Analysis
max time kernel: 148s
max time network: 153s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 03/10/2023, 15:43 UTC
Static task: static1
Behavioral task: behavioral1
  Sample: Зоркий Глаз 5.409 (setup).exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: Зоркий Глаз 5.409 (setup).exe
  Resource: win10v2004-20230915-en
General
Target: Зоркий Глаз 5.409 (setup).exe
Size: 5.9MB
MD5: f0c2a8ff2890cad08f17e607ccdda7fc
SHA1: 87fbf60e9ba1d60b546347632f1884fe1c531f0f
SHA256: 44c42156f16ae3664c2ba2aea2b8224bebdbc98e5978f56b5b1384a8a11917eb
SHA512: 4001a301c6b7295126c7bcc79122ebdd85e7976224e3399b03285cebfc623550f186c45285f78116927c2ed26496ab475d91739adc918a0b390512064651732c
SSDEEP: 49152:9so8Likxo9IiDqmbTp15J+/EE8Yfbebq/9jTaOS9SW5NyBFTGbxN+owQ:
Malware Config
Extracted
marsstealer
Default
rakishev.org/wp-load.php
Signatures
- Mars Stealer
An infostealer written in C++ based on other infostealers.
- Executes dropped EXE (4 IoCs)
pid   Process
1872  DWFCKBOM.exe
3036  6IOKEGSR.exe
2660  6IOKEGSR.tmp
2812  C.exe
- Loads dropped DLL (3 IoCs)
pid   Process
3036  6IOKEGSR.exe
2660  6IOKEGSR.tmp
2660  6IOKEGSR.tmp
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid   Process
2660  6IOKEGSR.tmp
- Suspicious use of WriteProcessMemory (21 IoCs)
description                        pid   Process                         procid_target
PID 1100 wrote to memory of 1872   1100  Зоркий Глаз 5.409 (setup).exe   30
PID 1100 wrote to memory of 1872   1100  Зоркий Глаз 5.409 (setup).exe   30
PID 1100 wrote to memory of 1872   1100  Зоркий Глаз 5.409 (setup).exe   30
PID 1100 wrote to memory of 3036   1100  Зоркий Глаз 5.409 (setup).exe   31
PID 1100 wrote to memory of 3036   1100  Зоркий Глаз 5.409 (setup).exe   31
PID 1100 wrote to memory of 3036   1100  Зоркий Глаз 5.409 (setup).exe   31
PID 1100 wrote to memory of 3036   1100  Зоркий Глаз 5.409 (setup).exe   31
PID 1100 wrote to memory of 3036   1100  Зоркий Глаз 5.409 (setup).exe   31
PID 1100 wrote to memory of 3036   1100  Зоркий Глаз 5.409 (setup).exe   31
PID 1100 wrote to memory of 3036   1100  Зоркий Глаз 5.409 (setup).exe   31
PID 3036 wrote to memory of 2660   3036  6IOKEGSR.exe                    32
PID 3036 wrote to memory of 2660   3036  6IOKEGSR.exe                    32
PID 3036 wrote to memory of 2660   3036  6IOKEGSR.exe                    32
PID 3036 wrote to memory of 2660   3036  6IOKEGSR.exe                    32
PID 3036 wrote to memory of 2660   3036  6IOKEGSR.exe                    32
PID 3036 wrote to memory of 2660   3036  6IOKEGSR.exe                    32
PID 3036 wrote to memory of 2660   3036  6IOKEGSR.exe                    32
PID 1872 wrote to memory of 2812   1872  DWFCKBOM.exe                    33
PID 1872 wrote to memory of 2812   1872  DWFCKBOM.exe                    33
PID 1872 wrote to memory of 2812   1872  DWFCKBOM.exe                    33
PID 1872 wrote to memory of 2812   1872  DWFCKBOM.exe                    33
Processes
- C:\Users\Admin\AppData\Local\Temp\Зоркий Глаз 5.409 (setup).exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Зоркий Глаз 5.409 (setup).exe"
  - Suspicious use of WriteProcessMemory
  PID: 1100
  - C:\ProgramData\Microsoft\DWFCKBOM.exe (depth 2)
    Command line: "C:\ProgramData\Microsoft\DWFCKBOM.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 1872
    - C:\Users\Admin\AppData\Roaming\Adobe\C.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Adobe\C.exe"
      - Executes dropped EXE
      PID: 2812
