Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

90382d070f...0f.exe

windows7-x64

10

90382d070f...0f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    203s
  • max time network
    211s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/05/2023, 02:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    90382d070f58dd0a9f21d05327c2589116e2271e2cce2cce69018e1f4d836c0f.exe

  • Size

    1.5MB

  • MD5

    e2b30c0c90faeeb878ed21be152d2dc1

  • SHA1

    b64e8bbd7d23f9585a7ff9b24a61a7ab119f1769

  • SHA256

    90382d070f58dd0a9f21d05327c2589116e2271e2cce2cce69018e1f4d836c0f

  • SHA512

    7126633aeaeaa91f08d5c0dce6129bfb7501287cad6ac106f1c64c2ab0cb010d3b870680047ea3e9dffdb3bfccab2a9d2a11f8057dd302dfaf140b34022bd74f

  • SSDEEP

    24576:PnQ3GQdfKrh2G8uraReOgX1yFQ+5irxTCQJ5xvCwUXZMnKfJIxzN5b2K:P9QdIuWed+sKK+CQ5CwMZMnx0

Score
10/10
blustealercollectionstealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • Executes dropped EXE 6 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Drops file in System32 directory 7 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 5 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\90382d070f58dd0a9f21d05327c2589116e2271e2cce2cce69018e1f4d836c0f.exe
    "C:\Users\Admin\AppData\Local\Temp\90382d070f58dd0a9f21d05327c2589116e2271e2cce2cce69018e1f4d836c0f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Users\Admin\AppData\Local\Temp\90382d070f58dd0a9f21d05327c2589116e2271e2cce2cce69018e1f4d836c0f.exe
      "C:\Users\Admin\AppData\Local\Temp\90382d070f58dd0a9f21d05327c2589116e2271e2cce2cce69018e1f4d836c0f.exe"
      2⤵
        PID:1156
      • C:\Users\Admin\AppData\Local\Temp\90382d070f58dd0a9f21d05327c2589116e2271e2cce2cce69018e1f4d836c0f.exe
        "C:\Users\Admin\AppData\Local\Temp\90382d070f58dd0a9f21d05327c2589116e2271e2cce2cce69018e1f4d836c0f.exe"
        2⤵
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3640
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          3⤵
          • Accesses Microsoft Outlook profiles
          • outlook_office_path
          • outlook_win_path
          PID:2992
    • C:\Windows\System32\alg.exe
      C:\Windows\System32\alg.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:2952
    • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
      C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
      1⤵
      • Executes dropped EXE
      PID:2616
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
      1⤵
        PID:1604
      • C:\Windows\system32\fxssvc.exe
        C:\Windows\system32\fxssvc.exe
        1⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:4944
      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
        1⤵
        • Executes dropped EXE
        PID:664
      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
        1⤵
        • Executes dropped EXE
        PID:4940
      • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
        "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
        1⤵
        • Executes dropped EXE
        PID:2800

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
        Filesize

        2.1MB

        MD5

        0da9d2bac2dcd332aef6f2954f5f81e8

        SHA1

        d653450f28a4adf253c2a87eb2a0eb626719f7a2

        SHA256

        f1027f7043bcb0af319a7e9a66de23d38db3244aacf87e33511c72a7fa20f6ef

        SHA512

        9f8747bed40118018a3a1ed63ca72e1f556d69453f52ba78f988e77ae60d35ffb778feb2b2c382320a875f50c8d62a186cb6b71c7be59635feff963e7df03a20

        Download Submit

      • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
        Filesize

        1.4MB

        MD5

        f844d597da3ea55ef83be7d0458baa6a

        SHA1

        e2845e82e0974158eb01824e12350151b0b53411

        SHA256

        93e8712af0e8b3f9b6e61f289c373562ea894884034ba6f8f42d49eef9a10c52

        SHA512

        a49f0efeef3730e624139b835fd4b818cd74c33ede65d700edb5d5b6fde74bfe8b7f2217231ffd00e21141b440de5b49a8b3c1811bee0b17df4b35279e0e6abc

        Download Submit

      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
        Filesize

        2.1MB

        MD5

        fa0d98a41f4aa0a463f1fce155e64eb4

        SHA1

        e567e910c7f61fc28c96b41d8a48a19f6b59bc72

        SHA256

        cb42cc1ff1183b70803d02d4f4665b9afb274b8e4591f57ef41f0ecf2a70c1a2

        SHA512

        7825073ea97df83cd5823303f0a2ffd50c29d13a460af8e2d6adeb4285f0b439133062a6f0cdb2f9429cd18e52ceaa9637bd9d9bde39f8fe4d494b90d153f1f7

