Analysis
- max time kernel: 120s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 05/10/2023, 13:20
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: legend.exe, Resource: win7-20230831-en)
- Behavioral task: behavioral2 (Sample: legend.exe, Resource: win10v2004-20230915-en)
General
- Target: legend.exe
- Size: 347KB
- MD5: ef2de4a8a06f86867f6e460e88919515
- SHA1: 927a63e2b72624abb062387e8ea83862c98158f2
- SHA256: 95146fd91e53797e70aa24b0a662c345ea9c0ed0500e9a996506d3c79433304c
- SHA512: 5e670977ae81b28cb0120b5f45379be295e49f394df16000181c84c8969abc47090623c34888c7fc01aeba4202aed1ad2d29bdc1052c212caefae25795ec8592
- SSDEEP: 6144:BnPdudwDsAq1bHTMqjOLx9JL78eBZoRgl7bMkqfOCY4JnpmIOHkQTtHVI:BnPdwAUHpOLXJhBZoRglPMkUOCdnhQg
Malware Config
Signatures
- Executes dropped EXE (2 IoCs): pid 3048 wlhgt.exe; pid 1668 wlhgt.exe
- Loads dropped DLL (2 IoCs): pid 2068 legend.exe; pid 3048 wlhgt.exe
- Reads data files stored by FTP clients (2 TTPs): Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs): Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs): Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC): Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgptpyewschqm = "C:\\Users\\Admin\\AppData\\Roaming\\nsclgpyua\\joxdmirb.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wlhgt.exe\" " (process: wlhgt.exe)
- Looks up external IP address via web service (2 IoCs): Uses a legitimate IP lookup service to find the infected system's external IP. flow 4: api.ipify.org; flow 5: api.ipify.org
- Suspicious use of SetThreadContext (1 IoC): PID 3048 set thread context of 1668 (pid 3048 wlhgt.exe, target procid 29)
- Enumerates physical storage devices (1 TTP): Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs): pid 1668 wlhgt.exe; pid 1668 wlhgt.exe
- Suspicious behavior: MapViewOfSection (1 IoC): pid 3048 wlhgt.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC): Token: SeDebugPrivilege (pid 1668 wlhgt.exe)
- Suspicious use of WriteProcessMemory (9 IoCs): PID 2068 wrote to memory of 3048 (pid 2068 legend.exe, target procid 28), 4 entries; PID 3048 wrote to memory of 1668 (pid 3048 wlhgt.exe, target procid 29), 5 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\legend.exe, command line "C:\Users\Admin\AppData\Local\Temp\legend.exe", PID 2068
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\wlhgt.exe, command line "C:\Users\Admin\AppData\Local\Temp\wlhgt.exe", PID 3048 (child of 2068)
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\wlhgt.exe, command line "C:\Users\Admin\AppData\Local\Temp\wlhgt.exe", PID 1668 (child of 3048)
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 333KB
  MD5: 2b4d08869bf52235776450f972eb4e14
  SHA1: 239c9d5c80f8a9ebcafff027ca62a2f28ab2a4f2
  SHA256: 760954e886be0d830a97dff466dd6f199fe76c12f95ee9c34fc1fea12b8e6941
  SHA512: 78f5f1f6e3787a75e9200815f49e58c70bb00f65c6044880cf26cb93511e15a93c934553f054ef2d559232dfe4aee5d4addb5496f0a95e21bb1671ed0158bae7
- Filesize: 168KB
  MD5: 857d33e8f8429f5ee496132d66023e24
  SHA1: 8d9e3a0d63b863ed1fbc01ad73777dba752c8538
  SHA256: 3c70c6b43d985a72df3a28215e4417cf3276f5c46f7b67df16c7250da6ecdf72
  SHA512: 97582d2d4da4855d61ce3c39a268c841fcdf55d2ee9a4f078b366444004b5db4d5535698fb43fa5d6f6096a0a63f93e51994d1769ee943409edf60a6150c96da