  - C:\Users\Admin\AppData\Roaming\Identities\6IOKEGSR.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Identities\6IOKEGSR.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 3036
    - C:\Users\Admin\AppData\Local\Temp\is-2LNV8.tmp\6IOKEGSR.tmp (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-2LNV8.tmp\6IOKEGSR.tmp" /SL5="$40196,1628111,62976,C:\Users\Admin\AppData\Roaming\Identities\6IOKEGSR.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam
      PID: 2660
Network
-
Remote address: 8.8.8.8:53
Request
rakishev.org IN A
Response
rakishev.org IN A 104.21.20.56
rakishev.org IN A 172.67.191.205
-
Remote address: 104.21.20.56:80
Request
GET /wp-load.php HTTP/1.1
Host: rakishev.org
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=UTF-8
Content-Length: 4380
Connection: close
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=f9U6b6ERbS5UVtO7U7B7SGg4AGiyabOz4ZeqEtzylx6zVRTQRk0fP%2BHXoimjo66%2FJlyfabT5%2BPOzEriV0qT4kzAkaqCnWnkltEWZf1%2BLsrxQOvvuyY%2BYuA2ENirCBeQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 81064d48fbe80a68-AMS
alt-svc: h3=":443"; ma=86400
-
Remote address: 104.21.20.56:80
Request
GET /wp-load.php HTTP/1.1
Host: rakishev.org
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=UTF-8
Content-Length: 4379
Connection: close
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OVnWyBLvALM0ndw1kc1aWy1%2BDzAce%2FOLLkWYH7V611TNww5bfh1eFRV0DPA2S0mFEwrk%2BPqDvfEf28dijok16sEvL%2FgltK8loTyg7SFnLI1rRLxoQ8rcqgestoR7sl4%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 81064e04be4fb93e-AMS
alt-svc: h3=":443"; ma=86400
-
Remote address: 104.21.20.56:80
Request
GET /wp-load.php HTTP/1.1
Host: rakishev.org
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=UTF-8
Content-Length: 4380
Connection: close
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=g%2FkBrS9fFYk%2FyM3bmK4dPXLhRUaMM40PNWYYOYD7Dn7%2FT0NL%2Bb2ZTRTU6wEzRbIuzfvUblkWNfO6HgpFDRLZ1nxhEnbVv8pDi1%2FE3OKF9ZvGGlSMojngmKvnvE%2BbmG0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 81064ec06cfdb92a-AMS
alt-svc: h3=":443"; ma=86400
-
Remote address: 104.21.20.56:80
Request
GET /wp-load.php HTTP/1.1
Host: rakishev.org
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=UTF-8
Content-Length: 4380
Connection: close
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Oq6S0G7GFKmpXbGQZvsjaw4RxzARM62ImuVVqNXtQiqD1H8A4VY7IOyhhNzLe%2BzNGDGZHQyBceW7OmMlPC8ZBqFpaNckg%2FELMbMplMX3uxOjjHfScsSu%2FdY3HapWSKY%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 81064f7c1967b76c-AMS
alt-svc: h3=":443"; ma=86400
-
Remote address: 104.21.20.56:80
Request
GET /wp-load.php HTTP/1.1
Host: rakishev.org
Connection: Keep-Alive
Cache-Control: no-cache
Response
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=UTF-8
Content-Length: 4380
Connection: close
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Xhyw%2Bz0TDSF99Hst6jrDz%2Bm7W8oJmjXI4S9e7XiGlnKGO4d4Til%2F9%2FymIDOt8zcvfpXfDlPTma3hd25qZZ6EO7pEJTa4wappoJUrDo6ZnBR32sj9wubB73wuFEj7NhM%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 81065037c8d6b6fb-AMS
alt-svc: h3=":443"; ma=86400
-
420 B 6.0kB 7 9
HTTP Request: GET http://rakishev.org/wp-load.php
HTTP Response: 403
-
420 B 6.0kB 7 9
HTTP Request: GET http://rakishev.org/wp-load.php
HTTP Response: 403
-
420 B 6.0kB 7 9
HTTP Request: GET http://rakishev.org/wp-load.php
HTTP Response: 403
-
420 B 6.0kB 7 9
HTTP Request: GET http://rakishev.org/wp-load.php
HTTP Response: 403
-
374 B 5.9kB 6 8
HTTP Request: GET http://rakishev.org/wp-load.php
HTTP Response: 403
MITRE ATT&CK Enterprise v15
Downloads