Analysis
max time kernel: 126s
max time network: 141s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2023, 16:47
Static task: static1
Behavioral task: behavioral1
    Sample: 1bd78136fa8b9e9e63fde92829a9743d.exe
    Resource: win7-20230831-en
Behavioral task: behavioral2
    Sample: 1bd78136fa8b9e9e63fde92829a9743d.exe
    Resource: win10v2004-20230915-en
General
Target: 1bd78136fa8b9e9e63fde92829a9743d.exe
Size: 515KB
MD5: 1bd78136fa8b9e9e63fde92829a9743d
SHA1: c9a07ff3362a68baa159521c6946026e4cc0f17b
SHA256: 995d7782b47ae9d044a0a1edf76a011241ab941c09af6e8a90eeab23f82225e2
SHA512: 47b43fa93e7da900c8f520a66bbf28af3fc5e5e7185b9735aa27508d9a7498334c649a3380a918969bc9db0b975b7dfd6bb4936260424b906ea291a62795af15
SSDEEP: 6144:tZQ1L8X3KA0CJIJr/yl8ntd9wxJA4jLXIwejp9R37+RRmpr2MUX9xRjVJiJxeyBc:fQ1BCJIBd6xXIbjp9RSzsr2FgO
Malware Config
Extracted
    Protocol: ftp
    Host: ftp.product-secured.com
    Port: 21
    Username: [email protected]
    Password: 575K5(MaZro2575K5(MaZro2
Extracted
    Family: snakekeylogger
    Protocol: ftp
    Host: ftp://ftp.product-secured.com/
    Port: 21
    Username: [email protected]
    Password: 575K5(MaZro2575K5(MaZro2
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (7 IoCs)
  resource | yara_rule
  behavioral1/memory/2388-10-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2388-12-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2388-16-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2388-18-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2388-20-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2388-27-0x0000000004AC0000-0x0000000004B00000-memory.dmp | family_snakekeylogger
  behavioral1/memory/2732-50-0x0000000004C50000-0x0000000004C90000-memory.dmp | family_snakekeylogger
- Executes dropped EXE (2 IoCs)
  pid | Process
  1060 | svchost.exe
  2732 | svchost.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 1bd78136fa8b9e9e63fde92829a9743d.exe
  Key opened | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 1bd78136fa8b9e9e63fde92829a9743d.exe
  Key opened | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 1bd78136fa8b9e9e63fde92829a9743d.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | checkip.dyndns.org
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2104 set thread context of 2388 | 2104 | 1bd78136fa8b9e9e63fde92829a9743d.exe | 30
  PID 1060 set thread context of 2732 | 1060 | svchost.exe | 47
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1984 | schtasks.exe
  2516 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | Process
  2388 | 1bd78136fa8b9e9e63fde92829a9743d.exe
  2388 | 1bd78136fa8b9e9e63fde92829a9743d.exe
  2732 | svchost.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2388 | 1bd78136fa8b9e9e63fde92829a9743d.exe
  Token: SeDebugPrivilege | 2732 | svchost.exe
- Suspicious use of WriteProcessMemory (54 IoCs; identical rows grouped, count in last column)
  description | pid | Process | procid_target | count
  PID 2104 wrote to memory of 2388 | 2104 | 1bd78136fa8b9e9e63fde92829a9743d.exe | 30 | 9
  PID 2104 wrote to memory of 2844 | 2104 | 1bd78136fa8b9e9e63fde92829a9743d.exe | 31 | 4
  PID 2104 wrote to memory of 2240 | 2104 | 1bd78136fa8b9e9e63fde92829a9743d.exe | 32 | 4
  PID 2104 wrote to memory of 2780 | 2104 | 1bd78136fa8b9e9e63fde92829a9743d.exe | 33 | 4
  PID 2240 wrote to memory of 2516 | 2240 | cmd.exe | 37 | 4
  PID 1960 wrote to memory of 1060 | 1960 | taskeng.exe | 39 | 4
  PID 1060 wrote to memory of 2732 | 1060 | svchost.exe | 47 | 9
  PID 1060 wrote to memory of 2600 | 1060 | svchost.exe | 40 | 4
  PID 1060 wrote to memory of 2828 | 1060 | svchost.exe | 43 | 4
  PID 1060 wrote to memory of 1944 | 1060 | svchost.exe | 42 | 4
  PID 2828 wrote to memory of 1984 | 2828 | cmd.exe | 46 | 4
- outlook_office_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 1bd78136fa8b9e9e63fde92829a9743d.exe
- outlook_win_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 1bd78136fa8b9e9e63fde92829a9743d.exe
Processes (tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\1bd78136fa8b9e9e63fde92829a9743d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1bd78136fa8b9e9e63fde92829a9743d.exe"
  PID: 2104
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\1bd78136fa8b9e9e63fde92829a9743d.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1bd78136fa8b9e9e63fde92829a9743d.exe"
      PID: 2388
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      PID: 2844
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      PID: 2240
      - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
          PID: 2516
          - Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\1bd78136fa8b9e9e63fde92829a9743d.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
      PID: 2780
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {EE940F79-5B7E-4BC6-AD9D-74451CF14361} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:Interactive:[1]
  PID: 1960
  - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
      Command line: C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
      PID: 1060
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
          PID: 2600
        - C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
          PID: 1944
        - C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
          PID: 2828
          - Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\schtasks.exe
              Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
              PID: 1984
              - Creates scheduled task(s)
        - C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
          Command line: "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
          PID: 2732
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads (3 entries, all with identical size and hashes)
Filesize: 515KB
MD5: 1bd78136fa8b9e9e63fde92829a9743d
SHA1: c9a07ff3362a68baa159521c6946026e4cc0f17b
SHA256: 995d7782b47ae9d044a0a1edf76a011241ab941c09af6e8a90eeab23f82225e2
SHA512: 47b43fa93e7da900c8f520a66bbf28af3fc5e5e7185b9735aa27508d9a7498334c649a3380a918969bc9db0b975b7dfd6bb4936260424b906ea291a62795af15