Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/10/2023, 15:43 UTC

General

  • Target

    Зоркий Глаз 5.409 (setup).exe

  • Size

    5.9MB

  • MD5

    f0c2a8ff2890cad08f17e607ccdda7fc

  • SHA1

    87fbf60e9ba1d60b546347632f1884fe1c531f0f

  • SHA256

    44c42156f16ae3664c2ba2aea2b8224bebdbc98e5978f56b5b1384a8a11917eb

  • SHA512

    4001a301c6b7295126c7bcc79122ebdd85e7976224e3399b03285cebfc623550f186c45285f78116927c2ed26496ab475d91739adc918a0b390512064651732c

  • SSDEEP

    49152:9so8Likxo9IiDqmbTp15J+/EE8Yfbebq/9jTaOS9SW5NyBFTGbxN+owQ:

Malware Config

Extracted

  • Family
    marsstealer
  • Botnet
    Default
  • C2
    rakishev.org/wp-load.php

Signatures

  • Mars Stealer

    An infostealer written in C++ based on other infostealers.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Зоркий Глаз 5.409 (setup).exe
    "C:\Users\Admin\AppData\Local\Temp\Зоркий Глаз 5.409 (setup).exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\ProgramData\Microsoft\DWFCKBOM.exe
      "C:\ProgramData\Microsoft\DWFCKBOM.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1872
      • C:\Users\Admin\AppData\Roaming\Adobe\C.exe
        "C:\Users\Admin\AppData\Roaming\Adobe\C.exe"
        3⤵
        • Executes dropped EXE
        PID:2812
    • C:\Users\Admin\AppData\Roaming\Identities\6IOKEGSR.exe
      "C:\Users\Admin\AppData\Roaming\Identities\6IOKEGSR.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3036
      • C:\Users\Admin\AppData\Local\Temp\is-2LNV8.tmp\6IOKEGSR.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-2LNV8.tmp\6IOKEGSR.tmp" /SL5="$40196,1628111,62976,C:\Users\Admin\AppData\Roaming\Identities\6IOKEGSR.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: GetForegroundWindowSpam
        PID:2660

