Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/09/2023, 02:40 UTC

General

  • Target

    bde2b977cdd7c086a35825a9ba7f2307341a3917f40cc193ed316dde106a6c74.exe

  • Size

    9.6MB

  • MD5

    ec333982af0977d8af5a4984792a4385

  • SHA1

    d5b7e49c6476766d45a18cdd150d0679a9529a5a

  • SHA256

    bde2b977cdd7c086a35825a9ba7f2307341a3917f40cc193ed316dde106a6c74

  • SHA512

    1446ecc9ca6f193796cdbaf1b9f291b85a36279659254e6cbf286dba8a0e5f233c889b459b799a0d18462f1210841a61a207f76bc90db4365a43e7d967761cfc

  • SSDEEP

    49152:LLLjKXCrX+hMesdq40bf95X9K5NRcSJDg/u/fiGhG6E7/6bp1pBt0zKkevwN/+j:

Score
10/10

Malware Config

Signatures

  • BlackGuard

    Infostealer first seen in Late 2021.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bde2b977cdd7c086a35825a9ba7f2307341a3917f40cc193ed316dde106a6c74.exe
    "C:\Users\Admin\AppData\Local\Temp\bde2b977cdd7c086a35825a9ba7f2307341a3917f40cc193ed316dde106a6c74.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Users\Admin\AppData\Roaming\Adobe\HV109XI1.exe
      "C:\Users\Admin\AppData\Roaming\Adobe\HV109XI1.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2392
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2392 -s 1152
        3⤵
          PID:1944
      • C:\Users\Admin\AppData\Roaming\Adobe\9XZON5WB.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\9XZON5WB.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2096

    Network

    • flag-us
      DNS
      ipwhois.app
      HV109XI1.exe
      Remote address:
      8.8.8.8:53
      Request
      ipwhois.app
      IN A
      Response
      ipwhois.app
      IN A
      108.181.98.179
    • flag-ca
      GET
      http://ipwhois.app/xml/
      HV109XI1.exe
      Remote address:
      108.181.98.179:80
      Request
      GET /xml/ HTTP/1.1
      Host: ipwhois.app
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Sat, 16 Sep 2023 02:40:46 GMT
      Content-Type: application/xml
      Transfer-Encoding: chunked
      Connection: keep-alive
      Server: ipwhois
      Access-Control-Allow-Origin: *
      Access-Control-Allow-Headers: *
      X-Robots-Tag: noindex
    • flag-us
      DNS
      log3.criminalaffair.com
      HV109XI1.exe
      Remote address:
      8.8.8.8:53
      Request
      log3.criminalaffair.com
      IN A
      Response
    • 108.181.98.179:80
      http://ipwhois.app/xml/
      http
      HV109XI1.exe
      295 B
      1.4kB
      5
      4

      HTTP Request

      GET http://ipwhois.app/xml/

      HTTP Response

      200
    • 8.8.8.8:53
      ipwhois.app
      dns
      HV109XI1.exe
      57 B
      73 B
      1
      1

      DNS Request

      ipwhois.app

      DNS Response

      108.181.98.179

    • 8.8.8.8:53
      log3.criminalaffair.com
      dns
      HV109XI1.exe
      69 B
      142 B
      1
      1

      DNS Request

      log3.criminalaffair.com

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\Adobe\9XZON5WB.exe

      Filesize

      1.8MB

      MD5

      cdb983e76d6fc15c5eaef54a063f0091

      SHA1

      ff22a165f86cf929727fa12d8e787e69d24bb19c

      SHA256

      0d9e31079d1626252be3d0241e9559e975a0ccf94648d4f41219119136f361f1

      SHA512

      a665a3c222a4fb218dca8af4e10582e493e4aec146e6e5bbf1091d482ea3081528e77fc9b176f892d5ba04fe442991947acc20242b3e4885fd37a614a963f3c6

    • C:\Users\Admin\AppData\Roaming\Adobe\HV109XI1.exe

      Filesize

      1.8MB

      MD5

      8bbaf95337912b8a1d36594e5bb2f5e6

      SHA1

      5db26a00543868b7f7bc88ec6597a17cf0dc71ae

      SHA256

      c50a943a78dc0049438b810fae2973ade0350c6ad76f924348fd56daff9fdf3a

      SHA512

      3665bbbfced55b369c0a3926fbe1682c3dc80e669d33fc523b4e23c2bbbb38f34b50d04bf369d0104d71ff99c73e9cb3d525408f0f137d7e870d7dded4196620

    • memory/808-0-0x0000000000D30000-0x00000000016CA000-memory.dmp

      Filesize

      9.6MB

    • memory/808-1-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

      Filesize

      9.9MB

    • memory/808-15-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

      Filesize

      9.9MB

    • memory/2392-13-0x0000000000850000-0x0000000000A2C000-memory.dmp

      Filesize

      1.9MB

    • memory/2392-12-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

      Filesize

      9.9MB

    • memory/2392-16-0x000000001B350000-0x000000001B3D0000-memory.dmp

      Filesize

      512KB

    • memory/2392-17-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

      Filesize

      9.9MB

    • memory/2392-18-0x000000001B350000-0x000000001B3D0000-memory.dmp

      Filesize

      512KB
