SHA1: 3dc764a8731ca91908147900738e4306e4d908ce
  SHA256: 010e82e1f0685857c52839ceb190249edd9641379fbe4f85d88c3d6b5e7b253f
  SHA512: 92020171241121dc0a476a6ef0eed71e68317af9d305cfc2b19ceca6387834e86fce0806eeb2651ba3e93d5a0ce0a77054c7227a5e62768684939c36b79bd3cc
- Filesize: 64B
  MD5: ed5511032287e9c7a2b13d4ac9f707e6
  SHA1: 7d0549a995bfe70f4aeaa0f37ab27b7950d8605d
  SHA256: 9f4b4a8e213e7e9abaafd66671fadf62c7e8306a75d4544f34ac4121da3d0169
  SHA512: 319488679e131af5dbb22fb301e6ef180a2b234cc7a8dbe98d02dc71669d6847197663eaac106d3841bed9f092e437239c31fb09863a552945de430b4f7778ee
- Filesize: 4B
  MD5: 07f75d9144912970de5a09f5a305e10c
  SHA1: 11ff2346b384b19190353d5d04521327b7486e6e
  SHA256: 0db1804a6beaabd4686ed1f9a9763427df438dafe97e3a2a761e1db81405f538
  SHA512: 98140230395fd2b9515eb073e5c0261057ee2be9a608f5194b95e8b2ff406d9fe60d44bb78bb2b767a66bc20ad84920048505b7a819539fdfd2c8500cf66fbfb
- Filesize: 7.4MB
  MD5: 88590909765350c0d70c6c34b1f31dd2
  SHA1: 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
  SHA256: 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
  SHA512: a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192
- Filesize: 7.4MB
  MD5: 88590909765350c0d70c6c34b1f31dd2
  SHA1: 129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7
  SHA256: 46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82
  SHA512: a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192
- Filesize: 218B
  MD5: 2fc31937bd5f917af0603d890afc2435
  SHA1: 0d7c35f266584c830a18f1f7b33a2278fceef02a
  SHA256: 1f0bdaa2317a9089bd1f51a0de0aa76ce870da2820e9af25e6ab027c015ac01c
  SHA512: e9fe4bcce4d790e8384b4f872d16ea2f4dd578e1d4ff7a2104324655de8dfea6bbf9e8b324fa07f335a682b3a470f64d99a1be759426c2e886f3fdf40893257d