        Download Submit

      • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
        Filesize

        1.3MB

        MD5

        46e7f6acb0ef8a6f48754703b574b66f

        SHA1

        8d43fad37fb2580ee7feeece03d32b72065e15c1

        SHA256

        7995e0be800144323d08bb196491fd581005acccbde4bc511e5afcad49d6c947

        SHA512

        850b501ff632fb8157304a5d9d559543d519c22eda23b69ff274732c483ac951600b27d33508bccdcad75a754174baa456ce9e2ac9d6fc5d38c7ecaa507709e7

        Download Submit

      • C:\Windows\System32\FXSSVC.exe
        Filesize

        1.2MB

        MD5

        e3f85ffec7faabc6028bfca0a578bbce

        SHA1

        cb0baf27629708a1a9a2712943bf2025ce16de28

        SHA256

        6b8335e7463d8a954c66b814e46ad65a9151c62070534d10f057b6183c47c492

        SHA512

        200b0507b9afbd8c9193f6dac999085c4e0a35e2c9292f7240ec97ac84e2ee432f9cb67424d12ebb437e6b45ae7d1d344c53772adc968bb0715621aafb40db46

        Download Submit

      • C:\Windows\System32\alg.exe
        Filesize

        1.3MB

        MD5

        4a831043175b09fac62deea276c2946a

        SHA1

        b1a22f62db47213e29cc919175820031b34cd2e4

        SHA256

        8c7a40ad556905bc8a83cec45c73edca5e54a8cc8a1dbb62a1da232b0c00ea1b

        SHA512

        792acec4333a193b022e2944a21376ff564028039dc3d1b001344cc31a8ce892b26cf8cf92f1fc3c63b6b3e76236c95b945d1550d1bbc097f5b2560a43f91bc0

        Download Submit

      • memory/664-234-0x0000000140000000-0x0000000140237000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/664-198-0x00000000004D0000-0x0000000000530000-memory.dmp

        Filesize

        384KB

        Download

      • memory/664-204-0x00000000004D0000-0x0000000000530000-memory.dmp

        Filesize

        384KB

        Download

      • memory/664-207-0x0000000140000000-0x0000000140237000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1216-136-0x0000000005730000-0x000000000573A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1216-133-0x0000000000040000-0x00000000001C4000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/1216-138-0x0000000004A80000-0x0000000004A90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1216-137-0x0000000004A80000-0x0000000004A90000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1216-134-0x0000000004FB0000-0x0000000005554000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1216-139-0x00000000079F0000-0x0000000007A8C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/1216-135-0x0000000004AA0000-0x0000000004B32000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2616-181-0x0000000140000000-0x0000000140200000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2616-171-0x0000000000670000-0x00000000006D0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2616-177-0x0000000000670000-0x00000000006D0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2800-221-0x0000000140000000-0x0000000140221000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2800-220-0x0000000001A00000-0x0000000001A60000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2952-168-0x0000000140000000-0x0000000140201000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2952-163-0x00000000004A0000-0x0000000000500000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2952-157-0x00000000004A0000-0x0000000000500000-memory.dmp

        Filesize

        384KB

        Download

      • memory/2992-169-0x0000000001230000-0x0000000001296000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2992-182-0x00000000057C0000-0x00000000057D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3640-149-0x0000000000400000-0x0000000000654000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/3640-150-0x0000000003170000-0x00000000031D6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3640-140-0x0000000000400000-0x0000000000654000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/3640-143-0x0000000000400000-0x0000000000654000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/3640-144-0x0000000003170000-0x00000000031D6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3640-179-0x0000000000400000-0x0000000000654000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/4940-215-0x0000000000190000-0x00000000001F0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/4940-217-0x0000000140000000-0x000000014022B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4940-209-0x0000000000190000-0x00000000001F0000-memory.dmp

        Filesize

        384KB

        Download

      • memory/4940-235-0x0000000140000000-0x000000014022B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/4944-196-0x0000000140000000-0x0000000140135000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/4944-185-0x00000000008C0000-0x0000000000920000-memory.dmp

        Filesize

        384KB

        Download

      • memory/4944-191-0x00000000008C0000-0x0000000000920000-memory.dmp

        Filesize

        384KB

        Download

      • memory/4944-193-0x00000000008C0000-0x0000000000920000-memory.dmp

        Filesize

        384KB

        Download