Analysis

  max time kernel:   142s
  max time network:  156s
  platform:          windows10-2004_x64
  resource:          win10v2004-20230703-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         31/08/2023, 07:08 UTC

Static task
  static1

Behavioral task
  behavioral1
    Sample:   ea17303f6dc9d21f61d9bb9558ebbe3ebc95f4d612c50fab858e7db2460d7df8.exe
    Resource: win7-20230712-en

Behavioral task
  behavioral2
    Sample:   ea17303f6dc9d21f61d9bb9558ebbe3ebc95f4d612c50fab858e7db2460d7df8.exe
    Resource: win10v2004-20230703-en
General

  Target: ea17303f6dc9d21f61d9bb9558ebbe3ebc95f4d612c50fab858e7db2460d7df8.exe
  Size:   25KB
  MD5:    60f6e8250693d698945a9744a08aea75
  SHA1:   c5391a4165c1df0686e7d312169c5881904a2bde
  SHA256: ea17303f6dc9d21f61d9bb9558ebbe3ebc95f4d612c50fab858e7db2460d7df8
  SHA512: e8c353f365d835ee71dda5119cd6ac52f980d1639541a8c44eaf9eca8b2514b8f0af26e3e082c9219afcef63d271d9d03e3c7641608c99820c6a0462f3335e61
  SSDEEP: 384:qc0J+vqBoLotA8oPNIrxKRQSv7QrzVVvOytGxboE9K/mKHrjpjv/+Vl:8Q3LotOPNSQVwVVxGKEvKHrV2l
Malware Config
Signatures

- Executes dropped EXE (1 IoC)
    PID    Process
    1076   spoolsv.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and similar secrets.
  The report attaches no concrete IoCs to this signature; it is a TTP match only.

- Adds Run key to start application (2 TTPs, 2 IoCs)
    Description       IoC                                                                                                              Process
    Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spoolsv = "C:\\Windows\\spoolsv.exe"   ea17303f6dc9d21f61d9bb9558ebbe3ebc95f4d612c50fab858e7db2460d7df8.exe
    Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spoolsv = "C:\\Windows\\spoolsv.exe"   spoolsv.exe
  The value name and target imitate the Print Spooler binary, but the genuine one is C:\Windows\System32\spoolsv.exe and is started as a service, never from a Run key. The WOW6432Node path indicates the write went through WOW64 registry redirection, i.e. from a 32-bit process on this x64 image, so hunt under both the native and the WOW6432Node Run keys.

- Drops file in Windows directory (2 IoCs)
    Description    IoC                       Process
    File created   C:\Windows\spoolsv.exe    ea17303f6dc9d21f61d9bb9558ebbe3ebc95f4d612c50fab858e7db2460d7df8.exe
    File created   C:\Windows\spoolsv.exe    spoolsv.exe
  Creating a file directly under C:\Windows requires administrative rights, so the drop succeeding means the sample ran elevated in the sandbox. The location is a masquerade (a legitimate file name in the wrong directory, ATT&CK T1036.005); a well-known name outside System32 is the signal to hunt for.

- NTFS ADS (1 IoC)
    Description                    IoC                                                              Process
    File opened for modification   C:\Users\Admin\AppData\Local\Temp\https:\onsapay.com\loader      spoolsv.exe
  The colon after "https" is what trips the alternate-data-stream heuristic: the path is a URL (onsapay.com/loader, with its slashes written as backslashes) appended to the Temp directory, which is typical of a download routine that reuses the URL as the local file name. Treat onsapay.com as a probable payload host, but note that the Network section below records no forward lookup for it, so the retrieval itself was not observed.

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
    Description               PID    Process
    Token: SeDebugPrivilege   1544   ea17303f6dc9d21f61d9bb9558ebbe3ebc95f4d612c50fab858e7db2460d7df8.exe
    Token: SeDebugPrivilege   1076   spoolsv.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
    Description                          PID    Process                                                                    procid_target
    PID 1544 wrote to memory of 1076     1544   ea17303f6dc9d21f61d9bb9558ebbe3ebc95f4d612c50fab858e7db2460d7df8.exe   80
    (the same entry is recorded three times)
  All three writes go from the dropper into the child it has just created. CreateProcess itself writes into the new process's address space to set up its parameters, so this pattern on its own is consistent with ordinary process creation and does not by itself establish injection into an unrelated process.
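The persistence and masquerading indicators above (a Run value named spoolsv pointing at C:\Windows\spoolsv.exe, the dropped binary itself, the masquerading child process, and a Temp path containing a colon) translate directly into host-side detection logic. What follows is an added example, not code from this report or from tria.ge: it runs Sysmon-style events through four rules and is exercised on constructed sample events that mirror this report's IoCs alongside benign controls. Field names follow Sysmon (EventID 1, 11, 13, 15; Image, TargetObject, Details, TargetFilename, CommandLine); the list of "system binaries", the legitimate-directory set and the benign-stream allowlist are assumptions made for the demonstration.

```python
"""Hunt Sysmon-style events for the persistence/masquerading pattern seen in this report.

Added example; the rules and sample events are constructed for illustration,
not taken from tria.ge. Field names follow Sysmon: EventID 1 (process create),
11 (file create), 13 (registry value set), 15 (file stream create).
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumption: names of binaries that only legitimately run from System32/SysWOW64.
SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumption: streams that are expected noise (mark-of-the-web on downloads).
BENIGN_STREAMS = {"zone.identifier"}

# Matches both native and WOW6432Node Run/RunOnce value names.
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\[^\\]+$", re.IGNORECASE)
# Any colon after the drive letter means the path names an alternate data stream
# (the same heuristic that fired on Temp\https:\onsapay.com\loader in the report).
ADS_RE = re.compile(r"^[a-z]:\\.*:(?P<stream>[^:]*)$", re.IGNORECASE)

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\ea17303f6dc9d21f61d9bb9558ebbe3ebc95f4d612c50fab858e7db2460d7df8.exe"


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str


def executable_from_run_value(value: str) -> str:
    """Return the program path from a Run value, honouring a quoted path followed by arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ", 1)[0]


def is_masquerading(path: str) -> bool:
    """True when the file name is a well-known system binary but lives outside System32/SysWOW64 (T1036.005)."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower().rstrip("\\")
    return name in SYSTEM_BINARIES and directory not in LEGIT_DIRS


def hunt(events: List[Dict]) -> List[Finding]:
    """Apply the four rules to a list of event dicts and return every hit in event order."""
    findings: List[Finding] = []
    for ev in events:
        eid, image = ev["EventID"], ev.get("Image", "?")
        if eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            target = executable_from_run_value(ev["Details"])
            if is_masquerading(target):
                findings.append(Finding("run_key_masquerade", image, f'{ev["TargetObject"]} -> {target}'))
        elif eid in (11, 15):
            path = ev["TargetFilename"]
            if eid == 11 and is_masquerading(path):
                findings.append(Finding("dropped_masquerade", image, path))
            m = ADS_RE.match(path)
            if m and m.group("stream").lower() not in BENIGN_STREAMS:
                findings.append(Finding("ads_path", image, path))
        elif eid == 1 and is_masquerading(image):
            findings.append(Finding("masquerading_process", image, ev.get("CommandLine", "")))
    return findings


# Constructed events mirroring the report's IoCs, followed by benign controls.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": DROPPER, "TargetFilename": r"C:\Windows\spoolsv.exe"},
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spoolsv",
     "Details": r"C:\Windows\spoolsv.exe"},
    {"EventID": 1, "Image": r"C:\Windows\spoolsv.exe", "CommandLine": r'"C:\Windows\spoolsv.exe"'},
    {"EventID": 11, "Image": r"C:\Windows\spoolsv.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp\https:\onsapay.com\loader"},
    # Benign: the real spooler, an ordinary Run value, and a mark-of-the-web stream.
    {"EventID": 1, "Image": r"C:\Windows\System32\spoolsv.exe", "CommandLine": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"EventID": 15, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\Admin\Downloads\setup.exe:Zone.Identifier"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.process}: {f.detail}")
```

On the constructed input this reports four findings (the dropped copy, the Run value, the masquerading child process and the colon-bearing Temp path) and stays silent on the three controls. The masquerading check is deliberately keyed on file name plus directory rather than on hash, because the dropped copy's hash need not match the original sample.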
Processes

  C:\Users\Admin\AppData\Local\Temp\ea17303f6dc9d21f61d9bb9558ebbe3ebc95f4d612c50fab858e7db2460d7df8.exe   (PID 1544)
    command line: "C:\Users\Admin\AppData\Local\Temp\ea17303f6dc9d21f61d9bb9558ebbe3ebc95f4d612c50fab858e7db2460d7df8.exe"
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    |
    +-- C:\Windows\spoolsv.exe   (PID 1076, child of 1544)
          command line: "C:\Windows\spoolsv.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - NTFS ADS
          - Suspicious use of AdjustPrivilegeToken
-
Network

All recorded DNS traffic is UDP to 8.8.8.8:53 and consists solely of reverse (PTR) lookups; only the first one received an answer. Columns: query name, the address it resolves, the answer recorded, bytes sent/received, packets sent/received (the sent size matches a bare PTR query for that name, which is how the column direction was established).

  Query (PTR)                    Address          Answer        Sent    Recv     Pkts
  8.8.8.8.in-addr.arpa           8.8.8.8          dns.google    66 B    90 B     1/1
  158.240.127.40.in-addr.arpa    40.127.240.158   -             73 B    147 B    1/1
  240.221.184.93.in-addr.arpa    93.184.221.240   -             73 B    144 B    1/1
  71.159.190.20.in-addr.arpa     20.190.159.71    -             72 B    158 B    1/1
  95.221.229.192.in-addr.arpa    192.229.221.95   -             73 B    144 B    1/1
  2.136.104.51.in-addr.arpa      51.104.136.2     -             71 B    157 B    1/1
  59.128.231.4.in-addr.arpa      4.231.128.59     -             71 B    157 B    1/1
  103.169.127.40.in-addr.arpa    40.127.169.103   -             73 B    147 B    1/1
  171.39.242.20.in-addr.arpa     20.242.39.171    -             72 B    158 B    1/1
  254.177.238.8.in-addr.arpa     8.238.177.254    -             72 B    126 B    1/1
  11.227.111.52.in-addr.arpa     52.111.227.11    -             72 B    158 B    1/1
  90.16.208.104.in-addr.arpa     104.208.16.90    -             72 B    146 B    1/1

No forward (A/AAAA) query appears, including for onsapay.com, and no non-DNS connection is recorded. Nothing in the log ties these addresses to the sample's own activity, so treat them as weak indicators unless corroborated elsewhere.
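Every row in the Network section is a reverse (PTR) query sent to 8.8.8.8; only the lookup of 8.8.8.8 itself returned an answer, and nothing resolves onsapay.com. The following added example (not part of the report and not tria.ge code) parses the rows in the flattened form they take on this page, rebuilds the looked-up IPv4 addresses from the in-addr.arpa names, and checks whether any forward lookup for a domain of interest is present. The embedded input is the twelve rows of this report; the function names and the summary fields are my own.

```python
"""Parse the flattened DNS rows of a tria.ge network section and summarise them.

Added example, not code from the report or from tria.ge; REPORT_LINES holds the
twelve rows of this report exactly as they appear on the page.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ROW_RE = re.compile(
    r"^Remote address:(?P<resolver>[0-9.]+):(?P<port>\d+)"
    r"Request(?P<qname>\S+?)IN (?P<qtype>[A-Z]+)"
    r"Response(?P<answer>.*)$"
)


@dataclass
class DnsRow:
    resolver: str
    qname: str
    qtype: str
    answer: str  # raw answer text; empty when the report recorded no answer


def ptr_to_ip(qname: str) -> Optional[str]:
    """Turn 158.240.127.40.in-addr.arpa back into 40.127.240.158 (IPv4 only)."""
    suffix = ".in-addr.arpa"
    if not qname.lower().endswith(suffix):
        return None
    octets = qname[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    ip = ".".join(reversed(octets))
    ipaddress.IPv4Address(ip)  # raises ValueError on a malformed name
    return ip


def parse_rows(lines: List[str]) -> List[DnsRow]:
    """Keep every line that matches the flattened row layout; ignore separators and blanks."""
    rows = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(DnsRow(m["resolver"], m["qname"], m["qtype"], m["answer"]))
    return rows


def forward_lookups(rows: List[DnsRow], domain: str) -> List[DnsRow]:
    """Non-PTR queries for the domain or any name under it."""
    d = domain.lower().rstrip(".")
    out = []
    for r in rows:
        name = r.qname.lower().rstrip(".")
        if r.qtype != "PTR" and (name == d or name.endswith("." + d)):
            out.append(r)
    return out


def summarise(rows: List[DnsRow]) -> Dict:
    """Counts plus the reconstructed addresses; all_public flags whether every address is routable."""
    ips = [ptr_to_ip(r.qname) for r in rows if r.qtype == "PTR"]
    ips = [ip for ip in ips if ip]
    return {
        "queries": len(rows),
        "ptr": sum(1 for r in rows if r.qtype == "PTR"),
        "answered": sum(1 for r in rows if r.answer),
        "resolvers": sorted({r.resolver for r in rows}),
        "ips": ips,
        "all_public": all(ipaddress.ip_address(ip).is_global for ip in ips),
    }


REPORT_LINES = [
    "Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle",
    "Remote address:8.8.8.8:53Request158.240.127.40.in-addr.arpaIN PTRResponse",
    "Remote address:8.8.8.8:53Request240.221.184.93.in-addr.arpaIN PTRResponse",
    "Remote address:8.8.8.8:53Request71.159.190.20.in-addr.arpaIN PTRResponse",
    "Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse",
    "Remote address:8.8.8.8:53Request2.136.104.51.in-addr.arpaIN PTRResponse",
    "Remote address:8.8.8.8:53Request59.128.231.4.in-addr.arpaIN PTRResponse",
    "Remote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTRResponse",
    "Remote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse",
    "Remote address:8.8.8.8:53Request254.177.238.8.in-addr.arpaIN PTRResponse",
    "Remote address:8.8.8.8:53Request11.227.111.52.in-addr.arpaIN PTRResponse",
    "Remote address:8.8.8.8:53Request90.16.208.104.in-addr.arpaIN PTRResponse",
]

if __name__ == "__main__":
    rows = parse_rows(REPORT_LINES)
    print(summarise(rows))
    print("forward lookups for onsapay.com:", forward_lookups(rows, "onsapay.com"))
```

Running it on the report's rows gives twelve PTR queries, one answered, a single resolver, twelve public addresses, and an empty list of forward lookups for onsapay.com, which is the basis for the caveat above that the payload host was never contacted in the recorded traffic.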
MITRE ATT&CK Enterprise v15
Downloads

  - Filesize: 349KB
    MD5:    b52b2b139d128e200b9a6ae0442b25b0
    SHA1:   ef59b2b1461828144936cf5fd01435e394dec059
    SHA256: 91543fce51e1b0a22281e3213aa87a8a6f8279003dc50a2103f8f3c29c907f59
    SHA512: f9cffe835718293d72bf78eb2a4206fe688d8d0dd1eb0045076caa53e9304d7b075cfc366b685337fe4f6558c7756ab8006b3fbf9b8e10c7e7e04a16d7a8da92

  - Filesize: 25KB
    MD5:    e85618f74919ec8dc0161e08fa39904e
    SHA1:   c7a14a06aa22704226acd39a8b11639bd5c0d638
    SHA256: b46acea9ec05e724354815194c67ee5b8a1bfda99e90171f2d9febd5d0921b8e
    SHA512: 9656da40c8777c357d610d02f7827fb5deef4914a0dff16b11224a09b404c2a31a9ec151763266d71cefb5c3d723eac4db34bd3c574917a1a5836c1eeb765200

  - Filesize: 25KB
    MD5:    82071fd2379c64429acf376487fcddff
    SHA1:   2da42c7eaa62ecee65757b441c939f12b52228fb
    SHA256: 272bd07fa6c2678fd96a026237a184fceffa65d319f6844bac582aff90ce25d8
    SHA512: 194bdbdf624ec425a095a44116032687c46b3e2370f3c436e2d5516dcc778824ff57fa69edfacb42e5e76e05894eb0a40acf32dcee3b80ba397f823ec82b6adb

  - Filesize: 25KB (identical hashes to the previous entry)
    MD5:    82071fd2379c64429acf376487fcddff
    SHA1:   2da42c7eaa62ecee65757b441c939f12b52228fb
    SHA256: 272bd07fa6c2678fd96a026237a184fceffa65d319f6844bac582aff90ce25d8
    SHA512: 194bdbdf624ec425a095a44116032687c46b3e2370f3c436e2d5516dcc778824ff57fa69edfacb42e5e76e05894eb0a40acf32dcee3b80ba397f823ec82b6adb

None of these hashes matches the submitted sample's SHA256 listed under General, and the report does not label which process wrote each file, so pivot on the hashes above rather than on the sample hash when looking for the dropped artefacts.