Network

  • US
    DNS
    rakishev.org
    C.exe
    Remote address:
    8.8.8.8:53
    Request
    rakishev.org
    IN A
    Response
    rakishev.org
    IN A
    104.21.20.56
    rakishev.org
    IN A
    172.67.191.205
  • US
    GET
    http://rakishev.org/wp-load.php
    C.exe
    Remote address:
    104.21.20.56:80
    Request
    GET /wp-load.php HTTP/1.1
    Host: rakishev.org
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 403 Forbidden
    Date: Tue, 03 Oct 2023 15:43:38 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4380
    Connection: close
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Resource-Policy: same-origin
    Origin-Agent-Cluster: ?1
    Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
    Referrer-Policy: same-origin
    X-Frame-Options: SAMEORIGIN
    cf-mitigated: challenge
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=f9U6b6ERbS5UVtO7U7B7SGg4AGiyabOz4ZeqEtzylx6zVRTQRk0fP%2BHXoimjo66%2FJlyfabT5%2BPOzEriV0qT4kzAkaqCnWnkltEWZf1%2BLsrxQOvvuyY%2BYuA2ENirCBeQ%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 81064d48fbe80a68-AMS
    alt-svc: h3=":443"; ma=86400
  • US
    GET
    http://rakishev.org/wp-load.php
    C.exe
    Remote address:
    104.21.20.56:80
    Request
    GET /wp-load.php HTTP/1.1
    Host: rakishev.org
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 403 Forbidden
    Date: Tue, 03 Oct 2023 15:44:08 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4379
    Connection: close
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Resource-Policy: same-origin
    Origin-Agent-Cluster: ?1
    Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
    Referrer-Policy: same-origin
    X-Frame-Options: SAMEORIGIN
    cf-mitigated: challenge
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OVnWyBLvALM0ndw1kc1aWy1%2BDzAce%2FOLLkWYH7V611TNww5bfh1eFRV0DPA2S0mFEwrk%2BPqDvfEf28dijok16sEvL%2FgltK8loTyg7SFnLI1rRLxoQ8rcqgestoR7sl4%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 81064e04be4fb93e-AMS
    alt-svc: h3=":443"; ma=86400
  • US
    GET
    http://rakishev.org/wp-load.php
    C.exe
    Remote address:
    104.21.20.56:80
    Request
    GET /wp-load.php HTTP/1.1
    Host: rakishev.org
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 403 Forbidden
    Date: Tue, 03 Oct 2023 15:44:38 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4380
    Connection: close
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Resource-Policy: same-origin
    Origin-Agent-Cluster: ?1
    Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
    Referrer-Policy: same-origin
    X-Frame-Options: SAMEORIGIN
    cf-mitigated: challenge
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=g%2FkBrS9fFYk%2FyM3bmK4dPXLhRUaMM40PNWYYOYD7Dn7%2FT0NL%2Bb2ZTRTU6wEzRbIuzfvUblkWNfO6HgpFDRLZ1nxhEnbVv8pDi1%2FE3OKF9ZvGGlSMojngmKvnvE%2BbmG0%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 81064ec06cfdb92a-AMS
    alt-svc: h3=":443"; ma=86400
  • US
    GET
    http://rakishev.org/wp-load.php
    C.exe
    Remote address:
    104.21.20.56:80
    Request
    GET /wp-load.php HTTP/1.1
    Host: rakishev.org
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 403 Forbidden
    Date: Tue, 03 Oct 2023 15:45:08 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4380
    Connection: close
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Resource-Policy: same-origin
    Origin-Agent-Cluster: ?1
    Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
    Referrer-Policy: same-origin
    X-Frame-Options: SAMEORIGIN
    cf-mitigated: challenge
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Oq6S0G7GFKmpXbGQZvsjaw4RxzARM62ImuVVqNXtQiqD1H8A4VY7IOyhhNzLe%2BzNGDGZHQyBceW7OmMlPC8ZBqFpaNckg%2FELMbMplMX3uxOjjHfScsSu%2FdY3HapWSKY%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 81064f7c1967b76c-AMS
    alt-svc: h3=":443"; ma=86400
  • US
    GET
    http://rakishev.org/wp-load.php
    C.exe
    Remote address:
    104.21.20.56:80
    Request
    GET /wp-load.php HTTP/1.1
    Host: rakishev.org
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 403 Forbidden
    Date: Tue, 03 Oct 2023 15:45:38 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4380
    Connection: close
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Resource-Policy: same-origin
    Origin-Agent-Cluster: ?1
    Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
    Referrer-Policy: same-origin
    X-Frame-Options: SAMEORIGIN
    cf-mitigated: challenge
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Xhyw%2Bz0TDSF99Hst6jrDz%2Bm7W8oJmjXI4S9e7XiGlnKGO4d4Til%2F9%2FymIDOt8zcvfpXfDlPTma3hd25qZZ6EO7pEJTa4wappoJUrDo6ZnBR32sj9wubB73wuFEj7NhM%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 81065037c8d6b6fb-AMS
    alt-svc: h3=":443"; ma=86400
  • 104.21.20.56:80
    http://rakishev.org/wp-load.php
    Protocol: http
    Process: C.exe
    Bytes sent / received: 420 B / 6.0kB
    Packets sent / received: 7 / 9

    HTTP Request

    GET http://rakishev.org/wp-load.php

    HTTP Response

    403
  • 104.21.20.56:80
    http://rakishev.org/wp-load.php
    Protocol: http
    Process: C.exe
    Bytes sent / received: 420 B / 6.0kB
    Packets sent / received: 7 / 9

    HTTP Request

    GET http://rakishev.org/wp-load.php

    HTTP Response

    403
  • 104.21.20.56:80
    http://rakishev.org/wp-load.php
    Protocol: http
    Process: C.exe
    Bytes sent / received: 420 B / 6.0kB
    Packets sent / received: 7 / 9

    HTTP Request

    GET http://rakishev.org/wp-load.php

    HTTP Response

    403
  • 104.21.20.56:80
    http://rakishev.org/wp-load.php
    Protocol: http
    Process: C.exe
    Bytes sent / received: 420 B / 6.0kB
    Packets sent / received: 7 / 9

    HTTP Request

    GET http://rakishev.org/wp-load.php

    HTTP Response

    403
  • 104.21.20.56:80
    http://rakishev.org/wp-load.php
    Protocol: http
    Process: C.exe
    Bytes sent / received: 374 B / 5.9kB
    Packets sent / received: 6 / 8

    HTTP Request

    GET http://rakishev.org/wp-load.php

    HTTP Response

    403
  • 8.8.8.8:53
    rakishev.org
    Protocol: dns
    Process: C.exe
    Bytes sent / received: 58 B / 90 B
    Packets sent / received: 1 / 1

