Analysis
  max time kernel:   122s
  max time network:  126s
  platform:          windows7_x64
  resource:          win7-20231020-en
  resource tags:     arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
  submitted:         26/11/2023, 22:33
Tasks
  static1      Static task
  behavioral1  Behavioral task, sample bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe, resource win7-20231020-en (this report)
  behavioral2  Behavioral task, sample bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe, resource win10-20231023-en
General
  Target:  bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe
  Size:    1.6MB
  MD5:     3ff60bb00b635f8d94673252138c1319
  SHA1:    a41e71b7583d5b49f82b6afaab70f9d89c77e4d5
  SHA256:  bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169
  SHA512:  2d1da58a7021c9932a37f9be4569c19483b4a2dc169ccf0f978d21aa7720bb4bb7b822de693deebf2bedd0c12e370fc43ff7f0498cfa85d0ba0bf6da36d64d26
  SSDEEP:  49152:5ojy+A3cPEDkG+4LNl1R0FuWrDn74Vy6cewVs0B1H0:5ojyUMDVBr0FnrDTVtZ
Malware Config
  Extracted family:  eternity
  URL (Tor hidden service):  http://izrukvro5khcol3z7cvvdq3akeunlod2gshgn7ppo3a4jvse3z5hpiyd.onion
Signatures

Eternity
  Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

Executes dropped EXE (2 IoCs)
  PID   Process
  3060  ms_update.exe
  2028  ms_updater.exe

Loads dropped DLL (5 IoCs)
  PID   Process
  2016  bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe (2 loads)
  2028  ms_updater.exe (3 loads)

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  All three keys are opened by AppLaunch.exe (PID 2912). The 9375CFF0413111d3B88A00104B2A6676 subkey is where Outlook keeps per-account settings, the usual place a stealer reads mail credentials from.
  Key opened  \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened  \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened  \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow  IoC
  4     ip-api.com

Suspicious use of SetThreadContext (1 IoC)
  Source PID  Source process  Target PID  procid_target
  2028        ms_updater.exe  2912        32
  The target, PID 2912, is the AppLaunch.exe instance in the process tree below.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  AppLaunch.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0             AppLaunch.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID   Process
  2912  AppLaunch.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 2912  AppLaunch.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  The report lists one row per write; rows with the same source and target are collapsed here and counted. Target process names are taken from the process tree below, since these rows only give the target PID.
  Source PID  Source process                                                          Target PID  Target process  procid_target  Writes
  2016        bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe   3060        ms_update.exe   28             7
  2016        bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe   2028        ms_updater.exe  30             7
  2028        ms_updater.exe                                                          2664        AppLaunch.exe   31             7
  2028        ms_updater.exe                                                          2912        AppLaunch.exe   32             12
  2912        AppLaunch.exe                                                           2116        cmd.exe         34             7
  2116        cmd.exe                                                                 1740        chcp.com        36             7
  2116        cmd.exe                                                                 1976        netsh.exe       37             7
  2116        cmd.exe                                                                 584         findstr.exe     38             7
  2912        AppLaunch.exe                                                           1636        cmd.exe         39             3
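ms_updater.exe both writing into AppLaunch.exe (PID 2912) and replacing a thread context in it is the process-hollowing sequence: a legitimate host is started suspended, its image is overwritten, the main thread's context is pointed at the new code, and the thread is resumed. The second AppLaunch.exe child (PID 2664) only received writes and never did anything else. As an added example that is not part of the tria.ge report, the Python below correlates the two signature tables in the row format the report prints and flags every parent that did both to a known-good .NET host binary. The event lines are constructed from the rows above, the PID-to-image map is taken from the process tree because these rows give the target only as a PID, and the HOLLOW_HOSTS list is an assumption of mine, not something the report states.

```python
import re
from collections import defaultdict

# Constructed event lines in the report's own "description pid Process procid_target"
# row format; PIDs and image names are the ones shown in the signature tables.
EVENTS = """\
PID 2016 wrote to memory of 3060 2016 bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe 28
PID 2016 wrote to memory of 2028 2016 bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe 30
PID 2028 wrote to memory of 2664 2028 ms_updater.exe 31
PID 2028 wrote to memory of 2912 2028 ms_updater.exe 32
PID 2028 set thread context of 2912 2028 ms_updater.exe 32
PID 2912 wrote to memory of 2116 2912 AppLaunch.exe 34
PID 2116 wrote to memory of 1740 2116 cmd.exe 36
"""

# Target PID -> image name, read off the process tree (the rows above only carry the PID).
TARGET_IMAGE = {
    3060: "ms_update.exe", 2028: "ms_updater.exe", 2664: "AppLaunch.exe",
    2912: "AppLaunch.exe", 2116: "cmd.exe", 1740: "chcp.com",
}

# Assumption: signed Microsoft binaries that .NET loaders commonly hollow.
HOLLOW_HOSTS = {
    "applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
    "installutil.exe", "aspnet_compiler.exe",
}

ROW = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) \d+")


def parse_events(text):
    """Turn report rows into (source_pid, action, target_pid, source_image) tuples."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), int(m.group(3)), m.group(4)))
    return events


def find_hollowing(events, target_image):
    """Return (src_pid, src_image, dst_pid, dst_image) for every source/target pair where
    the source both wrote the target's memory and set a thread context in it, and the
    target is a known-good host binary. A write alone (PID 2664 here) is not enough."""
    actions = defaultdict(set)
    source_image = {}
    for pid, action, target, image in events:
        actions[(pid, target)].add(action)
        source_image[(pid, target)] = image
    findings = []
    for (pid, target), acts in actions.items():
        child = target_image.get(target, "?")
        if {"wrote to memory of", "set thread context of"} <= acts and child.lower() in HOLLOW_HOSTS:
            findings.append((pid, source_image[(pid, target)], target, child))
    return findings


if __name__ == "__main__":
    for src, src_img, dst, dst_img in find_hollowing(parse_events(EVENTS), TARGET_IMAGE):
        print(f"hollowing candidate: {src_img} ({src}) -> {dst_img} ({dst})")
```

Run against the constructed rows it reports exactly one candidate, ms_updater.exe (2028) into AppLaunch.exe (2912). On a real EDR feed the same join works on process-access events with the PROCESS_VM_WRITE and PROCESS_SUSPEND_RESUME access masks; the point is to require both the write and the context change, because legitimate debuggers and crash reporters produce the first on its own.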
outlook_office_path (1 IoC)
  Key opened  \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  AppLaunch.exe

outlook_win_path (1 IoC)
  Key opened  \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  AppLaunch.exe
Processes
  1  C:\Users\Admin\AppData\Local\Temp\bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe  (PID 2016)
     cmdline: "C:\Users\Admin\AppData\Local\Temp\bcde1b6a52ee2944096fc1b3059f09097add88eb3a99bee162613dc12a113169.exe"
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory
     2  C:\Users\Admin\AppData\Roaming\ms_update.exe  (PID 3060)
        cmdline: "C:\Users\Admin\AppData\Roaming\ms_update.exe"
        - Executes dropped EXE
     2  C:\Users\Admin\AppData\Roaming\ms_updater.exe  (PID 2028)
        cmdline: "C:\Users\Admin\AppData\Roaming\ms_updater.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        3  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 2664)
           cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 2912)
           cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
           - Accesses Microsoft Outlook profiles
           - Checks processor information in registry
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of AdjustPrivilegeToken
           - Suspicious use of WriteProcessMemory
           - outlook_office_path
           - outlook_win_path
           4  C:\Windows\SysWOW64\cmd.exe  (PID 2116)
              cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
              - Suspicious use of WriteProcessMemory
              5  C:\Windows\SysWOW64\chcp.com  (PID 1740)     cmdline: chcp 65001
              5  C:\Windows\SysWOW64\netsh.exe  (PID 1976)    cmdline: netsh wlan show profile
              5  C:\Windows\SysWOW64\findstr.exe  (PID 584)   cmdline: findstr All
           4  C:\Windows\SysWOW64\cmd.exe  (PID 1636)
              cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
              5  C:\Windows\SysWOW64\chcp.com  (PID 2784)     cmdline: chcp 65001
              5  C:\Windows\SysWOW64\netsh.exe  (PID 2832)    cmdline: netsh wlan show profile name="65001" key=clear
              5  C:\Windows\SysWOW64\findstr.exe  (PID 736)   cmdline: findstr Key

Reading the tree: the dropper writes two executables to %APPDATA%, and ms_updater.exe hollows the 32-bit .NET host AppLaunch.exe (the Framework, not Framework64, directory, matching the SysWOW64 cmd.exe children). All stealer activity (Outlook profile keys, CPU-identifier check, SeDebugPrivilege, process enumeration) comes from the hollowed PID 2912. The two cmd.exe chains are the standard Wi-Fi credential harvest: enumerate saved profiles, then request each profile with key=clear to print the pre-shared key. The profile name "65001" in the second command is the code page number that chcp prints ("Active code page: 65001"); the most likely explanation is that the sandbox had no saved Wi-Fi profiles and the stealer's output parser treated chcp's status line as a profile entry, which is worth knowing when the same name shows up in other reports.
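The two cmd.exe chains above give a detection engineer two things to write: a command-line rule for the netsh wlan profile enumeration and key=clear dump, and a reason not to be confused by the profile name "65001". As an added example that is not part of the tria.ge report, the Python below classifies command lines taken from the tree (plus two benign netsh invocations I constructed), and reproduces the parsing artifact against constructed netsh output. The naive parser is a hypothetical reconstruction of the kind of code that yields a profile called 65001 on a host with no saved profiles; the report does not show the stealer's actual parser.

```python
import re

# Command lines: the first two are copied from the process tree, the last two are
# constructed benign netsh uses that a rule must not flag.
CMDLINES = [
    '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All',
    '"cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key',
    "netsh wlan show interfaces",
    "netsh advfirewall show allprofiles",
]

# key=clear anywhere after "netsh wlan show profile(s)" is the credential dump;
# the bare enumeration is the reconnaissance step that precedes it.
KEY_CLEAR = re.compile(r"netsh(?:\.exe)?\s+wlan\s+show\s+profiles?\b.*\bkey\s*=\s*clear", re.I)
ENUM = re.compile(r"netsh(?:\.exe)?\s+wlan\s+show\s+profiles?\b", re.I)


def classify(cmdline):
    """Return 'wifi-key-dump', 'wifi-profile-enum', or None for a process command line."""
    if KEY_CLEAR.search(cmdline):
        return "wifi-key-dump"
    if ENUM.search(cmdline):
        return "wifi-profile-enum"
    return None


# Constructed stdout of `cmd /C chcp 65001 && netsh wlan show profile` (cmd runs both
# commands, so the captured output starts with chcp's status line). The first string
# assumes a host with no saved profiles, like the sandbox; the second assumes two.
NO_PROFILES_OUTPUT = "Active code page: 65001\r\n"
WITH_PROFILES_OUTPUT = (
    "Active code page: 65001\r\n"
    "    All User Profile     : CorpWiFi\r\n"
    "    All User Profile     : HomeNet\r\n"
)


def naive_profile_names(output):
    """Hypothetical parser: keep the text after ':' on every line. It turns chcp's
    status line into a profile named '65001', which is the name seen in the tree."""
    names = []
    for line in output.splitlines():
        if ":" in line:
            names.append(line.split(":", 1)[1].strip())
    return names


def strict_profile_names(output):
    """Only accept the lines netsh itself prints for a saved profile."""
    return re.findall(r"^\s*All User Profile\s*:\s*(.+?)\s*$", output, re.M)


if __name__ == "__main__":
    for c in CMDLINES:
        print(f"{classify(c)!s:20} {c}")
    print("naive :", naive_profile_names(NO_PROFILES_OUTPUT))
    print("strict:", strict_profile_names(NO_PROFILES_OUTPUT))
```

The classifier keys on the netsh arguments rather than on cmd.exe or chcp, so it also catches the same harvest when it is launched without the code-page change or directly via netsh.exe; the enumeration alone is common in admin tooling and belongs at a lower severity than the key=clear dump.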
Network
MITRE ATT&CK Enterprise v15
Downloads
  The report lists the same two dropped files several times (once per observation); they are collapsed here. The report does not say which file corresponds to ms_update.exe and which to ms_updater.exe.

  File 1
    Filesize:  917KB
    MD5:       9481b1dfcf5c3f900285700b63d538a7
    SHA1:      30b6d34b391f92f9004608f08ecf8f52bc4d88ad
    SHA256:    b112c6ded1a8af1ece407b8f141ada083ca96341b0164aa6a42f45b6cc002c60
    SHA512:    b0353832dc773a075be5709976bee9b563010495a6c810f03863e6eff381bf709613384bda106c9ebc210aa9ca60feae9392edbdcc63669993371a925c1eefea

  File 2
    Filesize:  443KB
    MD5:       8a2c454b6571e226223f0f0ffc03f58b
    SHA1:      c5c83e9769d35c7ac5efa45d228117453b87621e
    SHA256:    7aa42d31e48e600a2f7edcc4ce96fbd0336548b72dcc82227acbe3cc46600d36
    SHA512:    c96f423e960ec72e6a22f17250e8fa1b656d436c4d056009344ec50c2494da939558f0930ed6c93851fce7068f77d00b56efd3a25841a9d8c2a55e283a660e09