Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
20/07/2023, 09:04
Static task
static1
Behavioral task
behavioral1
Sample
TTWireConfirmation_20230720 pdf.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
TTWireConfirmation_20230720 pdf.exe
Resource
win10v2004-20230703-en
General
-
Target
TTWireConfirmation_20230720 pdf.exe
-
Size
40KB
-
MD5
6577e3088e19e789d8cdc328c5c5fe21
-
SHA1
dabd810e66018ff0b27c891f358fe413e8891fbd
-
SHA256
177f753bd39be134d1eb4298663f3dfc9d6291a9d6ed56df851604800ae0d5b6
-
SHA512
f685c5f09f5be1ec031ba3e4e2990e34b5fa5063e5290da36ac3669f591fffc9a3f95e04bd00ea1e77e68692ae270756438a70dd836291f4e96ed33addb49d0f
-
SSDEEP
768:LZzeRDK3EaC8l2hP3SScNY8cfRqTuM+1+I:LZzCDK3Eaqh36G8BTugI
Malware Config
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 TTWireConfirmation_20230720 pdf.exe Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 TTWireConfirmation_20230720 pdf.exe Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 TTWireConfirmation_20230720 pdf.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gunalmvy = "C:\\Users\\Admin\\AppData\\Roaming\\Gunalmvy.exe" TTWireConfirmation_20230720 pdf.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 32 api.ipify.org 31 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1784 set thread context of 3092 1784 TTWireConfirmation_20230720 pdf.exe 92 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3092 TTWireConfirmation_20230720 pdf.exe 3092 TTWireConfirmation_20230720 pdf.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1784 TTWireConfirmation_20230720 pdf.exe Token: SeDebugPrivilege 3092 TTWireConfirmation_20230720 pdf.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1784 wrote to memory of 3092 1784 TTWireConfirmation_20230720 pdf.exe 92 PID 1784 wrote to memory of 3092 1784 TTWireConfirmation_20230720 pdf.exe 92 PID 1784 wrote to memory of 3092 1784 TTWireConfirmation_20230720 pdf.exe 92 PID 1784 wrote to memory of 3092 1784 TTWireConfirmation_20230720 pdf.exe 92 PID 1784 wrote to memory of 3092 1784 TTWireConfirmation_20230720 pdf.exe 92 PID 1784 wrote to memory of 3092 1784 TTWireConfirmation_20230720 pdf.exe 92 PID 1784 wrote to memory of 3092 1784 TTWireConfirmation_20230720 pdf.exe 92 PID 1784 wrote to memory of 3092 1784 TTWireConfirmation_20230720 pdf.exe 92 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 TTWireConfirmation_20230720 pdf.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 TTWireConfirmation_20230720 pdf.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\TTWireConfirmation_20230720 pdf.exe"C:\Users\Admin\AppData\Local\Temp\TTWireConfirmation_20230720 pdf.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Users\Admin\AppData\Local\Temp\TTWireConfirmation_20230720 pdf.exe"C:\Users\Admin\AppData\Local\Temp\TTWireConfirmation_20230720 pdf.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3092
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TTWireConfirmation_20230720 pdf.exe.log
Filesize1KB
MD5a13312e452bb67b8b110b6d7fbc6cf6f
SHA1057c5cc1d9b4c48eb1cb78463d8d7599f8fd8a50
SHA256d5e1315b62697659a967e9aaac291e96ab9cc7d90bab47bc30e6c338a81f479b
SHA5121e60ceb2af03e9eb8a347bf0ae2e57601ca82e51ec14962eba368393da46f939ff0429d54d59c8a90fbc8f32ed71c880634e0239ccc26c86c40496acdac7b9b0