    DNS Request

    rakishev.org

    DNS Response

    104.21.20.56
    172.67.191.205

Downloads

  • C:\ProgramData\Microsoft\DWFCKBOM.exe

    Filesize

    434KB

    MD5

    0541dbe9dc3430860997086e63db74a9

    SHA1

    ba922c9fb5eb75ac97ceba4c54c423f8e89d8eb5

    SHA256

    b34c6fa3634b5c3cc501bf21d72e82cd57b4bd9e32d22fb4e31f7d83d852b691

    SHA512

    32240a020bf8ce4ec593a713f49369f52b9525cc1a428fcde4fa71bd26c60ccc065e3f2c619de8a5ef1e2396d40668e65c341ec7ff53451c0e857a5afb383dcf

  • C:\Users\Admin\AppData\Local\Temp\is-2LNV8.tmp\6IOKEGSR.tmp

    Filesize

    704KB

    MD5

    458bac8ff4cbe11156085a760de497b7

    SHA1

    e1661550462590f1b7671be2d539877a54bdf3bc

    SHA256

    65df91de6d9b3814cf3148c45136a23e4a2db676d96524e8b721385db26dbfde

    SHA512

    3a0a4a01e447516768247c129ed9a8ec4796eb92b0e6aa2bc2280b7481be05a06852022747b8496c4f5545d849f97e28feda49258e405fbeb656ed9bc2247ce6

  • C:\Users\Admin\AppData\Roaming\Adobe\C.exe

    Filesize

    159KB

    MD5

    dc04cd84d39f8ad4354de37702a9a980

    SHA1

    db928ad60a7c29d5f5287b5f984d2e78fa64479a

    SHA256

    5f239096c327b22c21c0205dde0d8dc4c41f458be802f74f54cdc5ba38921668

    SHA512

    a98f7aebf4237e5768c8fffa00e758b9549cf24e06cced7bef509dcca4c77c8097f91aa1bfdc4616f23ae66aa780004ed79f796401be0a35b2e4a9080f1d5401

  • C:\Users\Admin\AppData\Roaming\Identities\6IOKEGSR.exe

    Filesize

    1.8MB

    MD5

    92902065645b8747ea3cbed5eb3bc288

    SHA1

    dc47d1b6ec4a2dcb518b6777d54afb1528873a05

    SHA256

    919f781fcf6f439fb2b44146f027f42cca71a07e8c0e56baf5fa0f3640c77e93

    SHA512

    c6d3fa98b117a967310c9e7f39177d2db8c788186dcc6fd6a93699366088ce08c066b98bb708f9442e64d412f62b74e88f3b26a18344baa80896dbd09081bdc4

  • \Users\Admin\AppData\Local\Temp\is-2LNV8.tmp\6IOKEGSR.tmp

    Filesize

    704KB

    MD5

    458bac8ff4cbe11156085a760de497b7

    SHA1

    e1661550462590f1b7671be2d539877a54bdf3bc

    SHA256

    65df91de6d9b3814cf3148c45136a23e4a2db676d96524e8b721385db26dbfde

    SHA512

    3a0a4a01e447516768247c129ed9a8ec4796eb92b0e6aa2bc2280b7481be05a06852022747b8496c4f5545d849f97e28feda49258e405fbeb656ed9bc2247ce6

  • \Users\Admin\AppData\Local\Temp\is-4F0VR.tmp\_isetup\_shfoldr.dll

    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

  • memory/1100-1-0x0000000000C50000-0x0000000001242000-memory.dmp

    Filesize

    5.9MB

  • memory/1100-42-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

    Filesize

    9.9MB

  • memory/1100-0-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

    Filesize

    9.9MB

  • memory/1100-41-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

    Filesize

    9.9MB

  • memory/1872-14-0x000000001B280000-0x000000001B300000-memory.dmp

    Filesize

    512KB

  • memory/1872-8-0x0000000000E20000-0x0000000000E92000-memory.dmp

    Filesize

    456KB

  • memory/1872-11-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

    Filesize

    9.9MB

  • memory/1872-40-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

    Filesize

    9.9MB

  • memory/2660-46-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

  • memory/2660-45-0x00000000003E0000-0x00000000003E1000-memory.dmp

    Filesize

    4KB

  • memory/2660-31-0x00000000003E0000-0x00000000003E1000-memory.dmp

    Filesize

    4KB

  • memory/2812-33-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/2812-61-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/3036-43-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/3036-18-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

  • memory/3036-15-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB
