Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 145s
max time network: 32s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 30/05/2023, 07:46
Static task: static1
Behavioral task: behavioral1
  Sample: DHL doc.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: DHL doc.exe
  Resource: win10v2004-20230220-en
General
Target: DHL doc.exe
Size: 1.4MB
MD5: 6d4b2188167e36105b407dac8185bf10
SHA1: 9777d98556ef004559dc67cd4a600e5b16ceb9be
SHA256: 8926f2c51db03fda181f7b020c07b72627f8348c1d9b73d22eefd05ac4a0983f
SHA512: c96d8a1280c268d7fbeec8ae58451e271033c5e4676269ed5bc9ba9a5a84c759a64fb0310d80a8dbc6abd6bb33a2aca37d895472cfa0d4bbfd5de1832afa945a
SSDEEP: 24576:pPLaVUH999wnomY9hpGlpO3FvAcZ7CXCXBEfgP2xRyfmSOKC7R4EAzFSC4E/Yzwf:xBH9qomY9hglpcqCXBEfgZfmSOKC7R45
Malware Config
Extracted
Family: lokibot
C2:
  http://161.35.102.56/~nikol/?p=4479137330
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures

Executes dropped EXE (7 IoCs)
  pid   Process
  844   ._cache_DHL doc.exe
  1008  Synaptics.exe
  1288  Synaptics.exe
  396   Synaptics.exe
  316   Synaptics.exe
  1680  Synaptics.exe
  1728  Synaptics.exe

Loads dropped DLL (4 IoCs)
  pid   Process
  696   DHL doc.exe (4 events)

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description   ioc                                                                                                                                         Process
  Key opened    \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   ._cache_DHL doc.exe
  Key opened    \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook                                   ._cache_DHL doc.exe
  Key opened    \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook                                   ._cache_DHL doc.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description       ioc                                                                                                                                                Process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"   DHL doc.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                           pid   Process       procid_target
  PID 1232 set thread context of 696    1232  DHL doc.exe   29

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid   Process
  1232  DHL doc.exe (1 event)
  1008  Synaptics.exe (10 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   1232  DHL doc.exe
  Token: SeDebugPrivilege   844   ._cache_DHL doc.exe
  Token: SeDebugPrivilege   1008  Synaptics.exe

Suspicious use of WriteProcessMemory (44 IoCs; identical rows collapsed, count in last column)
  description                         pid   Process         procid_target   count
  PID 1232 wrote to memory of 1280    1232  DHL doc.exe     28              4
  PID 1232 wrote to memory of 696     1232  DHL doc.exe     29              12
  PID 696 wrote to memory of 844      696   DHL doc.exe     30              4
  PID 696 wrote to memory of 1008     696   DHL doc.exe     31              4
  PID 1008 wrote to memory of 1288    1008  Synaptics.exe   33              4
  PID 1008 wrote to memory of 396     1008  Synaptics.exe   34              4
  PID 1008 wrote to memory of 316     1008  Synaptics.exe   35              4
  PID 1008 wrote to memory of 1680    1008  Synaptics.exe   36              4
  PID 1008 wrote to memory of 1728    1008  Synaptics.exe   37              4

outlook_office_path (1 IoCs)
  description   ioc                                                                                                                 Process
  Key opened    \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook   ._cache_DHL doc.exe

outlook_win_path (1 IoCs)
  description   ioc                                                                                                                                         Process
  Key opened    \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   ._cache_DHL doc.exe
Processes (indentation shows the parent/child tree)

PID 1232: C:\Users\Admin\AppData\Local\Temp\DHL doc.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\DHL doc.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  PID 1280: C:\Users\Admin\AppData\Local\Temp\DHL doc.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\DHL doc.exe"

  PID 696: C:\Users\Admin\AppData\Local\Temp\DHL doc.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\DHL doc.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    PID 844: C:\Users\Admin\AppData\Local\Temp\._cache_DHL doc.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache_DHL doc.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path

    PID 1008: C:\ProgramData\Synaptics\Synaptics.exe
      cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      PID 1288: C:\ProgramData\Synaptics\Synaptics.exe
        cmdline: "C:\ProgramData\Synaptics\Synaptics.exe"
        - Executes dropped EXE

      PID 396: C:\ProgramData\Synaptics\Synaptics.exe
        cmdline: "C:\ProgramData\Synaptics\Synaptics.exe"
        - Executes dropped EXE

      PID 316: C:\ProgramData\Synaptics\Synaptics.exe
        cmdline: "C:\ProgramData\Synaptics\Synaptics.exe"
        - Executes dropped EXE

      PID 1680: C:\ProgramData\Synaptics\Synaptics.exe
        cmdline: "C:\ProgramData\Synaptics\Synaptics.exe"
        - Executes dropped EXE

      PID 1728: C:\ProgramData\Synaptics\Synaptics.exe
        cmdline: "C:\ProgramData\Synaptics\Synaptics.exe"
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads (two distinct files; the report listed each of them several times with identical hashes, repeats dropped)

Filesize: 1.4MB
MD5: 6d4b2188167e36105b407dac8185bf10
SHA1: 9777d98556ef004559dc67cd4a600e5b16ceb9be
SHA256: 8926f2c51db03fda181f7b020c07b72627f8348c1d9b73d22eefd05ac4a0983f
SHA512: c96d8a1280c268d7fbeec8ae58451e271033c5e4676269ed5bc9ba9a5a84c759a64fb0310d80a8dbc6abd6bb33a2aca37d895472cfa0d4bbfd5de1832afa945a

Filesize: 104KB
MD5: 3d81dc8162f2c97463d9b4487c2a1308
SHA1: 98ba9509e131f36742200cd116733c338b4b1971
SHA256: e17c72d80c47b69de339dabcea2cb93ebb9a7a98f7f8f78c233d4cec02471aee
SHA512: 4c806f39bbc55a8cb492be82ce2698059b4ff2c3f5a2bd96293e2123d0fd40fa09fc1f3b01b7b4fa1f3facb60e35add959e9da1ed0a7b1bee2b38b592bb2d892